April 28, 2023 We comply with both the EU and the UK GDPR and the UK Data Protection Act (DPA) as applicable to the size of our organization and the nature of our business. As more fully set forth in SI’s EU GDPR Data Privacy Notice, both our client (“Controller”) and SI have their respective compliance obligations under the GDPR. SI process Personal Data (as defined by the GDPR) concerning Data Subjects (as defined by the GDPR) for the necessary time, nature, and purpose to fulfill its obligations as provided in a written agreement between Controller and SI. At any time during which SI processes Controller’s Personal Data of natural persons located in the European Economic Area (EEA), SI will: (A) process the Personal Data only in accordance with the documented (i.e., written) instructions of Controller, as set forth in any written agreement between Controller and SI (unless required by law to act without such instructions); (B) ensure that persons authorized to process the Personal Data on behalf of SI have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (C) take all measures to protect the security of processing all Personal Data that is required pursuant to Article 32 of the GDPR; (D) wherever feasible by taking into account the nature of SI’s processing of Personal Data, assist Controller by appropriate technical and organizational measures, to fulfill Controller’s obligation to respond to requests for exercising the Data Subject’s rights as provided in Chapter III (Articles 15 through 22) of the GDPR; (E) assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the purpose of the written agreement between Controller and SI; (F) at the choice of Controller, delete or return all Personal Data to Controller after the end of the provision of services relating to the processing, and delete existing copies unless union or member state law requires storage of the personal data; (G) to the extent that SI engages a sub-processor, it will only do so with the prior consent of Controller and a written contract that complies with all necessary obligations under the GDPR; (H) make available to Controller all information necessary to demonstrate compliance with the obligations set forth under Article 28 of the GDPR; and (I) allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller. The UK-GDPR is significantly derived from the EU’s GDPR and generally the terms and core concepts used in the UK-GDPR have the same meaning as they do in the EU’s GDPR. As more fully set forth in SI’s UK-GDPR and DPA Data Privacy Notice, the Controller and SI are required to comply with their respective obligations as provided in the (1) Data Protection Act (DPA) of 2018 to implement the EU’s GDPR into United Kingdom (UK) law; and (2) the UK-GDPR that took effect on January 31, 2020, which alongside the DPA governs all processing of personal data from individuals located inside the UK. With regard to the transfer of data, SI relies on standard contractual clauses promulgated by the European Commission, and additionally abides by the EU-US Privacy Shield and the Swiss-U.S. Privacy Shield Framework (collectively “Privacy Shield”) when transferring Personal Data of Data Subjects, as more fully set forth in SI’s EU-U.S. and Swiss-U.S. Privacy Shield Policy. (SI’s certification to the U.S. Department of Commerce, which administers the Privacy Shield program is current and in good standing.) SI continually monitors the above-references laws and related regulations for changes requiring SI to revise its compliance procedures and privacy protection practices.