GC AI Information Security Addendum
1.0
General Counsel AI, Inc. (“GC AI”) maintains a commercially reasonable information security program with technical and organizational measures designed to protect User Data from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. This Information Security Addendum (“Security Addendum”) details GC AI’s security program and forms part of the GC AI Services Agreement or other mutually executed agreement governing Customer’s use of the Services (“Agreement”). Capitalized terms not defined herein have the meanings in the Agreement and/or DPA.
1. Security Program
1.1 SOC 2 Type 2 Certification. GC AI maintains SOC 2 Type 2 certification and will complete annual audits throughout the Subscription Term. GC AI makes available a summary of its then-current certifications and audit reports at https://trust.gc.ai/ (the “GC AI Trust Center”). Such reports are GC AI’s Confidential Information.
1.2 Security Governance. GC AI meets regularly to review security risks, threats, and remediation actions. All security and privacy policies are documented, reviewed, and approved by management at least annually.
1.3 Incident Response. GC AI maintains policies and procedures to investigate, classify, and respond to security incidents, including defined remediation steps and evidence collection procedures.
1.4 Security Incident Notification. Upon becoming aware of a reasonably suspected Security Incident involving Customer Data, GC AI will promptly investigate to determine whether a Security Incident has occurred. GC AI will notify Customer without undue delay after confirming a Security Incident. GC AI will make reasonable efforts to identify the cause of the Security Incident, mitigate the effects, and remediate the cause to the extent within GC AI’s reasonable control, and provide timely information as it becomes available. GC AI’s notification of a Security Incident is not an acknowledgment of fault or liability.
2. Personnel Security
2.1 Background Screening and Training. Employees with access to Customer Data undergo background screening (as permitted by law), are bound by confidentiality obligations, and receive security awareness training upon hire and annually thereafter.
2.2 Confidentiality Obligations. Employees and contractors who have access to Customer Data shall be subject to a binding contractual obligation with GC AI to keep the Customer Data confidential.
2.3 Code of Conduct. GC AI shall maintain a code of conduct and business ethics policy requiring ethical behavior and compliance with applicable laws and regulations.
3. Physical and Data Center Security. GC AI’s systems are protected by measures designed to control logical and physical access. GC AI leverages third-party data centers, and Customer Data is hosted from the United States.
4. Platform Security
4.1 Platform Security. GC AI maintains a secure software development life cycle (SDLC) policy aligned with industry practices such as OWASP Top 10. GC AI conducts vulnerability scans and annual third-party penetration testing. Upon Customer’s written request (no more than once annually), and subject to NDA, GC AI will provide an executive summary of the most recent penetration test.
4.2 Secure Development. Product management, development, test and deployment teams are required to follow secure application development policies and procedures that are aligned to industry-standard practices, such as OWASP Top 10.
4.3 Vulnerability Assessment. GC AI shall conduct risk assessments, vulnerability scans and audits (including third-party penetration testing of a representative instance of the Services at least annually). Identified product solution issues shall be scored using the Common Vulnerability Scoring System (CVSS) risk-scoring methodology based on risk impact level and the likelihood and potential consequences of an issue occurring. Vulnerabilities are remediated on the basis of assessed risk. GC AI shall make available to Customer an executive summary of the most recent third-party penetration test through the GC AI Trust Center. Such summary is GC AI’s Confidential Information.
5. Operational Security
5.1 Malware. As of the date of the Agreement, the Services contain no time bombs, Trojan horses, root kits, worms, spyware, ransomware, viruses, or other malicious code (“Malware”) known to GC AI. GC AI shall implement security monitoring on production systems, including measures designed to detect and remediate Malware. During the Subscription Term, GC AI will exercise reasonable care to ensure that GC AI-managed code used to provide the Platform is scanned daily with a current, supported, and updated version of a commercially available technology product intended to detect Malware.
5.2 Encryption. GC AI shall implement encryption designed to protect Customer Data in transit and at rest using industry-standard cryptographic algorithms. Customer Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption. All laptops and other removable media, including backups, on which Customer Data is stored shall be encrypted.
5.3 Business Continuity and Disaster Recovery (BCDR). GC AI shall maintain formal BCDR plans designed to ensure GC AI’s systems and services remain resilient in the event of a failure, including natural disasters or system failures, and such plans shall be reviewed, updated, and approved by management at least annually.
5.4 Data Backups. GC AI shall backup Customer Data and systems using secure cloud platforms with data replication for redundancy and disaster recovery. All backups shall use industry-standard encryption methods to protect backups in transit and at rest.
5.5 Change Management. GC AI shall maintain change management policies and procedures to plan, test, schedule, communicate, and execute changes to the infrastructure, systems, networks, and applications applicable to the Services.
5.6 Data Segregation. GC AI shall store Customer Data in a logically segregated manner, including logical separation, access controls and encryption, designed to segregate Customer Data from data of other GC AI customers in the Services and prevent Customer Data from being accessible to other users of the Services outside Customer’s organization.
6. Security Assessments. GC AI conducts regular internal security assessments and engages independent third-party auditors for annual assessments reflected in its SOC 2 Type 2 report. Customer may review GC AI’s security posture through documentation available through the GC AI Trust Center. Customer shall not conduct penetration tests or vulnerability scans of the Services without GC AI’s prior written consent.
7. Audit Rights. GC AI’s SOC 2 Type 2 report, penetration test summaries, and Trust Center documentation are intended to satisfy Customer’s reasonable audit and security assessment needs. If Customer cannot reasonably verify GC AI’s compliance with the DPA through those materials, GC AI will provide written responses to reasonable requests for information in accordance with the DPA. GC AI is not obligated to complete custom security questionnaires outside the scope required by the DPA or Applicable Data Protection Law, but may do so at its discretion, subject to reasonable fees for extensive requests.
8. Data Disposal. GC AI maintains procedures for secure disposal of media containing Customer Data using industry-standard sanitization methods. GC AI’s cloud infrastructure provider maintains its own secure disposal procedures.
9. Customer Responsibilities. Customer is responsible for maintaining the security of its account credentials, Customer’s Accounts, Customer Data, and systems used to access the Services, and for promptly notifying GC AI of any suspected credential compromise. GC AI is not liable for Security Incidents resulting from Customer’s compromised credentials or misconfiguration of the Services.