Employee Navigator Data Processing Addendum
(Last Updated on June 9, 2026)
This Data Processing Addendum (“Addendum”) sets forth the terms and conditions relating to the privacy and security of Personal Information (as defined below) associated with services to be rendered by Employee Navigator LLC, with an address at 7700 Wisconsin Ave, Suite 900, Bethesda, MD 20814, United States (“Employee Navigator”), pursuant to the Master Terms and Conditions for Subscriptions and Services or other Employee Navigator agreement that references this Addendum (the “Agreement”). The terms set forth herein shall apply to entities that have entered into the Agreement with Employee Navigator (hereafter, each such entity is referred to as “Company”). All capitalized terms not defined herein shall have the meanings set forth in Exhibit A or, if not defined therein, in the Agreement.
WHEREAS, Company shall provide Employee Navigator with access to Personal Information in connection with certain services performed and certain solutions provided by Employee Navigator for or on behalf of Company and/or its Authorized Users pursuant to the Agreement (“Services”).
NOW THEREFORE, in consideration of the mutual covenants and agreements in this Addendum and the Agreement and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, Company and Employee Navigator agree as follows:
I. Roles and Responsibilities of the Parties
(A) The Parties acknowledge and agree that with respect to the Processing of Personal Information under this Addendum, Employee Navigator shall process Personal Information as a processor or sub-processor on behalf of and under the Instructions of Company.
(B) The Personal Information that Company discloses to Employee Navigator is provided to Employee Navigator for the limited and specified purposes described in Schedule 1 of this Addendum.
II. Obligations of Employee Navigator
(A) Employee Navigator shall Process Personal Information in accordance with the Instructions of Company, and as necessary to perform the Services specified in Schedule 1 of this Addendum (which the Parties acknowledge and agree are for Company’s Business Purposes), unless otherwise required by law, in which case Employee Navigator shall inform Company of that legal requirement before Processing the Personal Information, unless informing Company is prohibited by law. Employee Navigator shall inform Company if, in Employee Navigator’s opinion, an Instruction provided infringes applicable Data Protection Law.
(B) Employee Navigator shall ensure that any person authorized by Employee Navigator to Process Personal Information is subject to a duly enforceable contractual or statutory confidentiality obligation;
(C) Employee Navigator shall not (1) Sell or Share Personal Information; (2) collect, retain, use, disclose or otherwise Process Personal Information (a) for any purpose, including a commercial purpose, other than for the specific purpose of providing the Services specified in Schedule 1, or (b) otherwise outside of the Parties’ business relationship;
(D) Employee Navigator shall not combine Personal Information received pursuant to the Agreement with personal information received from or on behalf of another person(s), or collected from Employee Navigator’s own interaction with individuals, unless permitted by applicable Data Protection Law;
(E) Employee Navigator shall promptly inform Company of any requests from Data Subjects to exercise their rights under Data Protection Law. Taking into account the nature of the Processing of Personal Information, Employee Navigator shall reasonably assist Company in fulfilling Company’s obligations to respond to a Data Subject’s request, including by providing relevant information in Employee Navigator’s possession that is not otherwise reasonably available to Company, and including, where applicable, by ceasing to process a Data Subject’s Personal Information at the request of Company.
(F) Personal Information may be Deidentified or Aggregated in the course of providing the Services. Employee Navigator shall not attempt to reidentify Deidentified information. If Employee Navigator Deidentifies Personal Information or receives Deidentified information from Company, Employee Navigator will: (1) take reasonable measures to ensure that the Deidentified information cannot be associated with a Data Subject or household, (2) publicly commit to maintain and use the data in Deidentified form and not to attempt to reidentify the information, and (3) contractually obligate recipients of the Deidentified data to comply with Data Protection Law and the terms of this Section II(F) of this Addendum;
(G) There may be instances where the Company may be replaced by a separate entity (“Successor Entity”) at the direction of Client. In such cases, Company will assign its rights and obligations under this Addendum to the Successor Entity and such Successor Entity shall become the “Company” under this Addendum. Employee Navigator shall retain, process and disclose the Personal Information to the Successor Entity as needed in order to facilitate continuity of the Services; and
(H) Employee Navigator will notify Company if Employee Navigator makes a determination that it can no longer meet its obligations under this Addendum.
III. Sub-Processing
(A) Employee Navigator may engage Sub-Processors to Process Personal Information on behalf of Company.
(B) Employee Navigator shall enter into a written agreement with each Sub-Processor that imposes obligations on the Sub-Processor that are substantially similar to those imposed on Employee Navigator under this Addendum.
(C) Employee Navigator shall maintain a list of Sub-Processors at http://www.employeenavigator.com/dpa-subprocessors.
IV. Compliance with Data Protection Law
(A) Employee Navigator shall comply with applicable Data Protection Law and provide the level of privacy protection for Personal Information as is required by applicable Data Protection Law.
(B) Company may take reasonable and appropriate steps, upon reasonable prior notice and to the extent required by applicable Data Protection Law, to ensure that Employee Navigator uses Personal Information in a manner consistent with Company’s obligations under applicable Data Protection Laws. If Company reasonably determines that Employee Navigator’s processing of Personal Information is unauthorized and not in compliance with applicable Data Protection Laws, Company may notify Employee Navigator of such concern and the parties shall cooperate in good faith to investigate and, where necessary, remediate the issue. Any actions taken by Company under this Section shall be reasonable, proportionate, and shall not unreasonably interfere with Employee Navigator’s business operations or performance of the Services.
(C) Company shall (i) ensure that it complies with its obligations under Data Protection Law in respect of any Personal Information it provides to Employee Navigator, including obligations to provide notice of Processing and obtain consent, to the extent applicable, and (ii) not provide any Instructions that would cause Employee Navigator to infringe applicable Data Protection Law.
V. Data Security
Employee Navigator shall maintain appropriate safeguards and security measures designed to ensure the security and confidentiality of Personal Information.
VI. Data Breach Notification
(A) Employee Navigator shall promptly inform Company of any Information Security Incident of which Employee Navigator becomes aware involving Personal Information in its possession. Employee Navigator shall inform Company of such information known by Employee Navigator regarding such Information Security Incident that is necessary for the Company to comply with its obligations under Data Protection Law.
(B) Employee Navigator shall reasonably cooperate with Company in Company’s reasonable and lawful efforts to mitigate such Information Security Incident, and shall provide such reasonable assistance as is reasonably required to enable Company to satisfy Company’s obligation to notify the relevant supervisory authority and Data Subjects of an Information Security Incident.
VII. Audit
(A) Employee Navigator shall, upon Company’s request and no more than once per calendar year, make available to Company information reasonably necessary to demonstrate compliance with the obligations set forth in this Addendum. If such information is insufficient to demonstrate compliance and Company has a reasonable, documented basis to believe that Employee Navigator is in material breach of its obligations under this Addendum, to the extent required by applicable Data Protection Law, Company may request an audit of Employee Navigator’s compliance with this Addendum. Any such audit shall: (1) occur no more than once per calendar year; (2) be conducted by an independent third-party auditor reasonably acceptable to Employee Navigator and bound by written confidentiality obligations no less protective than those contained herein; (3) be limited to records and systems directly relevant to the Processing of Personal Information under this Addendum; (4) exclude access to information relating to Employee Navigator’s other customers, internal financial information, trade secrets, proprietary information, and any information that could compromise the security or confidentiality of Employee Navigator’s systems; (5) be conducted in accordance with Employee Navigator’s security policies and procedures; (6) be conducted remotely, if requested by Employee Navigator, where reasonably feasible; and (7) be scheduled upon at least thirty (30) days’ prior written notice at a mutually agreed time and in a manner that does not unreasonably interfere with Employee Navigator’s business operations.
(B) Employee Navigator shall determine the reasonable scope, timing, duration, and manner of any audit. Company shall bear all costs and expenses associated with any audit, including any reasonable internal costs incurred by Employee Navigator in responding to or facilitating the audit. Company shall provide Employee Navigator with a copy of any audit findings and shall treat all audit results as Employee Navigator’s Confidential Information.
(C) Except as required by applicable law, Company shall have no right to conduct on-site inspections, penetration testing, vulnerability scanning, or other testing of Employee Navigator’s systems.
VIII. Termination
Upon termination of the Agreement, Employee Navigator shall, at Company’s election, delete all Personal Information in Employee Navigator’s possession, unless retention is required by applicable law. If Company does not provide instructions within thirty (30) days following termination, such lack of instruction shall be deemed authorization for Employee Navigator to delete the Personal Information.
EXHIBIT A
DEFINITIONS
(A) “Aggregate” means removing Data Subject identities from a group or category of Data Subjects, such that the resulting data is not linked or reasonably linkable to any Data Subject or household.
(B) “Business Purpose” shall have the meaning ascribed to it in the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) and its implementing regulations (collectively, the “CCPA”).
(C) “Controller” means the entity that determines the purposes and means of the Processing of Personal Information, and includes equivalent terms such as a “business” as defined under Data Protection Law.
(D) “Data Protection Law” means all applicable U.S. laws currently in effect and as they become effective relating to the privacy and security of Personal Information.
(E) “Data Subject” means an identified or identifiable natural person to whom the Personal Information pertains, including equivalent terms such as “consumer” under Data Protection Law.
(F) “Deidentified” shall have the meaning ascribed to it under Data Protection Law.
(G) “Information Security Incident” means a breach of security leading to the unauthorized or unlawful access to or loss, use, disclosure, alteration, destruction, acquisition or Processing of unencrypted or unredacted Personal Information. An inadvertent disclosure of Personal Information by Employee Navigator to another person or entity, where such recipient is contractually bound by confidentiality and data protection obligations substantially similar to those set forth herein, shall not be deemed an Information Security Incident.
(H) “Instructions” means this Addendum and any further written agreement through which a Controller or Processor instructs a Processor or Sub-Processor to Process Personal Information.
(I) “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could be linked, directly or indirectly, with a particular individual or household, that is provided or made accessible to Employee Navigator by or at the direction of Company or an Authorized User.
(J) “Process” (and its derivatives) means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(K) “Processor” is any person or entity that Processes Personal Information on behalf of a Controller, and includes equivalent terms such as a “service provider” as defined under applicable Data Protection Law.
(L) “Sell” and “Share” (and their derivatives) shall have the meaning ascribed to them in Data Protection Law.
(M) “Sub-Processor” means any entity engaged by a Processor (or further Sub-Processor) to Process Personal Information.
SCHEDULE 1
DESCRIPTION OF PROCESSING
Data Subjects
Categories of Data Subjects whose Personal Information the Processing concerns:
- Authorized Users, Client’s former employees (including COBRA participants), dependents, beneficiaries and emergency contacts of employees/former employees, and any other individuals whose Personal Information is provided to Employee Navigator by or at the direction of Company or an Authorized User in connection with the Services.
Categories of Personal Information
Categories of Personal Information Processed:
- Identity data: e.g., full name, date of birth, gender, Social Security number / national ID, employee ID
- Contact data: e.g., home address, personal and work email, phone numbers
- Employment data: e.g., job title, department, hire date, termination date, employment status (full/part-time), work location, salary/compensation, hours worked
- Benefits enrollment data: e.g., plan selections (medical, dental, vision, life, disability), plan IDs, coverage tiers, enrollment elections, beneficiary designations
- Dependent data: e.g., dependent names, dates of birth, SSNs, relationship to employee
- Financial/payroll data: e.g., bank account details for deductions, payroll deduction amounts, salary for benefits calculations, flexible spending/HSA contributions
- Account/technical data: e.g., login credentials, IP address, device/session data, audit logs, usage activity
- Government/compliance data: e.g., ACA reporting data, citizenship/work authorization status where relevant, tax withholding info
- Health/Medical information (PHI): e.g., medical/clinical information required for medical enrollment or underwriting purposes
- Cookies and browsing behavior: e.g., cookie information, browsing/navigation activity
- Any other information that is provided to Employee Navigator by or at the direction of Company or an Authorized User in connection with the Services
Nature of the Processing
- Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, access, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose(s) and duration of the Processing
The Processing is made for the following Purposes:
- The Personal Information will be transferred to and Processed by Employee Navigator to perform the Services under the Agreement.
To the extent the CCPA applies, Employee Navigator Processes Personal Information on behalf of Company for the following Business Purposes under the Agreement:
1. Helping to ensure security and integrity, to the extent the use of Personal Information is reasonably necessary and proportionate for these purposes.
2. Debugging to identify and repair errors that impair existing intended functionality.
3. Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of an individual’s current interaction with Company and/or Authorized Users, provided that the individual’s Personal Information is not disclosed to another third party and is not used to build a profile about the individual or otherwise alter the individual’s experience outside the current interaction with Company and/or Authorized Users.
4. Performing services on behalf of Company and/or Authorized Users, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of Company and/or Authorized Users.
5. Providing advertising and marketing services, except for cross-context behavioral advertising, to an individual provided that, for the purpose of advertising and marketing, Employee Navigator shall not combine the Personal Information of opted-out individuals that Employee Navigator receives from, or on behalf of, Company with personal information that Employee Navigator receives from, or on behalf of, another person or persons or collects from Employee Navigator’s own interaction with individuals.
6. Undertaking internal research for technological development and demonstration.
7. Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by Company, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by Company.
- The duration of the Processing is equal to the duration of the Agreement, or until otherwise instructed by Company.