ZENTARIAS TECHNOLOGIES LLC

DATA PROTECTION ADDENDUM (DPA)

Effective Date: April 15, 2026
Service Provider: Zentarias Technologies LLC
Document Version: 1.0
Legal Contact: legal@zentarias.com
Website: www.zentarias.com

CONFIDENTIAL DOCUMENT — This Data Protection Addendum contains legally binding obligations regarding the handling of Personal Information. It is intended solely for the parties identified herein and their authorized representatives.

Preamble

This Data Protection Addendum ("Addendum" or "DPA") sets forth the minimum data protection standards that Zentarias Technologies LLC ("Service Provider") is required to observe in connection with its delivery of services to You and/or your Affiliates ("Company"), and to the extent it otherwise accesses, processes, or handles Personal Information (as defined below) in the course of providing such services.

This Addendum is entered into pursuant to, and forms an integral part of, the Zentarias Technologies LLC Terms of Service executed between Company and Service Provider. Capitalized terms not otherwise defined herein shall carry the meanings assigned to them in the Terms. In the event of any inconsistency or conflict between the provisions of this Addendum and the Terms, the terms of this Addendum shall control and prevail solely with respect to matters related to data protection.

1. EFFECT OF THIS ADDENDUM

This Addendum supplements and modifies the Terms solely to the extent necessary to address the data protection obligations of the parties. Except as expressly modified herein, all other provisions of the Terms remain in full force and effect and are hereby ratified and confirmed. The obligations set forth in this Addendum shall survive the expiration or termination of the Terms for the period specified in Section 7 below.

2. DEFINITIONS

For the purposes of this Addendum, the following terms shall have the meanings set forth below:

2.1 "Applicable Law"

means any federal, state, or provincial statute, regulation, directive, or binding governmental guidance applicable to the products or services provided under the Terms that governs or relates to the confidentiality, security, permitted use, and availability of Personal Information, including but not limited to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and any other applicable U.S. state privacy laws.

2.2 "Personal Information"

means any data or information, in any form or medium, that relates to an identified or reasonably identifiable natural person ("Data Subject") as defined under Applicable Law. A natural person is considered identifiable when they can be identified, directly or indirectly, by reference to one or more identifiers such as a name, government-issued identification number, precise geolocation data, an online identifier, device identifier, or by reference to factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social characteristics of that individual.

2.3 "Sale" / "Sell"

shall carry the meaning assigned to it under Section 1798.140(ad) of the California Civil Code, as amended from time to time, and any successor provision thereto.

2.4 "Security Incident"

means any confirmed or reasonably suspected breach of security affecting systems under the management, control, or responsibility of Service Provider, which results or may result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Personal Information, as such events are defined under Applicable Law.

2.5 "Share"

shall carry the meaning assigned to it under Section 1798.140(ah) of the California Civil Code, as amended from time to time, and any successor provision thereto.

2.6 "Services"

means the fleet management technology services, including GPS tracking, telematics, driver management, predictive maintenance, fuel monitoring, and related features provided by Zentarias Technologies LLC to Company pursuant to the Terms.

3. SERVICE PROVIDER REPRESENTATIONS AND WARRANTIES

3.1 Regulatory Classification

Zentarias Technologies LLC represents and warrants that, as of the effective date of this Addendum and throughout the duration of the Terms, it qualifies as a "service provider" as that term is defined under Applicable Law with respect to the Services rendered to Company. This representation is made in good faith based on the nature of the Services and the obligations undertaken herein, and Service Provider shall promptly notify Company if circumstances arise that may affect this classification.

3.2 Compliance Commitment

Service Provider further represents that it maintains and enforces internal policies, procedures, and technical measures designed to ensure ongoing compliance with the obligations set forth in this Addendum and with all requirements of Applicable Law relating to the handling of Personal Information.

4. DATA PROCESSING RESTRICTIONS AND OBLIGATIONS

4.1 Prohibition on Sale or Sharing

Zentarias Technologies LLC, and any subcontractor engaged by Service Provider, is strictly prohibited from Selling or Sharing any Personal Information received from, or collected on behalf of, Company. This prohibition applies regardless of the form, medium, or channel through which such Personal Information is obtained.

4.2 Purpose Limitation

Service Provider shall process Personal Information exclusively for the purpose of delivering the Services as described in the Terms and in any applicable Statement of Work. Any use, disclosure, or transfer of Personal Information beyond the scope of those stated purposes is prohibited unless expressly authorized in writing by Company or required by Applicable Law.

4.3 Retention and Use Restrictions

Neither Zentarias Technologies LLC nor any of its subcontractors shall retain, use, or disclose Personal Information received from, or on behalf of, Company for any purpose other than the performance of the Services specified in an applicable Statement of Work, or as otherwise explicitly authorized under Applicable Law.

4.4 Prohibition on Cross-Context Use

Service Provider, and any engaged subcontractor, is expressly prohibited from retaining, using, or disclosing Personal Information received from, or on behalf of, Company for any commercial purpose that falls outside the specific business purposes enumerated in the Terms — including the servicing of any other business or client relationship — unless such use is expressly authorized by Applicable Law.

4.5 Relationship Boundaries

Personal Information received from, or on behalf of, Company shall not be processed, used, or disclosed by Zentarias Technologies LLC outside the scope and context of the direct business relationship established between Service Provider and Company under the Terms, except as may be required or permitted under Applicable Law.

4.6 Compliance with Applicable Law

Service Provider shall comply with all applicable provisions of Applicable Law governing the processing of Personal Information. This obligation includes, without limitation: (i) affording Personal Information the equivalent level of privacy protection required of Company under Applicable Law; (ii) cooperating in good faith with Company in responding to, and facilitating compliance with, any Data Subject rights requests made pursuant to Applicable Law; and (iii) implementing and maintaining reasonable and appropriate technical, administrative, and organizational security measures commensurate with the sensitivity, volume, and nature of the Personal Information processed.

4.7 Company's Right to Verify

Company reserves the right to take reasonable and appropriate steps to verify and ensure that Zentarias Technologies LLC processes Personal Information in a manner consistent with Company's obligations under Applicable Law. Service Provider agrees to cooperate with such verification efforts, including by providing relevant documentation and access to information as reasonably requested.

4.8 Notification of Non-Compliance

In the event that Service Provider determines, at any point during the term of the Terms, that it is unable to fulfill or sustain any of its obligations under Applicable Law or this Addendum, Service Provider shall notify Company in writing no later than five (5) business days following the date on which such determination is made. Such notification shall describe the nature and scope of the non-compliance and the measures Service Provider intends to take to address it.

4.9 Documentation of Data Subject Rights

Upon Company's written request, Service Provider shall provide documentation sufficient to demonstrate: (i) that Personal Information of Data Subjects who have submitted a valid and unexcepted deletion request has been permanently removed from Service Provider's systems and no longer retained or used; (ii) that Personal Information of Data Subjects who have submitted a valid and unexcepted request to limit the processing of Sensitive Personal Information has been restricted in accordance with such request; and (iii) that Service Provider does not Sell or Share Personal Information of any Data Subject, as those terms are defined under Applicable Law.

4.10 Data Subject Request Forwarding

Upon receipt of any Data Subject request made pursuant to Applicable Law — whether directed to Zentarias Technologies LLC or to Company — Service Provider shall promptly inform Company of such request and shall provide all information reasonably necessary to enable Company to evaluate, respond to, and comply with the request within the timeframes required by Applicable Law.

5. SECURITY INCIDENT NOTIFICATION AND RESPONSE

5.1 Incident Notification

Upon becoming aware of a Security Incident, Zentarias Technologies LLC shall: (a) notify Company without undue delay and in sufficient time for Company to satisfy any notification obligations it may have under Applicable Law; and (b) take immediate and reasonable steps to contain, mitigate, and remediate the effects of the Security Incident and minimize any resulting harm to Data Subjects or Company.

5.2 Notification Content and Cooperation

The notification provided by Service Provider pursuant to Section 5.1 shall include, to the extent reasonably practicable and available at the time of notification, a description of: the nature and scope of the Security Incident; the categories and approximate number of Data Subjects and records affected; the likely consequences of the incident; and the measures taken or proposed to address it. Service Provider shall further assist Company in fulfilling any personal data breach notification obligations Company may have toward regulatory authorities or Data Subjects under Applicable Law.

5.3 Exclusion of Unsuccessful Incidents

The parties acknowledge and agree that not every security-related event constitutes a Security Incident subject to the notification obligations of this Section. Events that do not result in actual unauthorized access to Personal Information — including, without limitation, routine network probes, broadcast-level firewall pings, port scans, failed authentication attempts, volumetric denial-of-service attacks, and packet inspection that does not yield access to content beyond network headers — shall be classified as unsuccessful Security Incidents and are expressly excluded from the scope of this Section 5.

6. AUDIT RIGHTS AND COMPLIANCE VERIFICATION

Zentarias Technologies LLC shall, upon written request from Company, make available such information as is reasonably necessary to demonstrate Service Provider's compliance with its obligations under Applicable Law and this Addendum. As a primary means of demonstrating such compliance, Service Provider may furnish to Company an independent third-party audit report — such as a Service Organization Control 2 (SOC 2) Type 2 report conducted by an American Institute of Certified Public Accountants (AICPA) accredited firm — covering the relevant systems, applications, and services used in the delivery of Services to Company.

In the event that Service Provider does not provide such a third-party audit report, Company shall have the right, upon reasonable advance written notice and subject to mutual agreement on timing and scope, to conduct or commission an independent audit of those Service Provider systems reasonably necessary to verify compliance with Service Provider's obligations under the Terms and this Addendum. Any such audit shall be conducted in a manner that minimizes disruption to Service Provider's operations, and costs shall be allocated as agreed by the parties in advance.

7. OBLIGATIONS UPON TERMINATION OR EXPIRATION

Following the expiration or termination of the Terms for any reason, and upon Company's written direction, Zentarias Technologies LLC shall, within thirty (30) calendar days of such expiration or termination: (i) return all Personal Information obtained exclusively in connection with the performance of Services to Company, in a mutually agreed-upon format that enables reasonable portability; or (ii) securely and irreversibly destroy all such Personal Information using industry-standard data destruction methods.

Service Provider shall provide Company with prompt written confirmation once all Personal Information has been returned or destroyed, as applicable, in accordance with Company's direction. Notwithstanding the foregoing, Service Provider may retain copies of Personal Information where continued storage is explicitly required or otherwise permitted under Applicable Law. In such cases, the data protection obligations of this Addendum shall continue to apply in full to any retained Personal Information, and Service Provider shall only process such data for the purposes permitted by Applicable Law.

For the avoidance of doubt, the obligations set forth in this Addendum with respect to retained Personal Information shall survive the termination or expiration of the Terms for as long as Service Provider continues to hold such data.
