VETLOOP, INC. Data Processing Addendum Effective Date: March 2026 | Version 1.0 This Data Processing Addendum (“DPA”) supplements and forms part of the VetLoop Platform Terms and Conditions (“Agreement”) between VetLoop, Inc. (“Processor” or “VetLoop”) and the Customer identified in the Agreement (“Controller” or “Customer”). This DPA governs VetLoop’s processing of Personal Data on behalf of Customer under applicable Data Protection Laws. Where this DPA conflicts with the Agreement, this DPA shall control with respect to data processing matters. Where a Business Associate Agreement (“BAA”) is in effect between the parties, the BAA shall control with respect to PHI as defined therein. This DPA addresses obligations under state consumer privacy laws that are not covered by, or that supplement, the BAA. 1. Definitions “Data Protection Laws” means all applicable data privacy and protection laws and regulations, including without limitation the Texas Data Privacy and Security Act (TDPSA, Tex. Bus. & Com. Code §§ 541.001 et seq.), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Virginia Consumer Data Protection Act (VCDPA), and any other state, federal, or international data protection law that applies to VetLoop’s processing of Personal Data on behalf of Customer. “Personal Data” means any information that identifies or is reasonably capable of being associated with an identified or identifiable individual, as defined under applicable Data Protection Laws, that is processed by VetLoop on behalf of Customer through the VetLoop platform. Personal Data includes, without limitation, Owner PII, pet owner contact information, and any other data that constitutes “personal data,” “personal information,” or equivalent term under applicable Data Protection Laws. “Sensitive Data” means Personal Data that constitutes “sensitive data” or “sensitive personal information” under applicable Data Protection Laws, including precise geolocation data, and any data requiring express opt-in consent for processing. For the avoidance of doubt, veterinary clinical data (diagnoses, treatment records, and pet health information) is not classified as Sensitive Data under current Data Protection Laws; however, VetLoop applies equivalent safeguards to veterinary clinical data as a best practice. “Sub-processor” means any third-party engaged by VetLoop to process Personal Data on behalf of Customer in connection with the VetLoop platform. “De-Identified Data” means data that has been processed in accordance with industry-standard de-identification methods (including methods consistent with the HIPAA Safe Harbor standard at 45 C.F.R. § 164.514(b)) such that the data cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual. De-Identified Data is not Personal Data for purposes of this DPA. “Aggregated Data” means data that relates to a group or category of consumers or data subjects, from which individual identities have been removed, and that is not linked or reasonably linkable to any individual. Aggregated Data is not Personal Data for purposes of this DPA. 2. Roles, Scope, and Processing Purposes 2.1 Controller and Processor Roles. Customer is the Controller of Personal Data submitted to the VetLoop platform. VetLoop is the Processor of such Personal Data and processes it only in accordance with Customer’s documented instructions as set forth in this DPA, the Agreement, and any applicable order or onboarding communication. VetLoop shall not process Personal Data for purposes other than those set forth herein unless required by applicable law, in which case VetLoop shall inform Customer of such legal requirement prior to processing (unless prohibited by law from doing so). 2.2 Categories of Data Subjects. Personal Data processed under this DPA relates to the following categories of data subjects: pet owners and guardians; veterinary practice staff, clinicians, and administrators; referral coordinators; and any other individuals whose Personal Data is submitted to the VetLoop platform by Customer. 2.3 Categories of Personal Data. Personal Data processed under this DPA includes: names, email addresses, phone numbers, mailing addresses, and other contact information of pet owners and practice staff; Google OAuth authentication tokens; and any other Personal Data submitted to the VetLoop platform by Customer in connection with referral transactions, practice profiles, or account setup. 2.4 Documented Processing Purposes. Customer instructs VetLoop to process Personal Data for the following purposes, which together constitute Customer’s complete documented instructions to VetLoop: • Providing, operating, maintaining, and improving the VetLoop platform and its referral management, practice network, patient record, messaging, document management, and analytics features; • Creating, transmitting, tracking, completing, and archiving veterinary referrals and associated clinical data between general practice veterinarians and specialty/emergency clinics; • Facilitating real-time communication and collaboration between referring and receiving practices and practitioners; • Sending transactional and operational email notifications, reminders, and platform communications via SendGrid or equivalent service providers; • Authenticating users and managing account access, permissions, and role-based access controls; • Generating operational performance analytics, referral metrics, practice statistics, and network visualization dashboards for Customer and, in aggregated form, for VetLoop’s platform-wide reporting; • Fulfilling VetLoop’s obligations as a medical record custodian, including retaining referral records, clinical data, and discharge documentation for the periods required by applicable state veterinary practice acts (7-year baseline retention); • Responding to and processing consumer privacy rights requests (access, correction, deletion, portability, opt-out) on behalf of Customer and directly from data subjects; • Complying with applicable legal obligations, including responding to lawful requests from regulatory authorities, courts, and law enforcement; • Any other processing reasonably necessary to perform VetLoop’s obligations under the Agreement, as communicated by Customer to VetLoop in writing from time to time. 2.5 De-Identification and Aggregation. Customer hereby authorizes and instructs VetLoop to de-identify and aggregate Personal Data and Customer Data for the following purposes, which the parties agree fall outside the scope of “processing” of Personal Data once de-identification or aggregation is complete: • Improving the VetLoop platform, products, services, and features; • Developing new products, features, and service offerings; • Training, developing, and improving artificial intelligence, machine learning, and analytical models for operational efficiency optimization, referral workflow improvement, process modeling, capacity planning, and platform enhancement; • Analyzing, comparing, and benchmarking referral operations, conversion rates, scheduling performance, closed-loop rates, and other operational metrics across VetLoop’s customer base; • Producing de-identified industry insights, market intelligence, research, and reporting for publication or distribution to VetLoop’s customers, partners, and the veterinary industry; • Building and enriching VetLoop’s referral network intelligence, facility graph, and practice network analytics using de-identified referral flow patterns, geographic distribution data, and specialty utilization trends; • Any other use of De-Identified Data or Aggregated Data that is permitted under applicable Data Protection Laws without Controller authorization. VetLoop shall ensure that all de-identification is performed using methods that are consistent with industry standards (including the HIPAA Safe Harbor method) such that re-identification is not reasonably possible. VetLoop shall not attempt to re-identify De-Identified Data or Aggregated Data. Once data has been de-identified or aggregated in accordance with this Section 2.5, it ceases to constitute Personal Data and VetLoop may retain and use such data indefinitely, including after termination of the Agreement. 3. VetLoop’s Obligations as Processor 3.1 Processing Limitations. VetLoop shall process Personal Data only in accordance with Customer’s documented instructions as set forth in this DPA and the Agreement. VetLoop shall not sell Personal Data, share Personal Data for cross-context behavioral advertising, or process Personal Data for purposes materially different from or incompatible with the purposes described in Section 2.4 and Section 2.5, except where required by applicable law. 3.2 Confidentiality. VetLoop shall ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether by contract or by statutory obligation. VetLoop shall ensure that access to Personal Data is limited to those personnel who require access to perform VetLoop’s obligations under the Agreement. 3.3 Security. VetLoop shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. VetLoop’s current security measures are described in Section 5 of the Agreement and include encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls with practice-level data isolation, multi-factor authentication, web application firewall, API rate limiting, and comprehensive audit logging. VetLoop shall periodically review and update these measures to address evolving threats and industry practices. 3.4 Security Breach Notification. VetLoop shall notify Customer without undue delay (and in no event later than seventy-two (72) hours after confirmation) of any Security Breach involving Personal Data processed under this DPA. Such notification shall include, to the extent reasonably available: a description of the nature of the breach; the categories and approximate number of data subjects affected; the likely consequences of the breach; and the measures taken or proposed to address the breach and mitigate its effects. VetLoop shall cooperate with Customer and provide reasonable assistance in Customer’s compliance with breach notification obligations under applicable Data Protection Laws. 3.5 Assistance with Consumer Rights Requests. VetLoop shall provide reasonable assistance to Customer in responding to requests from data subjects exercising their rights under applicable Data Protection Laws, including the right to confirm processing, access, correct, delete, and port Personal Data, and the right to opt out of the sale of Personal Data, targeted advertising, and profiling. VetLoop’s consumer rights process is described in Section 4.5 of the Agreement. VetLoop shall respond to authenticated requests within forty-five (45) days, with a possible forty-five (45) day extension where reasonably necessary. Deletion requests are subject to VetLoop’s medical record retention obligations as described in Section 4.2 of the Agreement and Section 5 of this DPA. Where full deletion is not possible due to a medical record hold, VetLoop will offer de-identification as an alternative where feasible. 3.6 Data Protection Assessments. VetLoop shall provide reasonable assistance to Customer in conducting data protection assessments (or equivalent assessments required under applicable Data Protection Laws) to the extent that such assessments relate to VetLoop’s processing of Personal Data on behalf of Customer. VetLoop may charge reasonable fees for assistance beyond that which is required to comply with VetLoop’s own obligations under applicable Data Protection Laws. 3.7 Audits and Inspections. VetLoop shall make available to Customer, upon reasonable request and subject to appropriate confidentiality obligations, all information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. VetLoop shall permit and contribute to audits and inspections conducted by Customer or a qualified third-party auditor designated by Customer, subject to reasonable advance notice (not less than thirty (30) days), scope limitations to avoid disruption of VetLoop’s operations, and reasonable confidentiality protections. Customer shall bear the costs of any audit it requests. VetLoop may satisfy audit requests by providing relevant SOC 2 reports, penetration test summaries, or other third-party certifications in lieu of on-site audits, where such documentation reasonably addresses Customer’s audit objectives. 4. Sub-processors 4.1 Authorization. Customer hereby provides general written authorization for VetLoop to engage Sub-processors to process Personal Data in connection with the VetLoop platform. VetLoop’s current Sub-processors are identified in Section 2(d) of the BAA and Section 8 of VetLoop’s Vendor Risk Assessment (available upon request or through VetLoop’s Trust Center). 4.2 Sub-processor Obligations. VetLoop shall enter into written agreements with each Sub-processor that impose data protection obligations no less protective than those set forth in this DPA, to the extent applicable to the nature of the processing performed by the Sub-processor. VetLoop shall remain liable to Customer for the acts and omissions of its Sub-processors to the same extent as if VetLoop had performed the processing itself. 4.3 Changes to Sub-processors. VetLoop shall notify Customer of any intended changes to its Sub-processors (additions or replacements) by updating the Sub-processor list on VetLoop’s website or Trust Center and providing at least thirty (30) days’ advance notice before the new Sub-processor begins processing Personal Data. If Customer objects to a new Sub-processor on reasonable grounds relating to data protection, Customer shall notify VetLoop in writing within fifteen (15) days of receiving notice. The parties shall work in good faith to resolve the objection. If resolution is not possible, Customer may terminate the affected portion of the Agreement without penalty. 5. Data Retention, Return, and Deletion 5.1 Retention During the Agreement. VetLoop shall retain Personal Data for the duration of the Agreement and for such additional periods as are necessary to comply with VetLoop’s legal obligations, including its obligations as a medical record custodian under applicable state veterinary practice acts. VetLoop’s Data Retention Policy (available at https://vet-loop.com/retention-policy or upon request) describes the specific retention periods applicable to each category of data. 5.2 Medical Record Data Hold. Personal Data that forms part of, or is linked to, Medical Record Data (as defined in the BAA and VetLoop’s Data Retention Policy) shall be retained for the duration of the applicable medical record retention period (7 years from the date of last treatment), regardless of the termination or expiration of the Agreement. This retention is a documented processing instruction from Customer, who acknowledges that VetLoop’s medical record custodian obligations require the continued processing (limited to secure storage, access control, and lawful disclosure) of such data after termination. VetLoop will not delete, destroy, or return Medical Record Data prior to the expiration of the applicable retention period, even upon Customer request, unless permitted by applicable law. 5.3 Return and Deletion Upon Termination. Upon termination or expiration of the Agreement, and subject to the medical record data hold described in Section 5.2: • VetLoop shall provide Customer with a complete export of Customer’s Personal Data within thirty (30) days of the effective termination date, in a structured, commonly used, and machine-readable format; • Following the export period, VetLoop shall delete or de-identify all Personal Data that is not subject to a medical record data hold or other legal retention obligation, within ninety (90) days; • VetLoop shall certify in writing, upon Customer’s request, that deletion has been completed in accordance with this Section 5.3; • For Personal Data subject to a medical record data hold, VetLoop shall continue to apply the protections of this DPA until the data is deleted or de-identified at the expiration of the retention period. 5.4 De-Identified and Aggregated Data Survival. For the avoidance of doubt, De-Identified Data and Aggregated Data derived from Personal Data during the term of the Agreement are not subject to deletion or return obligations under this Section 5. VetLoop may retain and use such data indefinitely in accordance with Section 2.5. 6. Data Transfers VetLoop processes Personal Data within the United States. If VetLoop transfers Personal Data outside the United States, VetLoop shall ensure that appropriate safeguards are in place in accordance with applicable Data Protection Laws, including standard contractual clauses or other approved transfer mechanisms. VetLoop shall notify Customer of any material change in the geographic location of Personal Data processing. 7. Sensitive Data To the extent Customer submits Sensitive Data (as defined in Section 1) to the VetLoop platform, Customer represents that it has obtained all required consents from data subjects for VetLoop to process such Sensitive Data in accordance with this DPA and the Agreement. VetLoop shall apply appropriate safeguards to Sensitive Data, including the technical and organizational measures described in Section 3.3. VetLoop shall not process Sensitive Data for any purpose other than those set forth in Section 2.4. 8. Liability Each party’s liability under this DPA shall be subject to the limitations and exclusions set forth in the Agreement. This DPA does not create any independent or additional liability beyond that established in the Agreement, except to the extent that applicable Data Protection Laws require otherwise and such requirements cannot be contractually limited. 9. General Provisions 9.1 Relationship to Agreement and BAA. This DPA supplements the Agreement and, where applicable, the BAA. In the event of a conflict: (a) the BAA controls with respect to PHI as defined therein; (b) this DPA controls with respect to Personal Data processing matters not addressed by the BAA; and (c) the Agreement controls with respect to all other matters. Terms not defined in this DPA have the meanings given in the Agreement or the BAA, as applicable. 9.2 Modification. VetLoop may update this DPA from time to time to reflect changes in applicable Data Protection Laws, VetLoop’s processing activities, or industry practices. VetLoop shall provide Customer with at least thirty (30) days’ advance written notice of material changes. Continued use of the VetLoop platform after the effective date of such changes constitutes acceptance. If Customer does not agree to the updated DPA, Customer may terminate the Agreement prior to the effective date of the changes without penalty. 9.3 Governing Law. This DPA shall be governed by and construed in accordance with the laws of the State of Texas, without regard to conflicts of law provisions. To the extent that a Data Protection Law of another jurisdiction applies to VetLoop’s processing of Personal Data on behalf of Customer, that law shall apply to the processing activities within its scope, and the parties shall comply with such law in addition to their obligations under this DPA. 9.4 Severability. If any provision of this DPA is found to be invalid or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid and enforceable, or if modification is not possible, severed from this DPA. The remaining provisions shall continue in full force and effect. 9.5 Entire Agreement on Processing. This DPA, together with the Agreement and, where applicable, the BAA, constitutes the complete agreement between the parties with respect to VetLoop’s processing of Personal Data on behalf of Customer, and supersedes all prior or contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such processing.  SCHEDULE A: Processing Details The following table summarizes the processing activities authorized under this DPA. This schedule is provided for reference and convenience; in the event of any conflict between this schedule and the body of the DPA, the body shall control. Element Details Subject Matter Processing of Personal Data in connection with VetLoop’s cloud-based veterinary referral management platform Duration Term of the Agreement plus any post-termination retention period required by applicable law or VetLoop’s Data Retention Policy Nature of Processing Collection, storage, organization, structuring, retrieval, consultation, use, disclosure by transmission, alignment, combination, restriction, erasure, destruction, de-identification, and aggregation Purpose of Processing As set forth in Section 2.4 (Documented Processing Purposes) and Section 2.5 (De-Identification and Aggregation) Data Subjects Pet owners/guardians, veterinary practice staff, clinicians, administrators, referral coordinators, and other individuals whose Personal Data is submitted to VetLoop by Customer Categories of Personal Data Names, email addresses, phone numbers, mailing addresses, Google OAuth tokens, and any other Personal Data submitted by Customer through referral transactions, practice profiles, or account management Sensitive Data Precise geolocation (if submitted); veterinary clinical data (not classified as Sensitive Data under current law, but treated with equivalent safeguards) Retention Per VetLoop Data Retention Policy: Medical Record Data (Tier 1): 7 years from last treatment. Owner PII (Tier 2): Relationship + 7 years or until deletion (subject to Tier 1 hold). Practice/Operational (Tier 3): Relationship + 3 years. Platform/System (Tier 4): Variable (30 days to 7 years by type). De-Identified/Aggregated: Indefinite. SCHEDULE B: Authorized Sub-processors The following Sub-processors are authorized as of the effective date of this DPA. VetLoop will maintain a current list at https://vet-loop.com/sub-processors or through VetLoop’s Trust Center. Sub-processor Service Data Processed Location / Certification Neon PostgreSQL Database All Customer Data (encrypted at rest) US / SOC 2 Type 2 DigitalOcean Cloud Infrastructure Infrastructure-level access US / SOC 2 Type 2, ISO 27001 Cloudflare CDN, WAF, DNS Traffic metadata Global / SOC 2 Type 2, ISO 27001 SendGrid (Twilio) Email Delivery Email addresses, message content US / SOC 2 Type 2, ISO 27001 Google Cloud OAuth Authentication User email for auth US / SOC 2 Type 2, ISO 27001 Amazon S3 File Storage Document attachments (encrypted) US / SOC 2 Type 2, ISO 27001 GitHub Source Code, CI/CD Source code (no Customer Data) US / SOC 2 Type 2 ACCEPTANCE By clicking “I Accept” or by executing the Agreement that incorporates this DPA, Customer confirms that it has read and understood this Data Processing Addendum, that it is authorized to bind Customer to this DPA, and that Customer agrees to be bound by all terms and conditions herein, including the processing instructions and authorizations set forth in Section 2. [ ☐ ] I Accept the VetLoop Data Processing Addendum This document is version 1.0, effective March 2026. Questions: legal@vet-loop.com | Privacy: privacy@vet-loop.com | Compliance: compliance@vet-loop.com