Industries

  • Business and Professional Services
  • Due Diligence Investigation Services

Participation

EU-U.S. Privacy Shield Framework: Active

Original Certification Date: 8/12/2016
Next Certification Due Date: 9/22/2018
Data Collected: NON-HR

Purpose of Data Collection

ESR gathers personal information regarding individuals who have unambiguously consented in writing, on behalf of its clients, by manually or electronically contacting the appropriate sources of the data (court records, references, licensing bureaus, etc.), including but not limited to:

  • Criminal history at the international, federal, state and county levels
  • Verification of credentials, including education and licensure
  • State motor vehicle records abstracts
  • Consumer credit reports
  • Verification of present and past employment
  • Personal and professional references
  • National and international sanctions and exclusions database checks
  • Sex offender registry checks
  • Drug and occupational health screening

Privacy Policy

Non-HR Data

Description:

EU-U.S. PRIVACY SHIELD PROGRAM OVERVIEW

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 12, the European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law (see the adequacy determination). The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join the Privacy Shield Framework in order to benefit from the adequacy determination. While joining the Privacy Shield Framework is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, that commitment becomes enforceable under U.S. law. The U.S.-EU Privacy Shield Framework is set forth in a set of 7 privacy principles, 16 supplemental principles, binding arbitration requirements, and explanatory and enforcement letters from the Secretary of Commerce, the International Trade Administration, the Federal Trade Commission, the Department of Transportation, the Department of State, the Director of National Intelligence, and the Department of Justice.

All of the above documents can be found and viewed at these websites:

  • https://www.privacyshield.gov/welcome
  • https://www.privacyshield.gov/EU-US-Framework
  • https://www.privacyshield.gov/Program-Overview

ESR POLICY

This Privacy Shield Policy (“Policy”) applies to personal information about an identified or identifiable person that is received by ESR from the European Union, and to other personally identifiable information (“PII”) that ESR acquires in the performance of services for its clients or for other third parties with whom ESR has contractually agreed to apply this privacy policy. This Policy does not apply to data collected and used by ESR which is within the scope of the Directive.

Definitions:

a. “Personal data”, “personal information”, and “EU-PII” refer to data about an identified or identifiable individual that are within the scope of the Directive, received by ESR in the United States from the European Union, and recorded in any form.
b. “Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
c. “Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
d. “Department” means the U.S. Department of Commerce.

Provisions of ESR U.S.-EU Privacy Shield Policy

1. NOTICE

a. ESR is a voluntary participant in the U.S.-EU Privacy Shield Framework and self-certifies according to the requirements of the program. You can find Privacy Shield Framework participants at https://www.privacyshield.gov/PS-Application

b. ESR gathers personal information regarding individuals who have unambiguously consented in writing, on behalf of its clients, by manually or electronically contacting the appropriate sources of the data (court records, references, licensing bureaus, etc.), including but not limited to:

  • Criminal history at the federal, state and county levels
  • Verification of credentials, including education and licensure
  • State motor vehicle records abstracts
  • Consumer credit reports
  • Verification of present and past employment
  • Personal and professional references
  • National and international sanctions and exclusions database checks
  • Sex offender registry checks
  • Drug and occupational health screening

More information regarding the nature and scope of consumer data inquiries is available by contacting ESR in writing or by e-mail at the addresses listed on the Contact Us page, or by writing to the contacts listed below.

c. ESR is unequivocally committed to applying the U.S.-EU Privacy Shield Framework requirements in their entirety to all EU-PII received from the EU in reliance on the Privacy Shield. ESR verifies its adherence to the U.S.-EU Privacy Shield Framework through ongoing in-house verification of the internal policies and procedures implemented by ESR’s management.

d. ESR collects and uses EU-PII to prepare and provide background check reports to employers or their agents (such as recruiters or staffing firms) for use in making employment-related decisions, such as whom to hire, retain, promote, or re-assign. These reports may at times be used for investigation into a suspicion of work-related misconduct or wrongdoing, investigation into matters of employee compliance with employer policies, or investigation into matters of employee compliance with Federal, State, or local laws and regulations.

e. Persons who would like to make any type of inquiry about the Policy or to register a complaint under it may contact ESR as follows:

  Employment Screening Resources
  Attention: Brad Landin, President and Chief Compliance Officer
  United States Telephone: +1-415-760-9018
  Email: privacy@esrcheck.com

f. With respect to the transfer of EU-PII to third parties (other than ESR agents), the principles of “Notice” and “Choice” apply. Accordingly, EU-PII is only provided to third parties for purposes described in the “Notice” section or otherwise disclosed to consumers, and will not be disseminated to a third party where a consumer has “opted out” or, in the case of sensitive information, has failed to “opt in.”

g. A person may request, in writing, access to all EU-PII collected and maintained about him or her by ESR. Upon receipt of such a request ESR will provide all such information in a manner and form that maintains the security and confidentiality of the information. ESR affords the person a reasonable opportunity to correct, amend, or delete information that is inaccurate or incomplete, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated. In cases where the information is subject to the FCRA, ESR complies with the FCRA’s requirements regarding the access and correction rights of consumers. To request information relating to his or her EU-PII, the party may contact ESR by e-mail at Privacy@esrcheck.net or by fax at +1-678-623-3274. In addition, the consumer will be asked to provide sufficient evidence of his or her identity so that we may ensure that information is released only to the subject of the data. If we are unable to provide the consumer with access to his or her EU Personal Data or to correct the data, we will notify the consumer and provide all relevant details and circumstances preventing ESR from doing so.

h. ESR offers individuals the opportunity to choose to “opt out” or to “opt in” to whether their EU Personal Data will be disclosed to a third party (not including ESR agents). These options are detailed in section 2, Choice, of this Policy.

i. ESR is committed to resolving complaints about privacy and our collection or use of personal information fairly and efficiently. Individuals should begin by first contacting ESR. For any unresolved privacy complaints, ESR has chosen the EU Data Protection Authorities (EU DPAs) to serve as the independent dispute resolution body to address complaints and provide appropriate recourse free of charge to the individual. ESR has agreed to participate fully in the EU DPAs’ procedures to resolve disputes pursuant to the Privacy Shield Framework.

j. ESR is subject to the investigatory and enforcement powers of the federal Consumer Financial Protection Bureau (CFPB) and the Federal Trade Commission (FTC), and to the California Investigative Consumer Reporting Agencies Act (ICRAA) and the California Consumer Credit Reporting Agencies Act (CCRAA).

k. An individual may invoke binding arbitration as the method for dispute resolution in accordance with the requirements and procedures set forth in Annex I of the Privacy Shield Framework.

l. ESR is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

m. In the context of an onward transfer, ESR has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. ESR remains liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless ESR proves that it is not responsible for the event giving rise to the damage.

n. ESR will provide a link to this notice when individuals are first asked to provide personal information to ESR, or as soon thereafter as is practicable, but in any event before ESR uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization, or discloses it for the first time to a third party.

2. CHOICE

a. ESR offers individuals the opportunity to opt out of whether their personal information is:

  i. to be disclosed to a third party, or
  ii. to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual.

  1. Any third party ESR uses as an agent to perform task(s) on behalf of and under the instructions of ESR is contractually bound to treat the information in a manner consistent with the Principles.
  2. In accordance with ESR’s Written Information Security Policy, EU-PII is never used for a purpose other than the one for which it was originally collected and approved by the written consent of the subject person.

  iii. OPTING OUT

  1. Although ESR first obtains a person’s unambiguous consent in writing, and because of ESR’s commitment to afford individuals every possible protection, if you would like to opt out of ESR using your EU-PII in either of the cases outlined in items i. and ii. above, simply send an email to privacyshieldopt-out@earcheck.com, or call by United States Telephone: +1-415-760-9018.

  a. If opting out by email or telephone, please provide us with:
    i. your complete legal name,
    ii. your month and year of birth, and
    iii. the name of the ESR client with whom you have applied for a position.

3. ACCOUNTABILITY FOR ONWARD TRANSFER

a. When ESR transfers personal information to a third party acting as a controller, the third party must comply with the Notice and Choice Principles. ESR holds contracts with third-party controllers that provide that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual, that the recipient will provide the same level of protection as the Principles, and that it will notify ESR if it makes a determination that it can no longer meet this obligation. The contract provides that when such a determination is made the third-party controller will cease processing or take other reasonable and appropriate steps to remediate.

b. When transferring EU-PII to a third party acting as its agent, ESR: (i) transfers such data only for limited and specified purposes; (ii) has ascertained that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) takes reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with ESR’s obligations under the Principles; (iv) requires the agent to notify ESR if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), takes reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) will provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.

4. SECURITY

ESR, in creating, maintaining, using and/or disseminating EU-PII, takes reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the personal data. To this end ESR undergoes annual SSAE 16 Service Organization Control (SOC) 2 audits. A SOC report is an audit of a service organization by an outside CPA firm using stringent criteria set by the American Institute of Certified Public Accountants (AICPA). This in-depth audit assesses ESR’s internal controls across areas related to the delivery of its services; the SOC 2 report specifically assesses security controls. ESR’s annual SSAE 16 SOC 2 audit report examines the trust services principles of Security, Privacy, and Confidentiality. In addition, ESR is PCI DSS compliant and tested, and is accredited by the National Association of Professional Background Screeners Background Screening Credentialing Council.

5. DATA INTEGRITY AND PURPOSE LIMITATION

a. Consistent with the Principles, ESR’s use of EU-PII is limited to the information that is relevant for the purposes of processing. ESR does not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, ESR takes reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current. ESR adheres to the Principles for as long as it retains such information.

b. ESR retains information in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing within the meaning of 5a, or as required by law or regulation. ESR takes reasonable and appropriate measures to comply with this provision.

6. ACCESS

a. Individuals have access to their personal information held by ESR and are able to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. Individuals may contact ESR using the contact information set forth in section 1.e. of this Policy.

7. RECOURSE, ENFORCEMENT AND LIABILITY

a. ESR’s privacy protection includes robust mechanisms for assuring compliance with the Principles and recourse for individuals who are affected by non-compliance with the Principles, and ESR acknowledges that there are consequences for ESR when the Principles are not followed. ESR’s mechanisms include:

  i. The EU Data Protection Authorities (EU DPAs) serve as the independent dispute resolution body to address complaints and provide appropriate recourse free of charge to the individual. ESR has agreed to participate fully in the EU DPAs’ procedures to resolve disputes pursuant to the Privacy Shield Framework, and is subject to damages awarded where the applicable law or private-sector initiatives so provide;
  ii. Obtaining a copy of ESR’s annual SOC 2 Type 2 audit report is the procedure for verifying that the attestations and assertions ESR makes about its privacy practices are true and that its privacy practices have been implemented as presented, including any areas of non-compliance; and
  iii. ESR, by announcing its adherence to the Principles, acknowledges its obligation to remedy problems arising out of failure to comply with them, realizes that there are consequences for failure to comply, and acknowledges that any sanctions levied will be sufficiently rigorous to ensure its future compliance.

b. ESR will respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. ESR will respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. ESR, as an organization that processes human resources data, has chosen to cooperate with the DPAs, and will respond directly to such authorities with regard to the investigation and resolution of complaints.

c. ESR acknowledges its obligation to arbitrate claims and follow the terms set forth in Annex I, provided that an individual has invoked binding arbitration by delivering notice to ESR and following the procedures, and subject to the conditions, set forth in Annex I.

d. In the context of an onward transfer, ESR is responsible for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. ESR acknowledges that it is liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless ESR proves that it is not responsible for the event giving rise to the damage.

e. Should ESR become subject to an FTC or court order based on non-compliance, ESR will make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements. ESR acknowledges that the Department has established a dedicated point of contact for DPAs for any problems of compliance by Privacy Shield organizations, that the FTC will give priority consideration to referrals of non-compliance with the Principles from the Department and EU Member State authorities, and that the FTC will exchange information regarding referrals with the referring state authorities on a timely basis, subject to existing confidentiality restrictions.

Effective Date: 8/1/2016

Verification Method

Self-Assessment

Dispute Resolution

Questions or Complaints?

If you have a question or complaint regarding the covered data, please contact Integrity Support Services, Inc. at:

Bradley Landin
President
Integrity Support Services, Inc.
7110 Redwood Blvd., Ste. C
Novato, California 94945

Privacy Shield organizations must respond within 45 days of receiving a complaint.

If you have not received a timely or satisfactory response from Integrity Support Services, Inc. to your question or complaint, please contact the independent recourse mechanism listed below.


NON-HR RECOURSE MECHANISM

Appropriate statutory body with jurisdiction to investigate any claims against Integrity Support Services, Inc. regarding possible unfair or deceptive practices and violations of laws or regulations covering privacy: Federal Trade Commission