Data Processing Agreement

DISCLAIMER: This is a machine translation provided for convenience only. The German version is the legally binding document.

Agreement on the processing of personal data on behalf of a controller in accordance with Art. 28 GDPR between the app user (hereinafter referred to as the "Controller") and HomeRun GmbH, Harvestehuder Weg 18, 20149 Hamburg (hereinafter referred to as the "Processor"). Controller and Processor are hereinafter jointly referred to as the "Parties".

Table of Contents

  • Subject Matter of the Agreement

  • Scope of Processing

  • Controller's Authority to Issue Instructions

  • Responsibility of the Controller

  • Personnel Requirements

  • Security of Processing

  • Engagement of Additional Processors

  • Rights of Data Subjects

  • Processor's Notification and Support Obligations

  • Data Deletion

  • Evidence and Audits

  • Contract Duration and Termination

  • Liability

  • Final Provisions

Subject Matter of the Agreement

When using the "GRID" app in accordance with the agreed general terms of use (hereinafter referred to as the "Main Contract"), it is necessary for the Processor to handle personal data for which the Controller acts as the responsible entity within the meaning of data protection regulations (hereinafter referred to as "Controller Data"). This agreement specifies the rights and obligations of the parties in connection with the Processor's handling of Controller Data for the implementation of the Main Contract.

Scope of Processing

  1. The Processor processes the Controller Data on behalf of and according to the instructions of the Controller within the meaning of Art. 28 GDPR (Data Processing). The Controller remains the responsible party in the sense of data protection law.

  2. The app processes personal data of the Controller's tenants for the digital management of the Controller's rental properties. This involves the following personal data:

    • Name

    • Address

    • Email address

    • Phone number

    • Date of birth

    • Banking details

  3. As part of document processing, additional personal data of the Controller's tenants may be uploaded by the Processor to the app, so that additional personal data could be processed in the app (all personal data of the Controller's tenants hereinafter referred to as "Controller Data").

  4. The banking data of the Controller's tenants is transmitted to the app by Tink Germany GmbH, Gottfried-Keller-Straße 33, 81245 Munich. No data is transferred from the app to Tink Germany GmbH.

  5. The duration of the processing corresponds to the term of the Main Contract.

  6. The Processor processes the Controller Data by:

    • Collecting and querying

    • Adapting and changing

    • Transmitting

    • Restricting

    • Deleting

    • Organizing and arranging

    • Storing

    • Using

    • Comparing and linking

  7. The Processor reserves the right to anonymize or aggregate the Controller Data so that identification of individual data subjects is no longer possible, and to use it in this form for the purpose of needs-based design, further development and optimization as well as the provision of the service agreed upon in the Main Contract. The Parties agree that anonymized or aggregated Controller Data as described above is no longer considered Controller Data within the meaning of this agreement.

  8. The Processor may process and use the Controller Data for its own purposes on its own responsibility within the scope of what is permissible under data protection law, if a legal permission provision or a declaration of consent from the data subject permits this. This agreement does not apply to such data processing.

  9. The processing of Controller Data by the Processor generally takes place within the European Union or in another contracting state of the Agreement on the European Economic Area (EEA). Nevertheless, the Processor is permitted to process Controller Data outside the EEA in compliance with the provisions of this agreement, provided that the Processor informs the Controller in advance about the location of data processing and the requirements of Art. 44 - 48 GDPR are met or an exception according to Art. 49 GDPR exists.

Controller's Authority to Issue Instructions

  1. The Processor processes the Controller Data in accordance with the instructions of the Controller, unless the Processor is legally obligated to process it otherwise. In the latter case, the Processor shall inform the Controller of these legal requirements prior to processing, unless the relevant law prohibits such notification due to an important public interest.

  2. The Controller's instructions are conclusively defined and documented in the provisions of this agreement. Individual instructions that deviate from the provisions of this agreement or impose additional requirements require the prior consent of the Processor and are carried out in accordance with the change procedure specified in the Main Contract, in which the instruction is to be documented and the assumption of any resulting additional costs of the Processor by the Controller is to be regulated.

  3. The Processor ensures that it processes the Controller Data in accordance with the Controller's instructions. If the Processor is of the opinion that an instruction of the Controller violates this agreement or applicable data protection law, it is entitled to suspend the execution of the instruction after a corresponding notification to the Controller until confirmation of the instruction by the Controller. The Parties agree that the sole responsibility for the processing of Controller Data in accordance with instructions lies with the Controller.

Responsibility of the Controller

  1. The Controller is solely responsible for the lawfulness of the processing of Controller Data and for safeguarding the rights of data subjects in the relationship between the Parties. Should third parties make claims against the Processor based on the processing of Controller Data in accordance with this agreement, the Controller shall indemnify the Processor against all such claims upon first request.

  2. The Controller shall immediately and completely inform the Processor if, during the review of the Processor's order results, it discovers errors or irregularities regarding data protection provisions or its instructions.

  3. Upon request, the Controller shall provide the Processor with the information specified in Art. 30 Para. 2 GDPR, insofar as the Processor does not have this information itself.

  4. If the Processor is obligated to provide information about the processing of Controller Data to a governmental authority or a person, or to cooperate with these authorities in other ways, the Controller is obligated to support the Processor upon first request in providing such information or fulfilling other obligations to cooperate.

Personnel Requirements

The Processor shall obligate all persons who process Controller Data to maintain confidentiality with regard to the processing of Controller Data.

Security of Processing

  1. In accordance with Art. 32 GDPR, the Processor will implement necessary, appropriate technical and organizational measures that, taking into account the state of the art, the implementation costs, and the nature, scope, circumstances, and purposes of the processing of the Controller Data, as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, are required to ensure a level of protection appropriate to the risk for the Controller Data.

  2. The Processor is permitted to change technical and organizational measures during the term of the contract as long as they continue to meet the legal requirements.

Engagement of Additional Processors

  1. The Controller hereby grants the Processor general authorization to engage additional processors with respect to the processing of Controller Data. At the time of conclusion of the contract, the following subprocessors are active:

    • Google Cloud Platform EMEA SARL, 80 Boulevard J.F. Kennedy, L-1855, Luxembourg (as operator of the Google Cloud Platform): Hosting provider for the provision of the server infrastructure for the app. The primary data processing takes place in the EU (region europe-west-3); however, due to global network architectures (especially Premium Network Tier), data transmission via servers outside the EU/EEA (including the USA) cannot be excluded.

    • Auth0 Inc., 10800 NE 8th Street, Suite 600, Bellevue, WA 98004, USA: Provision of authentication and user management services for the Controller's access to the app. Data processing takes place primarily in the EU region of the service configured by the Processor. Since Auth0 Inc. is a US company, data transfers to the USA (e.g., for support purposes or due to legal obligations) may occur with appropriate safeguards (e.g., EU-U.S. Data Privacy Framework, Standard Contractual Clauses).

    • Google Workspace (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland): Use of cloud-based office applications (e.g., email, data storage) for internal administration and communication in connection with the provision and support of the app, which may include the processing of Controller Data. Data processing takes place primarily in the EU, but may also occur globally.

    • OpenAI L.L.C., 3180 18th Street, San Francisco, CA 94110, USA (provider of ChatGPT): Use of AI services to support internal processes (e.g., data analysis, text creation), which may include the processing of Controller Data. Data processing takes place primarily in the USA. Since OpenAI, L.L.C. is a US company, data transfers to the USA occur using appropriate safeguards (e.g., EU-U.S. Data Privacy Framework, Standard Contractual Clauses in accordance with Section 7.5).

    • RevenueCat Inc., 1032 E Brandon Blvd, #3003 Brandon, FL 33511, USA: Subscription management service for in-app subscriptions. Processes, among other things, subscription status, transaction data, device/app information, and identifiers (e.g., App Store ID, Google Play ID, Stripe Customer ID). Processing takes place in the USA; standard contractual clauses serve as appropriate safeguards (EU-COM Module 2 – Data Processor).

  2. Contractual relationships with service providers that involve the inspection or maintenance of data processing procedures or systems by other entities or other ancillary services generally do not require approval, even if access to Controller Data cannot be excluded, as long as the Processor makes appropriate arrangements to protect the confidentiality of the Controller Data.

  3. The Processor will inform the Controller about intended changes regarding the engagement or replacement of additional processors. The Controller has the right in individual cases to object to the appointment of a potential additional processor. An objection may only be raised by the Controller for important reasons to be demonstrated to the Processor. If the Controller does not object within 14 days of receiving the notification, its right to object regarding the corresponding appointment expires. If the Controller objects, the Processor is entitled to terminate the Main Contract and this agreement with a notice period of 3 months.

  4. The contract between the Processor and the additional processor must impose the same obligations on the latter as those imposed on the Processor by virtue of this agreement. The Parties agree that this requirement is fulfilled if the contract has a level of protection equivalent to this agreement or if the additional processor is subject to the obligations set out in Art. 28 Para. 3 GDPR.

  5. Subject to compliance with the requirements of Section 2.5 of this agreement, the provisions in this Section 7 also apply if an additional processor is engaged in a third country. The Controller hereby authorizes the Processor to conclude a contract with an additional processor on behalf of the Controller, incorporating the Standard Contractual Clauses issued by the European Commission pursuant to Art. 46 Para. 2 lit. c GDPR for the transfer of personal data to processors in third countries (currently Implementing Decision (EU) 2021/914 of June 4, 2021, Module 2 or a corresponding successor module). The Controller agrees to cooperate in fulfilling the requirements under Art. 49 GDPR to the extent necessary.

Rights of Data Subjects

  1. The Processor will support the Controller with technical and organizational measures within reason in fulfilling its obligation to respond to requests for exercising the rights of data subjects.

  2. If a data subject asserts a request for exercising his or her rights directly against the Processor, the Processor will forward this request to the Controller promptly.

  3. The Processor will inform the Controller about the Controller Data stored, the recipients of Controller Data to whom the Processor forwards them as per the order, and the purpose of storage, provided that the Controller does not have this information itself or cannot obtain it itself.

  4. The Processor will enable the Controller, within the scope of what is reasonable and necessary, and against reimbursement of the demonstrable expenses and costs incurred by the Processor, to correct, delete, or restrict the further processing of Controller Data, or will undertake the correction, blocking, or restriction of further processing itself at the Controller's request, if and to the extent that this is impossible for the Controller itself.

  5. To the extent that the data subject has a right to data portability regarding the Controller Data according to Art. 20 GDPR, the Processor will support the Controller within the scope of what is reasonable and necessary, and against reimbursement of the demonstrable expenses and costs incurred by the Processor, in providing the Controller Data in a common and machine-readable format, if the Controller cannot obtain the data otherwise.

Processor's Notification and Support Obligations

  1. To the extent that the Controller is subject to a legal reporting or notification obligation due to a breach of protection of Controller Data (in particular according to Art. 33, 34 GDPR), the Processor will promptly inform the Controller about any reportable events in its area of responsibility. The Processor will support the Controller in fulfilling the reporting and notification obligations at the Controller's request, within the scope of what is reasonable and necessary, and against reimbursement of the demonstrable expenses and costs incurred by the Processor.

  2. The Processor will support the Controller within the scope of what is reasonable and necessary, and against reimbursement of the demonstrable expenses and costs incurred by the Processor, in data protection impact assessments to be conducted by the Controller and, if applicable, subsequent consultations with the supervisory authorities according to Art. 35, 36 GDPR.

Data Deletion

  1. The Processor will delete the Controller Data after termination of this agreement, unless there is a legal obligation for the Processor to continue storing the Controller Data.

  2. Documentation that serves as proof of the orderly and proper processing of Controller Data may be retained by the Processor even after the end of the contract.

Evidence and Audits

  1. The Processor will provide the Controller, upon request, with all necessary information available to the Processor to demonstrate compliance with its obligations under this agreement.

  2. The Controller is entitled to audit the Processor regarding compliance with the provisions of this agreement, in particular the implementation of technical and organizational measures.

  3. To conduct audits according to Section 11.2, the Controller is entitled, during normal business hours (Monday to Friday from 10 am to 6 pm), after timely advance notice in accordance with Section 11.5, at its own expense, without disrupting operations and under strict confidentiality of the Processor's trade and business secrets, to enter the Processor's business premises where Controller Data is processed.

  4. The Processor is entitled, at its own discretion and considering the legal obligations of the Controller, not to disclose information that is sensitive with regard to the Processor's business or if the Processor would violate legal or other contractual provisions by disclosing it. The Controller is not entitled to access data or information about other customers of the Processor, information regarding costs, quality inspection and contract management reports, and any other confidential data of the Processor that is not directly relevant for the agreed audit purposes.

  5. The Controller shall inform the Processor in good time (usually at least two weeks in advance) about all circumstances related to the conduct of the audit. The Controller may conduct one audit per calendar year. Additional audits are carried out against cost reimbursement and after coordination with the Processor.

  6. If the Controller commissions a third party to conduct the audit, the Controller must obligate the third party in writing in the same way as the Controller is obligated to the Processor based on Section 11 of this agreement. In addition, the Controller must obligate the third party to confidentiality and secrecy, unless the third party is subject to professional confidentiality. At the Processor's request, the Controller shall immediately present the commitment agreements with the third party to the Processor. The Controller may not commission a competitor of the Processor to conduct the audit.

  7. At the Processor's discretion, proof of compliance with the obligations under this agreement can be provided, instead of through an audit, by presenting a suitable, current certificate or report from an independent entity (e.g., auditor, internal audit, data protection officer, IT security department, data protection auditors, or quality auditors) or a suitable certification through IT security or data protection audit — e.g., according to BSI Basic Protection — ("Audit Report"), if the Audit Report reasonably enables the Controller to satisfy itself of compliance with the contractual obligations.

Contract Duration and Termination

The term and termination of this agreement are governed by the provisions on the term and termination of the Main Contract. Termination of the Main Contract automatically results in termination of this agreement. Isolated termination of this agreement is excluded.

Liability

  1. For the Processor's liability under this agreement, the liability exclusions and limitations according to the Main Contract apply. Insofar as third parties make claims against the Processor that have their cause in a culpable breach of this agreement by the Controller or one of its obligations as the data protection controller, the Controller shall indemnify the Processor against these claims upon first request.

  2. The Controller undertakes to indemnify the Processor upon first request against any fines imposed on the Processor to the extent to which the Controller shares responsibility for the violation sanctioned by the fine.

Final Provisions

  1. Should individual provisions of this agreement be invalid or contain a gap, the remaining provisions shall remain unaffected. The Parties undertake to replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision and meets the requirements of Art. 28 GDPR.

  2. In case of contradictions between this agreement and other agreements between the Parties, in particular the Main Contract, the provisions of this agreement shall prevail.

Agreement Version: June 16, 2025