CCPA/CPRA Compliance Addendum

Last updated: September 2025

This CCPA/CPRA Addendum (“Addendum”) is incorporated into the MSA between AI Headcount, LLC (“Provider”) and [Client Legal Name] (“Client”) and applies whenever Provider processes California Personal Information (as defined below) on behalf of Client.

Provider and Client agree to maintain consistent global data protection obligations aligned with Exhibit D (GDPR Addendum).

1. Definitions

California Personal Information or CPI: “Personal Information” as defined in Cal. Civ. Code § 1798.140(v) (CCPA/CPRA) that Provider processes on behalf of Client.

Business Purpose: Use of CPI solely to perform Services under the MSA, SOW, or Order Form.

Sale/Share: “Sale” or “sharing” as defined in CCPA/CPRA § 1798.140(ad), (ah).

2. Service Provider Obligations (Cal. Civ. Code § 1798.140(ag))

Provider certifies it:

Processes CPI only for Business Purposes and as otherwise instructed in writing by Client.

Does not: sell or share CPI; retain, use, or disclose CPI outside the direct business relationship; combine CPI with data received from other sources except as expressly permitted by CCPA § 1798.100(d).

Implements and maintains reasonable security procedures (per Exhibit D Annex I and ISO 27001-aligned controls).

Notifies Client promptly (max 48 hours) after determining it can no longer meet these obligations.

3. Consumer Rights Pass-Through

Right: Provider Action

Access / Portability: Within 45 days (extendable once by 45 days), Provider will provide Client with CPI in a portable, readily usable format.

Deletion: Delete CPI within 30 days of verified request unless retention required by law or for internal uses permitted under CCPA § 1798.105(d).

Correction: Correct inaccurate CPI within 30 days of verified request.

Opt-Out of Sale/Share: Provider does not sell or share CPI; no action required. If future sharing is contemplated, Provider will give Client 30-day prior notice and implement opt-out mechanism.

Limit Use of Sensitive PI: Provider uses CPI only for Business Purposes; no further notice required.

Cost: Client reimburses Provider’s reasonable costs for > 2 requests per 12-month period per consumer.

4. Verification & Flow-Down

Client is responsible for verifying consumer identity before forwarding requests. Provider may require written confirmation that Client has done so.

Provider will flow down equivalent CCPA obligations to sub-processors (AWS, OpenAI, SendGrid, etc.).

5. Audits & Metrics (CPRA § 1798.130(a)(6))

Requirement: Frequency/Trigger

Metrics Report (requests received, compliance timing, mean processing days): Annually or upon reasonable request

Audit: Max 1 per year, 30-day notice, at Client cost, under MNDA

6. Conflict

In case of conflict between this Addendum and the MSA/DPA, this Addendum controls for California residents’ data.

7. Governing Law

California law (without regard to conflicts). Venue: state/federal courts in San Francisco County, CA.