Data Processing Agreement (DPA)
Effective Date: 12/7/2025
Last Updated: April 29, 2026
This Data Processing Agreement (“Agreement”) forms part of the Terms of Service or other written contract (“Service Agreement”) between Rush OnDemand, Inc., a Florida corporation (“Company”) and the Service Provider (“Processor”) that processes Personal Information on behalf of the Company through the Platform.
1. Purpose and Scope
This Agreement governs how the Processor handles Personal Information on behalf of the Company. The Company acts as a Controller, and the Processor acts as a Processor or Service Provider under applicable privacy laws.
2. Definitions
Capitalized terms not otherwise defined in this Agreement have the meanings given in the Company’s Master Glossary, a copy of which is attached hereto as Exhibit C and incorporated by reference. In the event of any conflict between definitions in this Agreement and the Master Glossary, the definitions in this Agreement shall control.
3. Nature and Purpose of Processing
The Processor will process Personal Information only as necessary to:
- Authenticate and manage Accounts.
- Facilitate Service Requests and related communications between Consumers and third-party Service Providers.
- Provide analytics, security monitoring, and fraud prevention.
- Comply with legal obligations and maintain Platform integrity.
The Processor will not sell or share Personal Information, use it for advertising, or combine it with other data except as required to provide services or permitted by law.
4. Compliance with Privacy Laws
The Processor acknowledges its role as a “service provider” or “processor” under the California Consumer Privacy Act (CCPA/CPRA) and similar laws in other states. It will:
- Process Personal Information only for the specific business purposes in this Agreement.
- Not sell, share, or retain Personal Information except to fulfill these purposes.
- Not combine Personal Information received from the Company with other data sources except as legally allowed.
- Maintain compliance with all applicable federal and state privacy, security, and consumer-protection laws.
5. Security and Confidentiality
The Processor must implement and maintain appropriate technical and organizational measures, including at a minimum:
- Encryption in transit and at rest (TLS 1.3 / AES-256 or equivalent).
- Access controls, multi-factor authentication, and audit logging.
- Regular security patching and vulnerability management.
- Confidentiality agreements and privacy training for personnel.
6. Security Incidents and Regulatory Inquiries
The Processor will notify the Company without undue delay, and in any event within twenty-four (24) hours, after the Processor becomes aware or reasonably should have become aware of a Security Incident. The notice must be provided in writing to the Company's designated security contact and legal counsel, and must describe: (i) the nature and cause of the Security Incident; (ii) the types and categories of Personal Information affected; (iii) the number of individuals whose Personal Information was or may have been affected; (iv) the date or estimated date of the Security Incident and the date of discovery; (v) the likely consequences and potential harm to affected individuals; (vi) remedial measures taken or planned by the Processor; (vii) the Processor's contact information for further inquiries; and (viii) any other information reasonably requested by the Company to assess the incident and comply with legal obligations. The Processor will cooperate fully to assist the Company in meeting any legal notification requirements. The Processor shall promptly notify and cooperate with the Company in connection with any inquiry, investigation, or audit by a regulatory authority relating to Personal Information processed under this Agreement.
7. Processor Assistance and Consumer Rights
The Processor will assist the Company, within 10 days of request, in responding to verified consumer requests under state privacy laws. Assistance includes responding to access, correction, deletion, portability, or appeal requests.
8. Subprocessors
The Processor may engage Subprocessors only with the Company’s prior written approval, which the Company may grant or withhold in its sole discretion. The Processor must provide the Company with at least thirty (30) days' advance written notice before engaging any new Subprocessor or materially changing an existing Subprocessor arrangement, including the Subprocessor's identity, location, and processing activities. Each Subprocessor must sign a written agreement imposing data-protection obligations no less protective than those in this Agreement, and the Processor must provide a copy of such agreement to the Company upon request. The Processor remains fully liable to the Company for all acts and omissions of its Subprocessors as if they were the Processor's own acts or omissions, and such liability shall not be limited by any agreement between the Processor and its Subprocessors.
9. Artificial Intelligence and Automated Processing
If the Processor uses AI Features or automated tools to process Personal Information, it will maintain documentation describing:
- The scope and purpose of such processing.
- Datasets used for training or inference.
- Validation and bias-mitigation procedures.
- Human-review and oversight mechanisms.
The Processor will provide this documentation to the Company upon request, and in any event no less than annually. The Processor will not use AI systems, machine learning models, or automated decision-making tools to make or materially assist in decisions that produce legal effects or similarly significant effects concerning individuals (including but not limited to decisions affecting employment, credit eligibility, housing, insurance, education, or access to services) without the Company's prior written approval for each specific use case. For any approved AI-based decision-making, the Processor must implement meaningful human review and intervention mechanisms, maintain detailed records of all automated decisions, and provide explanations of decision logic upon request. If a Data Protection Impact Assessment (DPIA) or Automated Decision-Making Technology (ADMT) assessment is required under law or Company policy, the Processor will cooperate and provide all relevant information to support that assessment.
10. Data Retention and Deletion
The Processor will retain Personal Information only for the minimum period necessary to perform the services specified in this Agreement and will not retain Personal Information for any other purpose. Upon termination or expiration of this Agreement, or within ten (10) business days of the Company's written request (whichever is earlier), the Processor will, at the Company's election, either: (i) securely return to the Company all Personal Information and copies thereof in a commonly used, machine-readable format; or (ii) permanently and irreversibly delete or destroy all Personal Information and copies thereof using industry-standard data sanitization methods (e.g., NIST SP 800-88 guidelines). The Processor will provide written certification of deletion or return, signed by an officer of the Processor, within five (5) business days of completion. If applicable law requires the Processor to retain certain Personal Information, the Processor must: (a) notify the Company in writing of the specific legal requirement and the categories of data that must be retained; (b) isolate and protect such data from any further processing except as required by law; and (c) delete such data as soon as the legal retention requirement expires.
11. International Transfers
All Personal Information processed under this Agreement must remain in the United States unless the Company gives prior written authorization. Any approved transfer must use appropriate safeguards consistent with applicable laws.
12. Audits and Verification
Upon reasonable written notice, the Company may audit the Processor’s compliance with this Agreement. The Processor will make available documentation, security certifications, and personnel as reasonably necessary to verify compliance.
13. Liability and Indemnification
To the fullest extent permitted by the laws of the State of Florida, the Processor shall indemnify, defend, and hold harmless the Company, and its parents, subsidiaries, affiliates, officers, directors, employees, contractors, agents, representatives, successors, and assigns (collectively, the “Company Indemnified Parties”), from and against any and all claims, demands, suits, actions, causes of action, losses, liabilities, damages, judgments, penalties, fines, settlements, costs, and expenses (including reasonable attorneys’ fees and costs of investigation and enforcement) arising out of or relating to: (a) the Processor’s performance or failure to perform its obligations under this Agreement or any related agreement; (b) any breach or alleged breach by the Processor or its Subprocessors of applicable privacy, data-protection, consumer-protection, or information security laws, regulations, or standards; (c) any Security Incident, data breach, or unauthorized access, use, storage, disclosure, transfer, or destruction of Personal Information in the possession or control of the Processor or its Subprocessors; (d) the Processor’s negligence, gross negligence, or willful or intentional misconduct; (e) any violation of applicable law, regulation, ordinance, or industry standard, including without limitation those relating to data privacy, consumer protection, workplace monitoring, or export control; (f) any claim that the Processor’s software, systems, technology, data handling, or other materials infringe, misappropriate, or otherwise violate the intellectual property, proprietary, privacy, or publicity rights of any third party; (g) any unauthorized or improper collection, labeling, tracking, profiling, or AI-based processing of Personal Information; (h) the Processor’s failure to obtain required consents, authorizations, or licenses for its use or processing of data or materials; and (i) any breach or alleged breach of any representation, warranty, or covenant contained in this Agreement.
a. Integration and Configuration
This indemnity includes, without limitation, any claim alleging that the Processor’s integration, configuration, or modification of the Company’s systems, or use of the Company’s data in combination with other hardware, software, or systems, infringes or misappropriates the intellectual property or proprietary rights of any third party, or otherwise causes damage or injury to any person, property, or data.
b. Duty to Defend
The Processor’s duty to defend the Company Indemnified Parties under this section is separate and independent from its duty to indemnify and shall arise immediately upon written notice of any claim, demand, or investigation covered by this section, regardless of whether liability is ultimately established. The Processor shall, at its sole cost and expense, provide a prompt and complete defense to the Company using counsel reasonably acceptable to the Company and shall pay all costs of defense as incurred. The Company shall have the right, at its option and expense, to participate in the defense of any claim with counsel of its choosing, without relieving the Processor of its obligations hereunder. The Processor shall not settle or compromise any claim without the Company’s prior written consent if the settlement imposes any obligation, liability, or admission upon the Company or affects the Company’s rights or reputation.
c. Limit of Indemnity
This indemnity applies regardless of whether such claims are alleged to have been caused in part by the negligence, strict liability, or other fault of the Company, provided, however, that the Processor shall not be obligated to indemnify the Company to the extent a claim arises from the Company’s sole gross negligence or willful misconduct, as determined by a final, non-appealable judgment of a court of competent jurisdiction. The obligations set forth in this section are independent of and in addition to any other rights or remedies of the Company and shall survive termination, cancellation, or completion of this Agreement.
d. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE COMPANY SHALL NOT BE LIABLE TO THE PROCESSOR OR TO ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES OF ANY KIND, INCLUDING WITHOUT LIMITATION LOSS OF PROFITS, LOSS OF REVENUE, LOSS OF BUSINESS OPPORTUNITY, LOSS OF GOODWILL, BUSINESS INTERRUPTION, DOWNTIME COSTS, OR LOSS OR CORRUPTION OF DATA, ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE PROCESSING OF DATA, REGARDLESS OF THE THEORY OF LIABILITY (WHETHER IN CONTRACT, TORT, STRICT LIABILITY, WARRANTY, OR OTHERWISE) AND EVEN IF THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL THE COMPANY’S AGGREGATE CUMULATIVE LIABILITY FOR ANY AND ALL CLAIMS, DAMAGES, LOSSES, COSTS, AND EXPENSES ARISING OUT OF OR RELATING TO THIS AGREEMENT EXCEED THE TOTAL AMOUNT ACTUALLY PAID TO OR RECEIVED FROM THE PROCESSOR DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO SUCH CLAIM. THE EXISTENCE OF MULTIPLE CLAIMS OR TRANSACTIONS SHALL NOT INCREASE THIS LIMITATION, AND EACH ENGAGEMENT SHALL BE TREATED AS A SEPARATE AND INDEPENDENT TRANSACTION FOR PURPOSES OF THIS LIMITATION. ALL CLAIMS OR ACTIONS AGAINST THE COMPANY MUST BE COMMENCED WITHIN ONE (1) YEAR AFTER THE CAUSE OF ACTION ACCRUES, OR THEY SHALL BE DEEMED WAIVED AND FOREVER BARRED. THE PROCESSOR ACKNOWLEDGES AND AGREES THAT THE PRICES AND TERMS AGREED TO BY THE COMPANY ARE BASED ON, AND IN RELIANCE UPON, THE RISK ALLOCATIONS AND LIMITATIONS OF LIABILITY SET FORTH HEREIN.
14. Arbitration, Dispute Resolution, and Waiver of Jury Trial
TO THE FULLEST EXTENT PERMITTED UNDER STATE AND FEDERAL LAW, ANY CONTROVERSY OR CLAIM ARISING OUT OF OR RELATING TO THIS AGREEMENT, OR THE BREACH THEREOF, SHALL BE DETERMINED BY FINAL AND BINDING ARBITRATION ADMINISTERED BY THE AMERICAN ARBITRATION ASSOCIATION (“AAA”) UNDER ITS COMMERCIAL ARBITRATION RULES AND MEDIATION PROCEDURES (“COMMERCIAL RULES”). THE AWARD RENDERED BY THE ARBITRATOR SHALL BE FINAL AND BINDING ON THE PARTIES AND MAY BE ENTERED AND ENFORCED IN ANY COURT HAVING JURISDICTION. JUDGMENT ON THE AWARD SHALL BE FINAL AND NON-APPEALABLE. THERE SHALL BE ONE ARBITRATOR AGREED TO BY THE PARTIES WITHIN FIFTEEN (15) DAYS OF RECEIPT BY THE RESPONDENT OF THE REQUEST FOR ARBITRATION OR, IN DEFAULT THEREOF, APPOINTED BY THE AAA IN ACCORDANCE WITH ITS COMMERCIAL RULES. THE SEAT OR PLACE OF ARBITRATION SHALL BE HILLSBOROUGH COUNTY, FLORIDA; HOWEVER, THE PARTIES AGREE THAT THEY MAY ATTEND ALL OR PART OF THE PROCEEDINGS REMOTELY TO AVOID INCONVENIENCE. THE ARBITRATION SHALL BE CONDUCTED, AND THE AWARD SHALL BE RENDERED, IN THE ENGLISH LANGUAGE. WITHOUT LIMITING THE FOREGOING, IN ANY ACTION BROUGHT BY ONE OF THE PARTIES TO ENFORCE OR INTERPRET THIS AGREEMENT, THE PREVAILING PARTY SHALL BE ENTITLED TO REASONABLE ATTORNEYS’ FEES AND COSTS IN ADDITION TO ANY OTHER RELIEF TO WHICH IT MAY BE ENTITLED. JUDGMENT UPON THE AWARD RENDERED BY THE ARBITRATOR MAY BE ENTERED IN ANY COURT OF COMPETENT JURISDICTION.
a. Waiver of Jury Trial and Class Actions
THE PARTIES EXPRESSLY AGREE TO WAIVE ANY RIGHT TO TRIAL BY JURY AND ANY RIGHT TO PARTICIPATE IN OR PURSUE ANY CLAIMS ON A CLASS OR REPRESENTATIVE BASIS IN ANY FORUM, INCLUDING CLASS ACTION LITIGATION. THE PARTIES FURTHER AGREE THAT ANY CLAIMS SHALL BE BROUGHT SOLELY IN THEIR INDIVIDUAL CAPACITIES AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING.
b. Injunctive Relief
NOTWITHSTANDING THE FOREGOING, NOTHING IN THIS CLAUSE SHALL PREVENT EITHER PARTY FROM SEEKING INJUNCTIVE RELIEF IN A COURT OF COMPETENT JURISDICTION IN HILLSBOROUGH COUNTY, FLORIDA (OR THE FEDERAL DISTRICT COURT SERVING HILLSBOROUGH COUNTY, IF APPLICABLE) IF SUCH RELIEF IS NECESSARY TO PREVENT IRREPARABLE HARM PRIOR TO THE COMMENCEMENT OR COMPLETION OF THE DISPUTE RESOLUTION PROCEDURES DESCRIBED HEREIN.
c. Governing Law and Construction
This Agreement shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict-of-laws principles. The parties agree that this Section shall be governed by and construed in accordance with the Federal Arbitration Act, and, to the extent that state law applies, by the laws of the State of Florida. If any provision of this Section is for any reason held unenforceable or invalid, it shall be entirely severable from this Agreement, and the balance shall remain in full force and effect.
d. Costs
The parties shall each pay one-half of the administrative costs and expenses of the arbitration and shall separately pay their own counsel fees and expenses, unless otherwise required by law or determined by the arbitrator.
e. Acknowledgment
EACH PARTY ACKNOWLEDGES THAT IT HAS READ AND UNDERSTANDS THIS SECTION, INCLUDING THAT BY ENTERING INTO THIS AGREEMENT, EACH PARTY AGREES TO SUBMIT ANY CLAIMS ARISING OUT OF, RELATING TO, OR IN CONNECTION WITH THIS AGREEMENT TO BINDING ARBITRATION AS PROVIDED HEREIN, AND THAT THIS ARBITRATION CLAUSE CONSTITUTES A WAIVER OF THE RIGHT TO A JURY TRIAL AND PARTICIPATION IN ANY CLASS OR REPRESENTATIVE PROCEEDING.
15. Term and Termination
This Agreement remains in effect while the Processor processes Personal Information for the Company. It automatically terminates when processing ends, subject to the data-return and deletion provisions.
a. Survival
The provisions of Sections 11-14 shall survive termination of this Agreement, indefinitely.
16. Miscellaneous Provisions
a. Entire Agreement
This Agreement is part of the Service Agreement between the parties. If there is a conflict, this Agreement controls for data-processing and privacy matters. This Agreement, together with any related Service Agreement, Statement of Work, or supplemental privacy and data-protection terms incorporated by reference, constitutes the entire agreement between the parties regarding its subject matter and supersedes all prior or contemporaneous communications, proposals, or agreements, whether oral or written. Any conflicting or additional terms contained in any document issued by the Processor are expressly rejected and shall have no force or effect.
b. Assignment
The Processor may not assign, delegate, sublicense, or otherwise transfer any of its rights or obligations under this Agreement, whether by operation of law, merger, change of control, or otherwise, without the prior written consent of the Company. Any attempted assignment in violation of this section shall be null, void, and of no effect. The Company may assign or transfer this Agreement, in whole or in part, at any time and in its sole discretion, including to any affiliate, successor, purchaser of assets, or other entity designated by the Company, without notice or consent. This Agreement shall be binding upon and inure to the benefit of the parties and their respective permitted successors and assigns.
c. Severability
If any provision of this Agreement is held to be invalid, illegal, or unenforceable by a court or arbitrator of competent jurisdiction, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be replaced with a valid provision that most closely reflects the intent of the parties.
d. Waiver
No waiver by the Company of any breach or default by the Processor shall be deemed a waiver of any preceding or subsequent breach or default. Any waiver must be in writing and executed by an authorized representative of the Company to be effective. Failure or delay by the Company in exercising any right or remedy shall not constitute a waiver thereof or preclude any future exercise of that right or any other right or remedy.
e. Cumulative Remedies
The rights and remedies provided in this Agreement are cumulative and are in addition to any other rights and remedies available at law or in equity, unless expressly stated otherwise.
f. Notices
Any notice required or permitted under this Agreement shall be in writing and shall be deemed duly given: (a) upon personal delivery; (b) when sent by confirmed email or other electronic transmission; (c) one (1) business day after deposit with a recognized overnight courier service; or (d) three (3) business days after being mailed by certified or registered mail, postage prepaid, return receipt requested. Notices to the Company shall be sent to its principal business address as specified in the Service Agreement or as otherwise designated in writing. Notices to the Processor shall be sent to the contact information provided in its registration, contract, or order form.
g. Amendment
This Agreement may be amended or modified only by a written instrument executed by authorized representatives of both parties. The Company may, in its sole discretion, update its standard data protection terms or privacy compliance documentation as required by law, and such updates shall automatically apply to this Agreement upon notice to the Processor, provided that the update does not materially diminish the Processor’s obligations or expand its rights.
h. Interpretation and Construction
The headings in this Agreement are for convenience only and shall not affect its interpretation. References to sections or subsections are to those contained herein unless otherwise specified. The words “including,” “includes,” and “include” shall be deemed to be followed by “without limitation.” Words in the singular include the plural and vice versa, and references to any gender include all genders. This Agreement shall be construed fairly and not strictly for or against either party, regardless of which party drafted it.
i. Third-Party Beneficiaries
Except as expressly stated herein, this Agreement is intended solely for the benefit of the parties and their respective permitted successors and assigns. Nothing in this Agreement, express or implied, shall confer upon any other person or entity any legal or equitable right, benefit, or remedy of any kind. No third party shall be deemed a beneficiary of or entitled to enforce any provision of this Agreement.
j. Suspension of Performance
Without limiting any other rights or remedies available under this Agreement or at law, the Company may, in its sole discretion, immediately suspend the Processor’s access to systems, data, or performance of services if: (a) the Processor breaches this Agreement; (b) the Company reasonably believes that the Processor’s actions present a security or compliance risk; or (c) such suspension is necessary to protect the Company’s systems, data, or business interests. Any suspension shall not extend any delivery schedule or relieve the Processor of its obligations. The Processor shall bear all reasonable costs of suspension and resumption of services.
Exhibit A – Security Controls
The Processor will maintain at least the following safeguards:
- Encryption of Personal Information in transit (TLS 1.3) and at rest (AES-256 or better).
- Access limited to authorized personnel through unique credentials and MFA.
- Network segmentation, firewalls, and intrusion detection systems.
- Comprehensive logging and audit trails retained for at least 12 months.
- Regular security testing, vulnerability scans, and prompt patch management.
- Incident-response plan designating a security contact reachable 24 × 7.
- Annual employee training on privacy, data handling, and security awareness.
- Disaster-recovery and business-continuity plans reviewed annually.
Exhibit B – Approved Subprocessors
The following Subprocessors are authorized to process Personal Information on behalf of the Company:
Subprocessor Purpose Location Google Cloud Firestore Google Gemini AI / Firebase / Google Maps Platform GitHub Actions Office 365 Exchange Online for authentication, interpretation Hosting, notifications, analytics Text/voice service-matching AI features Geolocation services Continuous deployment and code security Email and communication and mapping integration, business United States United States United States United States United States
The Processor must obtain written approval from the Company before adding or changing any Subprocessor and must give at least 30 days’ notice for review.