EverCompliant Inc., G2 Web Services Inc., and G2RS Inc.

Data Privacy Framework (“DPF”) Program Notice

Effective: January 16, 2026

This DPF notice (“Notice”) governs EverCompliant Inc., G2 Web Services Inc., and G2RS Inc (collectively, “we”, “us” or“our”) participation in the EU-U.S. DPF, UK-DPF extension to the EU-U.S. DP,F and the Swiss U.S. DPF programs with respect to the Processing of Personal Data, as further explained in Section 1 below. If there is any conflict between the terms in this Notice and the DPF principles, the DPF principles shall govern. To learn more about the DPF and its principles, please visit https://www.dataprivacyframework.gov.


“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Process”, “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1. Scope

Our participation in the DPF applies to Personal Data that is subject to the EU, UK and Swiss data protection laws that we receive in the context of the provision of our Services (as defined below) including, from customers, our affiliates or other third parties.

2. Purposes of data processing

We comply with the principles of the EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S.
DPF regarding the collection, use, and retention of Personal Data transferred to the United States from the European Union, the United Kingdom, and Switzerland. Our DPF program covers transfers of Personal Data in the following cases: (i) to discuss or execute contracts, (ii) to offer and provide our Services, to provide support for customer operations, to provide maintenance (including proactive and preventative actions) and to correct and address technical or service problems; (iii) for us to communicate with our customers; (vi) to assist in or to perform research, (v) for administrative purposes; (vi) to comply with applicable laws, regulations and orders from public authorities or courts and/or for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of- court procedures; and/or (vii) to comply with other documented reasonable instructions provided by our customers (the “Services”). The categories of Personal Data collected and processed by us include, without limitation, merchant details, URL, customer contact information, login details for our platform, and IP address. We have certified to the DoC that it adheres to the DPF Principles, and our DPF certification isavailable here.

3. Onward transfers of personal data

3.1. We will not transfer Personal Data originating in the EU, UK and/or Switzerland to third parties
unless such third parties have entered into an agreement in writing with us requiring them to provide
at least the same level of protection to the Personal Data as required by the Principles of the EU
U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. We may transfer Personal
Data to processors, service providers, vendors, contractors, partners, third party integrations and
agents (collectively “Processors”) who need the information in order to provide services to or
perform activities on our behalf. We are responsible for such onward transfers to third pursuant to
the EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. In cases of onward
transfer to third parties of Personal Data received pursuant to the EU-U.S. DPF, UK Extension to
the EU-U.S. DPF and the Swiss-U.S. DPF, we are potentially liable.

The above mentioned Processors and the description of the services that they provide and/or the
activities that they perform are set out in the table below:

3.2. To the extent necessary, with regulators, courts or competent authorities, to comply with applicable
laws, regulations and rules (including, without limitation, federal, state or local laws), and requests
of law enforcement, regulatory and other public or governmental agencies, or if required to do so by
court order (including to meet national security or law enforcement requirement);

3.3. In addition, we may disclose or allow government and law enforcement officials access to Personal
Data, in response to a subpoena, search warrant, or court order (or similar requirement), or in
compliance with applicable laws and regulations, and/or if We believe in good faith that this will
help protect the rights, property or personal safety of us, any of our partners, customers (including,
their administrators and/or users), or any member of the general public;

3.4. We may share your Personal Data internally within our group of companies, when they have
a need to know;

3.5. If, in the future, we sell or transfer, or we consider selling or transferring, some or all of our business,
shares or assets to a third party, we will disclose your Personal Data to such third party (whether actual or potential) in connection with the foregoing events;

3.6. In the event that we are acquired by, or merged with, a third party entity, or in the event of bankruptcy or a comparable event, we reserve the right to transfer, disclose or assign your Personal Data in connection with the foregoing events, including, in connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or aportion of our business by or to another company; and/or

4. Data subject rights

You have the right to access Personal Data about you, and in some cases you are also allowed to correct,
amend, or delete that Personal Data where it is inaccurate, or has been processed in violation of the DPF
principles. In addition, you have the opportunity to choose (opt out) whether our Personal Data is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s)
for which it was originally collected or subsequently authorized by the individuals. You can submit your request to: privacy@everc.com or legal@g2risksolutions.com and provide your name, contact information and observe the required formalities under applicable law.

Please be aware that in specific situations where fulfilling access or other requests might impose a
disproportionate burden or expense, or potentially infringe upon the rights of others, we may be required
to carefully review and, if permissible under applicable law, respectfully decline your request.

5. Independent recourse mechanism, arbitration

In compliance with the DPF principles, we are committed to resolve complaints about our collection
or use of your Personal Data. EU, UK and Swiss individuals with inquiries or complaints regarding
our DPF policy should first contact us at: privacy@everc.com or legal@g2risksolutions.com or by
postal mail sent to:

G2 Web Services
Attn: DPF Inquiry
25 Wall Street, 10th Floor, Suite 1022
NY, NY 10004

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, we commit to referring unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, a non-profit alternative dispute resolution provider located in the United States, to assistwith the complaint resolution process. If you do not receive a timely acknowledgment of your complaint or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information and to file a complaint. The services of JAMS are provided at no cost to you.

Under certain conditions, more fully described on the DPF website (available here), you may also be able to invoke binding arbitration to determine whether a participating organization has violated its obligations under the DPF principles as to that individual and whether any such violation remains fully or partially unremedied (“residual claims”) after you approached us and you used the independent recourse mechanism. The International Centre for Dispute Resolution-American Arbitration Association (“ICDR-AAA”) was selected by the U.S. Department of Commerce to administer arbitrations pursuant to and manage the arbitral fund. Please visit ICDR-AAA’s website for more information.

6. Federal Trade Commission enforcement

We are subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”) to ensure compliance with the EU-US DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF outlined in this
DPF Notice.

7. Arbitration

Under certain conditions, more fully described on the DPF website (available here), you may also
be able to invoke binding arbitration to determine whether a participating organization has
violated its obligations under the DPF principles as to that individual and whether any such
violation remains fully or partially unremedied (“residual claims”) after you approached us and
you used the independent recourse mechanism. The International Centre for Dispute Resolution
American Arbitration Association (“ICDR-AAA”) was selected by the U.S. Department of
Commerce to administer arbitrations pursuant to and manage the arbitral fund. Please visit ICDR
AAA’s website for more information.