This Data Protection Addendum ("Addendum"), dated the date You accept this Addendum, and effective as of the Addendum Effective Date (as defined below), forms part of the Terms of Service ("Terms") between (i) Juntrax Solutions LLC and (ii) (the "Customer"), each being a "Party" and together the "Parties". The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Terms and references in this Addendum to the Terms are to the Terms as amended by, and including, this Addendum.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

• (a) "Addendum Effective Date" has the meaning given to it in Section 2;
• (b) "Affiliate" means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with either Customer or Juntrax Solutions LLC (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
• (c) "Customer Personal Data" means any Personal Data Processed by Juntrax Solutions LLC (i) on behalf of Customer (including, for the sake of clarity, any Customer Affiliate), or (ii) otherwise Processed by Juntrax Solutions LLC, in each case pursuant to or in connection with instructions given by Customer in writing, consistent with the Terms;
• (d) "Controller to Processor SCCs" means the standard contractual clauses for controller-to-processor transfers approved by the European Commission, as revised or replaced from time to time;
• (e) "Data Protection Laws" means (i) Regulation (EU) 2016/679 ("GDPR") together with applicable EU and UK implementing legislation; (ii) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, "CCPA"); and (iii) any other applicable data protection or privacy law, regulation, or guidance relating to the Processing of Personal Data.
• (f) "Services" means the services to be supplied by Juntrax Solutions LLC to Customer or Customer Affiliates pursuant to the Terms.

1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor" and "Supervisory Authority" have the same meanings as described in applicable Data Protection Laws and cognate terms shall be construed accordingly.

1.3 Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Terms.

2. Formation of this Addendum

This Addendum is deemed agreed by the Parties, and comes into effect on the Addendum Effective Date, being the later of (i) the date that this Addendum is accepted by Customer; and (ii) the effective date of the Terms.

3. Roles of the Parties

For purposes of the CCPA, the Parties acknowledge that Customer is a Business and Juntrax Solutions LLC is a Service Provider (and.latestly a Processor) as those terms are defined under the CCPA, and Juntrax Solutions LLC shall not Sell or Share Personal Information, nor retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the Services specified in the Terms or as otherwise permitted under the CCPA.

The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data, and as more fully described in Annex 1 hereto, Customer acts as a Controller and Juntrax Solutions LLC acts as a Processor.

Customers shall be solely responsible for ensuring timely communications to its Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required under applicable Data Protection Laws.

4. Description of Personal Data Processing

In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Customer Personal Data by Juntrax Solutions LLC pursuant to this Addendum, as required by Article 28(3) of the GDPR. Either Party may make reasonable amendments to Annex 1 by written notice to the other Party as necessary to meet legal requirements. Annex 1 does not create any obligation or rights for any Party.

5. Data Processing Terms

5.1 Customer Obligations

Customers shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Customer shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Juntrax Solutions LLC of Customer Personal Data.

5.2 Juntrax Solutions LLC Obligations

In addition to its obligations under the GDPR, Juntrax Solutions LLC shall comply with the CCPA requirements applicable to Service Providers, including Sections 1798.100(d), 1798.140(ag), and related provisions. Juntrax Solutions LLC shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data and shall:

• 5.2.1 Process Customer Personal Data solely on documented instructions of Customer and only for the purposes of providing the Services;
• 5.2.2 Ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations;
• 5.2.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
  • pseudonymization and encryption;
  • ongoing confidentiality, integrity, availability, and resilience;
  • timely restoration of availability following incidents; and
  • regular testing and evaluation of security measures;
• 5.2.4 Be authorized to engage sub-processors listed in Annex 2, subject to equivalent data protection obligations and prior notification to Customer;
• 5.2.5 Assist Customer, where reasonably required, in responding to Data Subject requests;
• 5.2.6 Notify Customer without undue delay of any Personal Data Breach involving Customer Personal Data;
• 5.2.7 Assist Customer with compliance obligations under Articles 32–36 of the GDPR, where applicable;
• 5.2.8 Upon termination or expiry of the Terms, delete or return Customer Personal Data, including CCPA Personal Information, at Customer's direction, unless retention is required by applicable law;
• 5.2.9 Make available information reasonably necessary to demonstrate compliance with this Addendum and allow audits on reasonable notice.

6. Transfers

For the avoidance of doubt, CCPA does not restrict cross-border transfers, provided that Juntrax Solutions LLC acts solely as a Service Provider and processes Personal Information in accordance with this Addendum.

Juntrax Solutions LLC maintains an Information Security Management System aligned with ISO/IEC 27001:2022. Where transfers of Personal Data outside the EEA or UK occur, the Parties agree to rely on appropriate safeguards, including the Controller to Processor SCCs, as required under applicable Data Protection Laws.

7. Precedence

In the event of any inconsistency between this Addendum and the Terms, this Addendum shall prevail.

8. Indemnity

To the extent permitted by law, Customer shall indemnify and hold harmless Juntrax Solutions LLC against losses, claims, fines, and expenses arising from Customer's breach of this Addendum or applicable Data Protection Laws.

9. Severability

If any provision of this Addendum is held unenforceable, the remaining provisions shall remain in full force and effect.

10. Additional Privacy Commitments

Juntrax Solutions LLC further represents and warrants that, with respect to CCPA-regulated Personal Information:

• it shall not Sell or Share Personal Information;
• it shall not combine Personal Information with data received from other sources except as permitted under the CCPA;
• it shall notify Customer if it determines it can no longer meet its obligations as a Service Provider;
• it shall allow and cooperate with reasonable assessments to verify compliance with CCPA Service Provider obligations.

In addition, Juntrax Solutions LLC confirms that:

• Processing follows privacy by design and by default;
• Personal Data is not used for marketing or advertising;
• Breaches involving Personal Data are notified without undue delay;
• Data is deleted or de-identified after completion of the agreed retention period;
• Legally binding requests for disclosure are notified to customers in advance where permitted by law.

Data Protection Officer (DPO)

For access, correction, erasure, or privacy-related concerns, contact:

Name: Harsh Gupta

Email: dpo@juntrax.com

Contact Number: 510-516-2549

Annex 1 – Description of Processing of Customer Personal Data

• Subject matter and duration: As set out in the Terms.
• Nature and purpose: Due diligence and background verification services.
• Categories of Data Subjects: Employees and contractors of Customer.
• Types of Personal Data: Name, address, date of birth, contact details, education, employment details, identifiers.
• Special categories: None.
• Data exporter: Customer.
• Data importer: Juntrax Solutions LLC.

Annex 2 – Authorized Sub-processors