Data Protection Policy

This Data Protection Policy (“DPP”) is between Client and JumpCrew LLC (“JumpCrew”) and forms a part
of the Master Services Agreement, and any applicable Statement of Work, entered into between Client and
JumpCrew under which JumpCrew provides Services to Client as described therein (“Agreement”).

1. Purpose. This DPP describes the minimum information security standards that JumpCrew maintains to
protect the confidentiality, integrity and availability of the information that Client provides to JumpCrew
under the Agreement (“Client Materials”).


2. Security Program. JumpCrew maintains a written security program that includes administrative,
technical and physical safeguards reasonably designed to protect the confidentiality, integrity and
availability of Client Materials. JumpCrew agrees that it will not materially diminish the protections and
controls of its Security Program during the term of the Agreement with Client.


3. Pseudonymization and Encryption of Personal Data. JumpCrew pseudonymizes Personal Data (as that
term is defined in the General Data Protection Regulation (GDPR) and as applicable in analogous US
federal and state privacy laws and regulations) where appropriate and encrypts Client Personal Data in
transit and at rest using encryption in accordance with its Security Documentation.


4. Business Continuity Plan. JumpCrew has a business continuity and disaster recovery plan in place to
manage significant disruptions to JumpCrew’s operations and infrastructure. The plan is appropriate
based on the size, scope and complexity of JumpCrew’s operations.


5. Access Control. JumpCrew has access controls in place designed to maintain the confidentiality and
security of Client Materials. Controls include, as appropriate, authorization and authentication processes
for physical and logical access to facilities, systems, networks and devices that handle Client Materials.
Access is granted based on the principle of least privilege. As appropriate, JumpCrew logs, monitors, and
reviews access on a regular basis at a frequency commensurate with risk. JumpCrew will enforce its then-
current password policy with respect to password management.


6. Physical Security. JumpCrew has physical and environmental controls that are commensurate to the risk
for Client Materials and for the JumpCrew equipment, assets, or facilities used to hold and process Client
Materials.


7. Log Management. JumpCrew collects and records log information and maintains system logs based on
residual risk and commensurate with industry expected operating practices. System logs include, but are
not limited to, operating system event logs, administrative access logs, user access logs and security event
logs. Such logs facilitate identifying the root cause of issues associated with a system issue or a Client
Materials Incident.


8. Asset Management. JumpCrew has an asset management program in place that appropriately classifies
and facilitates control and management of hardware and software assets throughout their lifecycle.


9. Risk Management. JumpCrew has a risk assessment and management process to identify, rate and treat
all identified risks to JumpCrew’s organization.


10. Human Resources Security. Prior to hiring, engaging or granting access to JumpCrew systems that store
Client Materials, JumpCrew conducts background checks for its employees that will have access to Client
Materials (“JumpCrew Personnel”) and provides security and privacy training. JumpCrew Personnel are 

4894-5286-4540, v. 1

subject to confidentiality provisions in their employment agreements or service contracts. JumpCrew
ensures responsibilities for information security and privacy are acknowledged by JumpCrew Personnel
and that JumpCrew Personnel comply with the terms of this DPP. JumpCrew is responsible to Client for
any acts or omissions of JumpCrew Personnel that result in a breach of this DPP. JumpCrew has a
disciplinary process for violations of Security Program requirements by JumpCrew Personnel.


11. Network Security. JumpCrew has appropriate network perimeter defense solutions in place, such as
Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) and firewalls to monitor, detect, and
prevent malicious network activity and restrict access to authorized users and services. JumpCrew will
have appropriate monitoring in place to detect and take appropriate action. JumpCrew reviews firewall
configurations and rules at least annually, and any significant changes to firewall rules will follow a
documented change management process.


12. Data Minimization. JumpCrew collects and processes data as necessary to provide the Services as set
forth in the Agreement and in accordance with this DPP and JumpCrew’s Privacy Policy, available at:
https://jumpcrew.com/privacy-policy/.


13. Secure Development. JumpCrew has a software development lifecycle (“SDLC”) methodology in place
that governs the acquisition, development, implementation, configuration, maintenance, modification and
management of JumpCrew’s infrastructure and software components as applicable. JumpCrew has
defined secure coding guidelines applicable to JumpCrew Personnel. Developers will receive secure code
training. JumpCrew’s SDLC program will include secure code reviews, vulnerability scanning and
security architecture reviews as appropriate.


14. Change Management. JumpCrew follows documented change management policies and procedures for
requesting, testing, and approving application, infrastructure, and product related changes. Changes will
undergo review and testing prior to approval for implementation. Changes are approved prior to
implementation to production, and only authorized individuals are allowed to move code into production.
JumpCrew maintains separate environments for development, testing and production.


15. Threat and Vulnerability Management and Security Testing. JumpCrew has threat and vulnerability
management processes that include on-going monitoring for vulnerabilities that are acknowledged by
JumpCrew, reported by researchers, or discovered internally through vulnerability scans, or identified by
JumpCrew’s personnel. JumpCrew has processes in place to document vulnerabilities and take appropriate
steps to remediate vulnerabilities based on risk. JumpCrew performs regular internal and external
vulnerability scans. JumpCrew conducts internal and external penetration tests to remediate vulnerabilities
identified in accordance with its Security Program.


16. Third Party Security. JumpCrew assesses the risks associated with any new and existing service
providers that have access to Client Materials. JumpCrew communicates security and confidentiality
requirements, as well as operational responsibilities, through contractual agreements that are
substantially as protective of Client Materials as the obligations within this DPP, with such service
providers. JumpCrew is responsible to Client for the performance of service providers that JumpCrew
uses to perform the Agreement and will remain liable to Client for the acts or omissions of its service
providers.


17. Security Breach and Notification. “Security Breach” means a security event that results in the accidental
or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Materials stored or
otherwise processed by JumpCrew. If there is a Security Breach, JumpCrew will (A) notify Client via
email without undue delay upon confirmation of a Security Breach, (B) reasonably cooperate with Client
with respect to any such Security Breach, and (C) take appropriate action as JumpCrew deems necessary
to mitigate risks or damages associated with the Security Breach to protect Client Materials from further
compromise. JumpCrew will take such other actions that may be required by applicable law as a result of
the Security Breach.


18. Data Portability and Erasure. JumpCrew processes support data portability and erasure.


19. Data Subject Requests. CRM or MAP data may be synced automatically with the JumpCrew Platform
depending on the CRM or MAP system used by the Client. Additionally, Data Subject Requests can be
submitted via [email protected].


20. Subprocessors. JumpCrew’s contracts with subprocessors that have access to Client Materials contain
technical and organizational measures substantially as protective as those outlined herein.


21. Termination. Upon expiration or termination of the Agreement, JumpCrew will delete or return Client
Materials pursuant to the terms of the Agreement regarding transition of Client Materials. The method of
destruction will be accomplished by purging or physical destruction commensurate with the Security
Program. Upon Client’s written request, JumpCrew will promptly certify in writing to Client that such
return or destruction has been completed.


22. CCPA. To the extent that in connection with the performance of the Services JumpCrew processes data
on Client’s behalf that is subject to the California Consumer Privacy Act of 2018 (CCPA), JumpCrew
shall (i) process Client Materials that is personal data subject to the CCPA only on Client’s instructions
and as set forth in this Agreement in accordance with the applicable terms of the CCPA, (ii) act as a
service provider with respect to such Client Materials that qualifies as personal information under the
CCPA, in accordance with the applicable terms of the CCPA, (iii) neither JumpCrew nor any subprocessor
of JumpCrew will disclose to nor transfer personal data to a subprocessor or any third party that qualifies
as “selling” personal data under the CCPA; and (iv) JumpCrew will maintain reasonable security
procedures and practices appropriate to the nature of the personal data disclosed by Client to JumpCrew,
to protect such personal data from unauthorized access, destruction or use, in accordance with applicable
requirements of the CCPA.