Data Protection Addendum & Security Schedule

(Integrated – Enterprise Version)

1. Purpose & Scope

This Data Protection Addendum and Security Schedule (“Addendum”) forms part of the Master Services Agreement (“MSA”) between Empera, Inc. (“Company”) and Customer. This Addendum applies to the extent Company processes Personal Data on behalf of Customer in connection with the Services.

2. Definitions

Personal Data means any information relating to an identified or identifiable individual.

Processing means any operation performed on Personal Data, whether automated or not.

Controller and Processor have the meanings assigned under applicable data protection laws.

3. Roles of the Parties

Customer acts as the Controller of Personal Data. Company acts as a Processor and shall process Personal Data solely in accordance with Customer’s documented instructions, this Addendum, and the MSA.

4. Scope of Processing

Processing may include the collection, transmission, storage, validation, matching, and reporting of employment, income, and identity-related information solely for the purpose of providing the Services.

5. Information Security Program (SOC-Adjacent)

Company maintains a written information security program designed to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. The program includes administrative, technical, and physical safeguards aligned with generally accepted, risk-based industry security frameworks.

Company does not represent or warrant compliance with, or certification under, SOC 2, ISO 27001, or similar standards unless expressly agreed in writing.

6. Administrative Safeguards

Company implements administrative safeguards including:

  • Documented security policies and procedures
  • Workforce security awareness and training
  • Role-based access controls
  • Incident response and escalation procedures

7. Technical Safeguards

Company implements technical safeguards including:

  • Encryption of data in transit
  • Authentication and authorization controls
  • System logging and monitoring
  • Secure development and change management practices

8. Physical Safeguards

Company implements physical safeguards including:

  • Restricted access to systems and infrastructure
  • Use of secure, reputable hosting environments

9. Subprocessors

Company may engage subprocessors to assist in providing the Services. Company remains responsible for subprocessors’ compliance with this Addendum and shall make available a list of subprocessors upon request.

10. Data Subject Rights Assistance

Company shall reasonably assist Customer in responding to data subject requests, to the extent required by applicable law and limited to Personal Data processed by Company.

11. Personal Data Breach Notification

Company shall notify Customer without undue delay upon becoming aware of a confirmed Personal Data breach and shall cooperate in reasonable remediation efforts.

12. Data Retention and Deletion

Upon termination of the Services, Company shall delete or return Personal Data in accordance with Customer’s instructions, unless retention is required by applicable law.

13. Audit & Compliance Information

Upon reasonable written request and no more than once annually, Company shall make available information reasonably necessary to demonstrate compliance with this Addendum, which may include written security summaries or policies.

14. International Transfers

Where Personal Data is transferred internationally, such transfers shall be conducted in accordance with applicable data protection laws and recognized transfer mechanisms.

15. Limitation of Liability

Liability arising under this Addendum is subject to the limitations of liability set forth in the MSA.

16. Governing Law

This Addendum is governed by the governing law specified in the MSA.