Data Processing Addendum

1. Introduction and Scope

This Data Processing Addendum ("DPA") forms part of our agreement with customers, tenants, and service providers ("Customer") and governs the processing of Personal Data by Business Solutions LLC ("Company," "we," or "us") on behalf of the Customer.

This DPA applies when:

• We process personal data on behalf of the Customer as a data processor
• The Customer is subject to data protection regulations
• Personal data is transferred to or processed by our service providers

2. Definitions

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Data Controller" means the entity that determines the purposes and means of processing Personal Data
• "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller
• "Data Subject" means the individual to whom Personal Data relates
• "Processing" means any operation performed on Personal Data
• "Sub-processor" means any third party engaged by us to process Personal Data

3. Data Processing Details

Categories of Personal Data

• Identity data (names, contact details, identification documents)
• Financial data (payment information, credit checks, banking details)
• Professional data (business information, employment details)
• Communication data (emails, messages, call records)
• Technical data (IP addresses, device information, usage analytics)
• Security data (access logs, CCTV footage, entry records)

4. Data Processing Principles

We commit to processing Personal Data in accordance with the following principles:

• Lawfulness: Processing only with valid legal basis and appropriate consent
• Purpose Limitation: Processing only for specified, legitimate purposes
• Data Minimization: Collecting and processing only necessary data
• Accuracy: Ensuring data is accurate and kept up to date
• Storage Limitation: Retaining data only for necessary periods
• Security: Implementing appropriate technical and organizational measures
• Accountability: Demonstrating compliance with data protection principles

5. Security Measures

We implement and maintain appropriate technical and organizational security measures:

Technical Measures

• Encryption of data in transit and at rest
• Access controls and authentication systems
• Network security and firewalls
• Regular security updates and patches
• Backup and disaster recovery procedures
• Security monitoring and incident detection

Organizational Measures

• Staff training on data protection and security
• Confidentiality agreements for all personnel
• Clear data handling procedures and policies
• Regular security risk assessments
• Incident response and breach notification procedures
• Vendor management and due diligence processes

6. Sub-processors

We may engage sub-processors to assist with data processing activities. Current sub-processors include:

We will notify customers of any changes to sub-processors and provide opportunity to object to new sub-processors that may affect data processing activities.

7. Data Subject Rights

We assist customers in fulfilling data subject rights requests, including:

• Access: Providing copies of personal data being processed
• Rectification: Correcting inaccurate or incomplete data
• Erasure: Deleting personal data when no longer needed
• Restriction: Limiting processing in certain circumstances
• Portability: Providing data in a structured, machine-readable format
• Objection: Ceasing processing based on legitimate interests

Data subject requests should be directed to info@rivierabusinesspark.com.

8. Data Breach Notification

In the event of a personal data breach, we will:

• Notify affected customers without undue delay and within 72 hours where feasible
• Provide details of the nature, scope, and likely consequences of the breach
• Describe measures taken to address the breach and mitigate harm
• Provide contact information for further inquiries
• Assist with regulatory notifications as required

9. International Data Transfers

Personal data may be transferred to and processed in countries outside the United States, including:

• European Union (for certain service providers)
• Other countries where our service providers operate

All international transfers are protected by appropriate safeguards, including standard contractual clauses, adequacy decisions, or other approved transfer mechanisms.

10. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill processing purposes:

• Customer data: Duration of relationship plus 7 years for legal requirements
• Marketing data: Until consent is withdrawn or 3 years of inactivity
• Security data: 12 months unless required for investigations
• Communication data: 3 years for business purposes

Upon contract termination, we will delete or return personal data as directed by the customer, except where retention is required by law.

11. Compliance and Audit

We maintain compliance with applicable data protection laws and regulations:

• Regular compliance assessments and reviews
• Documentation of processing activities and security measures
• Staff training and awareness programs
• Cooperation with regulatory authorities

Customers may request information about our compliance measures and, upon reasonable notice, conduct audits of our data processing activities.

12. Contact Information

For questions about this DPA or our data processing activities: