This Master Services Agreement (this "Agreement") is entered into between Jombone Inc., a Delaware corporation with its principal office at 3300 Dallas Pkwy, Suite 200, Plano, TX 75093, United States, and registered to carry on business across Canada with its Canadian headquarters at 2233 Argentia Road, Suite 302A, East Tower, Mississauga, ON L5N 2X7 ("Jombone"), and the customer identified in the applicable Order Form or the entity or individual accepting this Agreement ("Customer").

This Agreement governs Customer's access to and use of the Jombone Staffing Operations Platform (the "Platform"), including the web application, mobile applications, time-clock applications, APIs, and all related services, whether accessed on a free, trial, or paid subscription basis.

Effective Date. This Agreement takes effect on the earliest of: (i) the date Customer clicks "I Agree" or any equivalent acceptance mechanism; (ii) the date Customer or any of its authorized representatives executes an Order Form referencing this Agreement; or (iii) the date Customer first accesses or uses any part of the Platform, including any free tier or trial.

By accepting this Agreement, the individual accepting represents that they have authority to bind the Customer entity and its Affiliates. Direct competitors of Jombone are prohibited from accessing the Platform without Jombone's prior written consent. Where Customer is located in Canada outside the Province of Quebec, acceptance also constitutes acceptance of the Canadian provisions of Exhibit E.

Integrated Agreement. This Agreement consists of (i) this Main Master Services Agreement; (ii) Exhibit A — Data Processing Addendum; (iii) Exhibit B — Service Level Agreement; (iv) Exhibit C — Security and Architecture; (v) Exhibit D — Acceptable Use Policy; (vi) Exhibit E — Regional Provisions; (vii) Exhibit F — Worker and Candidate Platform Terms; (viii) Exhibit G — End-Client Access Terms; and (ix) the Jombone Privacy Policy located at www.jombone.com/privacy-policy. By accepting this Agreement, Customer accepts all components as a single integrated agreement.

1. Definitions

"Affiliate" means with respect to a party, any entity that directly or indirectly controls, is controlled by, or is under common control with that party, where "control" means ownership of more than fifty percent (50%) of the voting equity or the power to direct management and policies.

"Aggregated Statistics" means data derived from Customer's, Authorized Users', Workers', candidates', or End-Clients' use of the Platform that is: (i) aggregated with data from multiple Customers; (ii) de-identified such that no individual or Customer can be identified; and (iii) used for the purposes set out in Section 5.3.

"Applicable Law" means all federal, state, provincial, and local laws and regulations applicable to the parties' respective obligations under this Agreement, as determined by Customer Jurisdiction.

"AUP" means the Acceptable Use Policy set out in Exhibit D.

"Authorized User" means an individual (such as an employee or contractor of Customer) who is permitted by Customer to occupy a Seat and access the Platform under Customer's account.

"Billing Cycle" means the recurring monthly billing period anchored to the Subscription Start Date specified in the Order Form.

"Billing Cycle Days" means with respect to any Billing Cycle, the number of days from the prior billing date to the next billing date, used by Jombone's billing system to calculate proration.

"Buyout Amount" means the amount payable by Customer to exercise the Buyout Option under Section 12.3.

"Change of Control" means with respect to Customer: (i) a merger, consolidation, or reorganization with or into another entity; (ii) a sale, transfer, or disposition of all or substantially all of Customer's assets; (iii) a sale, transfer, or issuance of equity interests resulting in a change of more than fifty percent (50%) of the voting power or economic interest of Customer; (iv) a change in the composition of Customer's governing body such that the individuals constituting that body as of the Effective Date cease to constitute a majority; or (v) the dissolution, liquidation, or winding up of Customer's business.

"Co-Term" means the mechanism described in Section 3.4 by which Seats added during a Subscription Term expire on the same Subscription End Date as the original subscription.

"Competitor" means any entity that, directly or through an Affiliate, develops, markets, sells, or licenses applicant tracking, staffing operations, staffing-agency management, vendor management systems (VMS), or substantially similar software products that compete with the Platform. Jombone may, acting reasonably and in good faith, designate specific entities as Competitors by written notice from time to time.

"Customer Data" means all data, including Personal Data, submitted by or on behalf of Customer, its Authorized Users, End-Clients, or Workers to the Platform, as further addressed in the DPA. Customer Data does not include Aggregated Statistics.

"Customer Jurisdiction" means the country and, where applicable, province or state in which Customer is organized or primarily conducts business, as identified in the applicable Order Form or otherwise communicated to Jombone. The Province of Quebec is not a permitted Customer Jurisdiction.

"DPA" means the Data Processing Addendum set out in Exhibit A.

"Documentation" means Jombone's published user guides, knowledge-base articles, and API documentation, as made available at docs.jombone.com or as otherwise updated by Jombone.

"Enabled User" means an Authorized User whose account status in the Platform is "Enabled" (i.e., active and capable of logging in), excluding Jombone Internal Support Accounts and accounts disqualified from billing under Section 3.7(a).

"End-Client" means a customer or client of Customer that has been invited by Customer to access the Platform through an end-client login created and managed by Customer, as further governed by Exhibit G.

"Incidental Charges" means usage-based fees for ancillary Platform services, including eSign, Background Checks, and SMS/messaging, as further described in Section 3.13.

"Initial Term" means the subscription term specified in the applicable Order Form, commencing on the Subscription Start Date (typically twelve (12) months).

"Jombone Internal Support Account" means a user account created for Jombone personnel to administer, support, or troubleshoot Customer's instance, subject to Section 2.7.

"Licensed Seat Count" means the total number of Seats licensed by Customer at any given time under the Order Form, as may be increased during the Subscription Term in accordance with Section 3.4 or Section 3.7.

"Material Degradation" means a Platform modification by Jombone that: (i) removes or materially impairs a feature expressly listed in the Order Form; (ii) reduces measured Platform performance by more than twenty percent (20%); (iii) materially increases Customer's costs of using the Platform; or (iv) prevents Customer from using the Platform for its intended purpose. Routine product updates, security patches, user-interface refinements, deprecation of unused or beta features, changes to non-core features, and changes to third-party integrations not under Jombone's exclusive control do not constitute Material Degradation.

"Order Form" means the document executed (electronically or otherwise) by Customer and Jombone, or accepted by Customer through Platform sign-up flows, that specifies the services purchased, Initial Term, Subscription Start Date, Licensed Seat Count, per-Seat rate, Incidental Charge rates, and other commercial terms. An Order Form is incorporated into and forms part of this Agreement.

"Overage" means the condition described in Section 3.7 in which the number of Activated Enabled Users on the Platform exceeds the Licensed Seat Count.

"Permitted Assignment" means an assignment by Customer to an Affiliate or successor entity that satisfies the conditions of Section 13.3.

"Personal Data" means data subject to applicable Data Protection Laws, as defined in the DPA.

"Platform" means Jombone's cloud-based staffing operations platform, including modules for applicant tracking, candidate sourcing, AI matching and screening, onboarding, credentialing, scheduling and dispatch, time capture, learning management, workforce communication, payroll-data export, billing and invoicing, analytics, the Jombone web application, the Jombone candidate and supervisor mobile applications, the iPad/tablet time-clock application, and the related APIs.

"Renewal Term" means each successive term following the Initial Term, as described in Section 12.1.

"Seat" means a single license slot — not a named-user license — that entitles one Authorized User at a time to access the Platform during the Subscription Term, as described in Section 3.2.

"SLA" means the Service Level Agreement set out in Exhibit B.

"Slot Reassignment Right" means Customer's right under Sections 2.6 and 3.3 to deactivate an Authorized User and reassign the underlying Seat to a new Authorized User during the Subscription Term, at no additional charge.

"Subscription End Date" means the last day of the then-current Subscription Term.

"Subscription Start Date" means the date specified in the Order Form on which the Subscription Term commences. The Subscription Start Date also serves as the permanent Billing Cycle anchor under Section 3.10.

"Subscription Term" means collectively, the Initial Term and any then-current Renewal Term.

"Subprocessor" means any third-party service provider engaged by Jombone to process Customer Data in connection with the Platform, as further set out in the DPA. A current list is maintained at www.jombone.com/subprocessors.

"Triggering Event" means any event described in Section 3.15 that, subject to the terms of that Section, accelerates Customer's remaining fixed subscription fees.

"User Activation" means the moment at which an Enabled User first performs any of the following acts: (i) accepting an invitation email and authenticating into the Platform; (ii) completing a first login through any Platform interface (web, mobile, or time clock); (iii) initiating any Incidental Charge; or (iv) taking any other action within the Platform that requires authenticated access. Creation of an Enabled User account alone, without any of the foregoing acts, does not constitute User Activation.

"Worker" means an individual who accesses the Platform through any Worker-facing interface (candidate mobile application, candidate web portal, time-clock application, or similar) to seek work through, or perform work for, one or more Customers, as further governed by Exhibit F.

2. License and Access Rights

2.1 Grant of License. Subject to Customer's compliance with this Agreement (including payment of all fees, adherence to the Licensed Seat Count, and compliance with the AUP), Jombone grants Customer a non-exclusive, non-transferable, non-sublicensable, limited license during the Subscription Term to access and use the Platform solely for Customer's internal business purposes, up to the Licensed Seat Count specified in the Order Form.

2.2 Scope. The license permits Customer to: (a) access the Platform via supported web browsers and mobile applications; (b) use the features included in the subscription tier specified in the Order Form; and (c) permit Authorized Users to access the Platform under Customer's account, up to the Licensed Seat Count, provided Customer remains responsible for each Authorized User's compliance with this Agreement and the AUP.

2.3 Restrictions. Customer's use of the Platform is subject to the AUP set out in Exhibit D, which is incorporated by reference. Without limiting Exhibit D, Customer shall not, and shall not permit any Authorized User, Worker, or End-Client to:

• Sublicense, sell, lease, rent, distribute, or commercially exploit the Platform;

• Reverse-engineer, decompile, disassemble, or attempt to derive the source code, models, training data, weights, or architectures of the Platform, except as expressly permitted by Applicable Law;

• Modify, adapt, translate, or create derivative works of the Platform;

• Permit access to the Platform by more concurrent Authorized Users than the Licensed Seat Count, or otherwise circumvent the Seat-based licensing model (including by sharing login credentials across multiple individuals);

• Attempt to gain unauthorized access to the Platform, other Customer tenants, or any underlying systems;

• Monitor the Platform's performance for benchmarking, competitive analysis, or for the development of a competing product without Jombone's prior written consent;

• Use the Platform to develop, train, evaluate, or improve any artificial intelligence or machine-learning model that competes with the Platform or replicates Platform functionality (further restricted in Exhibit D);

• Use automated tools (including bots, scrapers, or robotic process automation) to extract data from the Platform beyond normal user-interface or API use; or

• Use the Platform to violate Applicable Law, including data protection, anti-spam, employment, anti-discrimination, and biometric privacy laws.

Material breach of this Section 2.3 or the AUP entitles Jombone, in addition to all other remedies, to suspend Customer's access to the Platform under Section 12.5 and to seek injunctive relief.

2.4 Usage Audit Rights. Jombone may audit Customer's use of the Platform to verify compliance with this Agreement, including the Licensed Seat Count, Incidental Charge usage, and AUP compliance. Audits will be conducted: (a) not more than once in any twelve (12)-month period (or more frequently if a prior audit revealed an Overage exceeding ten percent (10%) of the Licensed Seat Count); (b) upon at least ten (10) business days' written notice for remote audits, or twenty (20) business days' notice for on-site audits; (c) via automated reporting, written questionnaires, or, where reasonable, on-site review; and (d) during normal business hours with reasonable cooperation from Customer. If an audit reveals an Overage exceeding five percent (5%) of the Licensed Seat Count, Customer shall (i) immediately purchase additional Seats to cover the Overage, (ii) pay past Overage fees at Jombone's list per-Seat rate (notwithstanding any volume discount in the Order Form), and (iii) reimburse Jombone's reasonable audit costs, not to exceed ten thousand U.S. dollars ($10,000) for a remote audit or twenty-five thousand U.S. dollars ($25,000) for an on-site audit.

2.5 Geographic Restriction — Quebec. The Platform is not offered to, and may not be used by, any Customer whose Customer Jurisdiction is the Province of Quebec, Canada. Any entity in Quebec that accesses the Platform does so in violation of this Agreement, and Jombone reserves the right to immediately terminate such access without notice or refund. This restriction does not affect Canadian Customers outside Quebec whose individual employees or contractors may be temporarily located in Quebec.

2.6 Intellectual Property. Jombone retains all right, title, and interest in and to the Platform and all related intellectual property, including without limitation the Software, design, architecture, user interfaces, workflows, models, methodologies, algorithms, AI features, Aggregated Statistics, and improvements. Customer receives no ownership rights in the Platform, only the limited license described in this Section 2.

2.7 User Accounts; Seat Reassignment. Customer must create individual user accounts using valid email addresses and passwords for each Authorized User. Each individual user account is personal to the Authorized User to whom it is issued and must not be shared. A Seat, however, is a license slot — not a named-user license — and Customer may deactivate any Authorized User and reassign the underlying Seat to a new Authorized User at any time during the Subscription Term, at no additional charge and without modification to the Subscription Term, the Licensed Seat Count, or the Billing Cycle (the "Slot Reassignment Right"). Customer is responsible for maintaining the confidentiality of login credentials and for all activities conducted under accounts associated with its Seats.

2.8 Jombone Internal Support Accounts. Jombone may create and maintain one or more Jombone Internal Support Accounts within Customer's Platform instance for support, configuration, troubleshooting, customer success, and account administration. Jombone Internal Support Accounts: (a) do not count toward the Licensed Seat Count and are not billable; (b) require multi-factor authentication and are access-controlled in accordance with Jombone's security controls described in Exhibit C; (c) are limited to support, configuration, and incident-response purposes; (d) are logged in a manner accessible to Customer upon written request (subject to redaction of personal information of Jombone personnel and operational sensitivities); and (e) may be suspended by Customer, on written notice to Jombone, during a confirmed security incident, audit event, or where Customer reasonably believes such accounts are being misused, provided Customer notifies Jombone within twenty-four (24) hours of such suspension. The parties will cooperate in good faith to restore appropriate support access as soon as practicable after the incident is contained.

2.9 Sandbox Environment. Jombone may provide a temporary sandbox environment for testing during onboarding. The sandbox will be decommissioned within thirty (30) days of onboarding completion and all data therein will be securely deleted unless Customer requests transfer in writing within that period.

2.10 Updates and Modifications. Jombone may update or modify the Platform at its discretion to enhance functionality, security, performance, or compliance, including by adding, modifying, deprecating, or removing features. Routine updates do not require notice. Material Degradation requires ninety (90) days' prior written notice to Customer; in such case, if the Material Degradation substantially impairs Customer's intended use of the Platform, Customer's sole remedy is to terminate the affected Order Form within thirty (30) days of the modification effective date and receive a pro-rata refund of prepaid fees for the post-termination portion of the Subscription Term. Scheduled maintenance is governed by the SLA. End-of-life and version-support practices are governed by Section 14.

3. Subscription Model, Licensing, and Fees

3.1 Freemium Model. The Platform operates on a freemium model, offering limited features under a free tier and additional features via paid subscriptions, as detailed in the Order Form. Sections 3.2 through 3.16 apply to paid subscriptions; the free tier is provided "as is" and may be modified or discontinued by Jombone at any time without notice.

3.2 Seat License Model. The Platform is licensed on a per-Seat, annual subscription basis. When Customer subscribes, Customer purchases a fixed number of Seats (the Licensed Seat Count) for the Subscription Term at the per-Seat rate specified in the Order Form, invoiced monthly. The per-Seat rate is fixed at the time of Order Form signing and reflects volume- and term-based discounts agreed between the parties; the per-Seat rate applies to all Seats licensed during the Subscription Term, including additional Seats added under Section 3.4 (unless a Negotiated Mixed-Rate Arrangement is expressly agreed in writing under Section 3.9). All user roles on the Platform are billed at the same per-Seat rate within a given subscription plan, except as otherwise expressly set out in the Order Form.

3.3 Slot Reassignment. A Seat is a license slot and not a named-user license. Customer may deactivate any Authorized User and reassign the underlying Seat to a new Authorized User at any time during the Subscription Term, at no additional charge. Reassigning a Seat does not extend, restart, or otherwise modify the Subscription Term, the Licensed Seat Count, or the Billing Cycle.

3.4 Adding Seats During the Subscription Term; Co-Terming. Customer may purchase additional Seats at any time during the active Subscription Term. The following terms apply:

• Same Per-Seat Rate. Additional Seats are priced at the same per-Seat rate as Customer's original subscription, as agreed in the Order Form, reflecting the volume- and term-based discount applicable to the Subscription Term, unless a different rate is expressly agreed in writing under Section 3.9 (a "Negotiated Mixed-Rate Arrangement").

• Co-Terming. Additional Seats are co-termed to Customer's existing Subscription End Date; they do not commence a new term. Customer will be charged from the date of addition through to the Subscription End Date.

• Per-Seat Rate Lock. The per-Seat rate is fixed at deal signing for the entire Subscription Term and does not change mid-Subscription Term except by mutual written agreement.

• Effective Date. Additional Seats are effective on the date the Order Form (or written amendment) is executed and Jombone's billing system is updated.

3.5 Proration for Mid-Cycle Seat Additions. When additional Seats are added mid-Billing Cycle, a one-time prorated charge will be applied for the partial billing period from the date the Seats are added through to the next regular billing date, calculated as: Seats Added × Monthly Per-Seat Rate × (Days from Add Date to Next Billing Date ÷ Billing Cycle Days). The denominator is Billing Cycle Days, not the number of days in the applicable calendar month. From the next Billing Cycle, the additional Seats are included in Customer's regular monthly invoice at the full monthly per-Seat rate.

3.6 No Mid-Term Seat Reductions; Reduction at Renewal. Once purchased, Seats are non-cancellable and non-refundable during the active Subscription Term. The Licensed Seat Count is locked from the date of purchase (and, for additional Seats added under Section 3.4 or Section 3.7, from the date of addition) until the Subscription End Date. Deactivating Authorized Users does not reduce the Licensed Seat Count or the monthly subscription fee; Customer's remedy is the Slot Reassignment Right under Section 3.3. Customer may reduce the Licensed Seat Count effective on the first day of any Renewal Term by providing Jombone with written notice at least thirty (30) days prior to the then-current Subscription End Date. Absent such written notice, the Subscription Term will auto-renew at the same Licensed Seat Count then in effect in accordance with Section 12.1.

3.7 Overage and Grace Period; Activation Trigger. The following provisions govern situations in which the number of Activated Enabled Users on the Platform exceeds the Licensed Seat Count (an "Overage"):

(a) 48-Hour Grace Period for Pre-Activation Accounts. Creation of an Enabled User account alone does not constitute an Overage. An Enabled User created in excess of the Licensed Seat Count will not result in an Overage charge if the account is deactivated within forty-eight (48) hours of creation and has not undergone User Activation.

(b) Overage Triggered by User Activation. If, at any time, an Enabled User in excess of the Licensed Seat Count undergoes User Activation, that Enabled User shall, from the date of User Activation, count toward the Licensed Seat Count, and an Overage shall be deemed to have occurred.

(c) Overage Charge. On the occurrence of an Overage, Jombone may, in its discretion: (i) raise a one-time prorated charge in respect of the excess Seats for the applicable Billing Cycle, calculated in accordance with Section 3.5; and (ii) increase the Licensed Seat Count and Customer's ongoing monthly invoice to reflect the new total Seat count, effective from the next Billing Cycle. The applicable per-Seat rate for Overage Seats is the same per-Seat rate as Customer's then-current subscription.

(d) Notice. Jombone will provide Customer with written notice of any Overage adjustment within ten (10) business days of the adjustment. Customer's failure to dispute the adjustment in writing within thirty (30) days of such notice shall constitute Customer's acceptance of the adjustment.

(e) Seat Lock Following Overage. Customer remains liable for all charges arising from an Overage. Following an Overage adjustment under subsection (c), the increased Licensed Seat Count shall become part of Customer's locked Licensed Seat Count under Section 3.6 for the remainder of the Subscription Term.

3.8 No End-of-Term Proration. Because all Seats co-term to the same Subscription End Date and Billing Cycles are anchored to the Subscription Start Date, no proration is calculated at the end of the Subscription Term.

3.9 Negotiated Mixed-Rate Arrangements. Customer and Jombone may, by express written agreement in the Order Form or a written amendment, agree to a different per-Seat rate for a defined subset of additional Seats. Any such Negotiated Mixed-Rate Arrangement shall be administered by Jombone as a flat-fee plan adjustment in Jombone's billing system and shall not modify the per-Seat rate applicable to Customer's base Seats.

3.10 Billing Cycle Anchor; Invoicing. Customer's Billing Cycle is permanently anchored to the Subscription Start Date and does not change during the Subscription Term. Monthly invoices are issued on the same day of each month as agreed in the Order Form. Each invoice covers (a) the monthly subscription fee at the then-current Licensed Seat Count multiplied by the per-Seat rate; (b) any one-time prorated charge for Seats added during the prior Billing Cycle; and (c) Incidental Charges, billed in arrears.

3.11 Fees and Payment. Fees are specified in the Order Form. Unless otherwise stated, invoices are due on receipt. All fees for the Subscription Term are non-cancellable and non-refundable, regardless of actual usage, Customer's deactivation of Authorized Users, or early termination by Customer (other than payment of the Buyout Amount under Section 12.3). Late payments accrue interest at 1.5% per month or the maximum rate permitted by Applicable Law, whichever is lower. Jombone may suspend access to the Platform for non-payment after ten (10) days' written notice. For Canadian Customers, fees may be invoiced in CAD or USD as specified in the Order Form; the late-payment interest rate of 1.5% per month (18% per annum) is within the permitted range under section 347 of the Criminal Code of Canada.

3.12 Non-Cancellable Commitment. All subscription fees for the Initial Term and any Renewal Term are firm, non-cancellable, and non-refundable commitments, subject only to Customer's Buyout Option under Section 12.3. Monthly billing is a payment convenience and does not create a month-to-month arrangement.

3.13 Incidental Charges. Incidental Charges for eSign (per envelope sent), Background Checks (per check initiated), SMS/messaging (per unit), and similar usage-based services are billed in arrears. Rates are agreed in the Order Form and are fixed for the duration of the Subscription Term unless adjusted at renewal. Incidental Charges incurred through the effective date of termination remain due and payable in full and are not subject to refund, proration, or acceleration.

3.14 Enterprise and Mid-Market Agreements. This Agreement is the standard click-wrap MSA for Jombone's commercial and SMB customer segment. Customers in Jombone's Mid-Market or Enterprise segments may negotiate a separate Master Services Agreement with Jombone; in such cases, the separately negotiated agreement supersedes this Agreement to the extent expressly stated therein. Provisions in an Order Form prevail over conflicting provisions in this Agreement.

3.15 Acceleration of Fees. Upon the occurrence of any of the following events (each, a "Triggering Event"), all remaining fixed subscription fees for the balance of the then-current Subscription Term shall become immediately due and payable in full, without notice, demand, or further action by Jombone:

• (a) Customer requests, initiates, or purports to effect early termination of this Agreement or any Order Form prior to the Subscription End Date for any reason other than (i) Jombone's uncured material breach under Section 12.2, or (ii) Customer's exercise of the Buyout Option under Section 12.3 with full payment of the Buyout Amount;

• (b) Customer fails to cure a payment default within ten (10) days of written notice;

• (c) Customer ceases to conduct business in the ordinary course, becomes insolvent, makes a general assignment for the benefit of creditors, suffers the appointment of a receiver or trustee, or files (or has filed against it) any petition under any bankruptcy or insolvency law;

• (d) Customer undergoes a Change of Control and fails to provide the notice required by Section 13.8 within the cure period set out in that Section, or the successor entity refuses to provide the written assurances required;

• (e) Customer purports to reduce the Licensed Seat Count during an active Subscription Term in violation of Section 3.6;

• (f) Customer purports to assign this Agreement to a Competitor or otherwise in violation of Section 13.3 and fails to cure within the period set out in that Section.

3.15(g) Jombone Termination for Customer Material Breach. Where Jombone terminates this Agreement for Customer's material breach under Section 12.2, the acceleration mechanism in this Section 3.15 shall not apply; instead, Jombone shall be entitled to recover its actual damages, including all unpaid fees accrued through the date of termination plus its reasonable wind-down costs. Jombone's election under Section 12.2 to terminate Customer is in addition to, and not in lieu of, all other rights and remedies available to Jombone at law or in equity.

The accelerated amount shall equal the Licensed Seat Count at the time of the Triggering Event multiplied by the then-current per-Seat monthly rate, multiplied by the number of full and partial calendar months remaining in the then-current Subscription Term. Incidental Charges accrued prior to the Triggering Event remain due under Section 3.11 and are not subject to acceleration.

LIQUIDATED DAMAGES ACKNOWLEDGMENT. THE PARTIES ACKNOWLEDGE THAT: (I) JOMBONE HAS COMMITTED INFRASTRUCTURE, SUPPORT, AND OPERATIONAL CAPACITY IN RELIANCE ON CUSTOMER'S FULL-TERM COMMITMENT; (II) JOMBONE'S ACTUAL DAMAGES IN THE EVENT OF A TRIGGERING EVENT WOULD BE DIFFICULT OR IMPOSSIBLE TO CALCULATE PRECISELY; (III) THE ACCELERATED AMOUNT REPRESENTS A FAIR AND REASONABLE ESTIMATE OF JOMBONE'S ANTICIPATED LOSS, AGREED BETWEEN SOPHISTICATED COMMERCIAL PARTIES; (IV) THE ACCELERATED AMOUNT IS LIQUIDATED DAMAGES AND IS NOT A PENALTY; AND (V) THE BUYOUT OPTION IN SECTION 12.3 AFFORDS CUSTOMER A CONTRACTUALLY DEFINED EXIT AT THE SAME ECONOMIC VALUE.

Accelerated amounts accrue interest at the rate in Section 3.11 from the date of the Triggering Event until paid in full. Customer is liable for all reasonable costs of collection, including attorneys' fees.

3.16 Taxes. All fees are exclusive of applicable taxes (sales, use, value-added, GST, HST, and similar), except taxes based on Jombone's net income. For Canadian Customers, Jombone will add applicable HST or GST to invoices as required. QST does not apply as Jombone does not serve Quebec Customers.

4. Platform Functionality Representations

4.1 Pure Technology Platform; Scope of This Agreement. This Agreement governs only Customer's access to and use of the Jombone Staffing Operations Platform (the "Platform"), a hosted software-as-a-service technology offering. Under this Agreement, Jombone provides software functionality only; Jombone does not, under this Agreement, provide staffing, recruiting, employment, payroll, employer-of-record, or other professional services to Customer, to Customer's Workers or candidates, or to Customer's End-Clients. Customer is solely responsible for its own staffing, recruiting, employment, classification, payroll, and client-relationship decisions and operations.

4.1A Separate Services Outside This Agreement. From time to time, Customer and Jombone may enter into separate written agreements for additional services not provided under this Agreement (each, a "Separate Services Agreement"). Any such Separate Services Agreement is independently negotiated, separately executed, and separately governed; this Agreement does not authorize, govern, create, or imply any such additional engagement, and any such additional engagement does not affect, modify, or expand this Agreement. The terms of the Separate Services Agreement govern that engagement exclusively. This Agreement governs only Customer's access to and use of the Platform.

4.2 No Employer, Co-Employer, or Joint-Employer Status Under This Agreement. By reason of Customer's use of the Platform under this Agreement, Jombone is not, and shall not be deemed to be, an employer, co-employer, joint employer, employer-of-record, professional employer organization, or paymaster of any Worker, candidate, contractor, or other individual who accesses or whose data is processed through the Platform. The Platform is a technology tool used by Customer to manage Customer's own staffing, recruiting, or workforce-management operations. Customer is solely responsible for: (a) classifying its Workers as employees or independent contractors; (b) compliance with all wage, hour, overtime, minimum-wage, workers' compensation, unemployment insurance, employment-eligibility verification, and tax-withholding laws; (c) maintaining all employment records required by Applicable Law; (d) responding to claims by Workers, candidates, or government agencies relating to the foregoing; and (e) ensuring that Customer's use of the Platform does not cause any third party to assert that Jombone is an employer, co-employer, joint employer, or paymaster by reason of Customer's use of the Platform.

4.3 No Money Movement; No Paymaster Services Under This Agreement. Under this Agreement, Jombone does not move funds. The Platform does not process payments to Workers or candidates and does not collect funds from Customer's End-Clients on Customer's behalf. The Platform's payroll and invoicing modules generate data files that Customer transmits to Customer's own third-party payroll provider, employer-of-record provider, or to Customer's End-Clients for payment processing. All Worker wages, taxes, deductions, End-Client invoices, and related payments are processed by Customer or by Customer's third-party providers, into and out of Customer's own bank accounts. Under this Agreement, Jombone is not a money transmitter, money services business, payment processor, or financial institution and does not require licensing as any of the foregoing.

4.4 Time-Clock Functionality; No Biometric Identifiers. The Platform's time-clock application captures a photograph at clock-in and clock-out for the purpose of supervisor visual verification — to enable a human supervisor to verify, by visual inspection, that the Worker clocking in or out is the assigned Worker, and to deter buddy-punching and time theft. The Platform does NOT collect, compute, derive, store, compare, or otherwise process any "biometric identifier" or "biometric information" as those terms are defined under the Illinois Biometric Information Privacy Act (740 ILCS 14/1 et seq.), the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001), the Washington biometric identifier law (RCW 19.375 et seq.), or analogous law of any other jurisdiction. Specifically, the Platform does not derive any scan of facial geometry, facial template, facial vector, eigenfaces, facial embeddings, or other mathematical representation of facial features, and does not perform algorithmic facial identification. Photographs are stored as standard image files for human supervisor visual review during the Subscription Term and are deleted thereafter in accordance with the DPA.

4.5 No Protected Health Information by Default. Customer shall not upload, transmit, or process Protected Health Information ("PHI") as defined under HIPAA through the Platform unless Customer and Jombone have entered into a separate written Business Associate Agreement. Absent a BAA, Customer represents that none of the Customer Data constitutes PHI subject to HIPAA. Jombone is not, and is not held out as, a HIPAA business associate in the absence of a signed BAA.

4.6 AI Features; No Reliance on AI Outputs. The Platform includes AI-powered features (including AI matching, AI screening agents, AI sourcing, and the candidate employability rating known as the "JScore"). These features may use Jombone's proprietary models, third-party AI service providers, or a combination of both, at Jombone's discretion. AI outputs may be inaccurate, incomplete, or biased and are not a substitute for Customer's independent judgment. Customer is solely responsible for all hiring, screening, scheduling, and other employment-related decisions made in connection with use of the Platform. Where Customer's use of AI features constitutes use of an Automated Employment Decision Tool ("AEDT") under Applicable Law (including NYC Local Law 144, the Colorado AI Act, the Illinois Artificial Intelligence Video Interview Act, or analogous law), Customer is the "deployer," "user," "employer," or "controller" of the AEDT and is solely responsible for compliance, including bias audits, candidate notices, accommodations, and recordkeeping. The AUP at Exhibit D contains additional restrictions on AI usage.

4.7 Worker Multi-Tenancy. The Platform is multi-tenant. A Worker may be invited into the networks of multiple Customers through the same mobile application or web portal. Data, communications, shifts, and timesheets are segregated by Customer network. One Customer cannot access another Customer's data even where the Customers share a common Worker.

5. Data Ownership, Self-Service Export, and Aggregated Statistics

5.1 Ownership of Customer Data. As between the parties, Customer retains all rights, title, and interest in and to Customer Data. Jombone processes Customer Data solely as set out in this Agreement, the DPA, and Applicable Law.

5.2 Customer Self-Service Export. The Platform provides reporting and data-export functionality through which Customer may download Customer Data — including candidate records, timesheets, placements, invoices, payroll-export files, and configuration data — in standard formats (CSV, PDF, JSON, or as made available) at any time during the Subscription Term.

CUSTOMER IS SOLELY RESPONSIBLE FOR EXPORTING ANY CUSTOMER DATA IT WISHES TO RETAIN PRIOR TO THE EFFECTIVE DATE OF TERMINATION OR EXPIRATION OF THIS AGREEMENT. FOLLOWING TERMINATION OR EXPIRATION, JOMBONE IS NOT OBLIGATED TO PROVIDE POST-TERMINATION ACCESS, DATA EXTRACTION, TRANSITION ASSISTANCE, OR BACKUPS. CUSTOMER DATA WILL BE DELETED IN ACCORDANCE WITH SECTION 5.4 AND THE DPA. CUSTOMER SHOULD PLAN ITS EXPORT STRATEGY WELL IN ADVANCE OF ANY TERMINATION OR EXPIRATION.

5.3 Aggregated Statistics; AI Training and Improvement Rights. Customer agrees that Jombone may collect, process, and use Customer Data and Authorized User, Worker, candidate, and End-Client interaction data on the Platform to generate Aggregated Statistics. Jombone owns and retains all right, title, and interest in and to Aggregated Statistics and may use Aggregated Statistics for any lawful purpose, including: (a) providing, supporting, securing, and operating the Platform; (b) developing, training, fine-tuning, testing, evaluating, validating, and improving Jombone's proprietary and third-party AI and machine-learning models, AI matching tools, AI screening agents, AI sourcing tools, the JScore, and other Platform features, using de-identified or aggregated data; (c) generating industry insights, benchmarks, and analytics that do not identify Customer or any individual; (d) detecting and remediating model bias, drift, and error; (e) marketing, research, and product development; and (f) public reporting and thought-leadership materials. Aggregated Statistics do NOT constitute Customer Confidential Information. Jombone's rights to Aggregated Statistics survive termination of this Agreement.

"De-identified" means data from which all direct identifiers, and any indirect identifiers that could reasonably be used to identify an individual, have been removed, obscured, hashed, or aggregated. Jombone uses commercially reasonable technical and organizational measures to prevent re-identification, does not attempt to re-identify, and contractually obligates Subprocessors not to attempt re-identification.

5.4 Data Retention and Deletion. Upon termination or expiration of this Agreement, or upon Customer's written request prior to termination, Jombone will delete or anonymize Customer Data within thirty (30) days, except to the extent (i) Jombone is required to retain such data by Applicable Law; (ii) such data has been converted into Aggregated Statistics, in which case Jombone may continue to retain and use such Aggregated Statistics indefinitely; or (iii) such data is held in routine backup systems, which will be overwritten or deleted in the ordinary course.

5.5 Data Security. Jombone will maintain administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Customer Data, as further set out in Exhibit C and the DPA. Jombone has implemented controls aligned with the SOC 2 Type II framework and is undergoing a third-party SOC 2 Type II audit, with the report anticipated to be available in Q2 2026. Upon completion of the audit, the report will be made available to Customer under a customary mutual non-disclosure agreement upon written request. In the case of a confirmed security incident affecting Customer Data, Jombone will notify Customer in accordance with the DPA and Applicable Law.

5.6 CASL — Canadian Customers. Customer represents and warrants that it has obtained all required consents under Canada's Anti-Spam Legislation (CASL) for any Commercial Electronic Message sent by Customer using the Platform's communication features. Customer indemnifies Jombone from any CRTC enforcement action or third-party CASL claim arising from Customer's non-compliance.

6. Third-Party Integrations and Subprocessors

6.1 Authorization. The Platform integrates with third-party services (including background-check providers, e-signature providers, messaging providers, mapping providers, AI service providers, hosting providers, and payroll-data integration partners) via APIs, webhooks, and file transfers. Customer authorizes Jombone to share Customer Data with these Subprocessors as necessary to deliver the integrated features. Usage of certain third-party services results in Incidental Charges under Section 3.13. The current list of Subprocessors is maintained at www.jombone.com/subprocessors.

6.2 Due Diligence. Jombone conducts due diligence on Subprocessors and contracts with them to require compliance with applicable data-protection obligations comparable to those in this Agreement and the DPA. Jombone will notify Customer of known third-party service disruptions within twenty-four (24) hours.

6.3 Liability for Third-Party Services. Jombone is not liable for damages, delays, or failures caused by third-party services or providers, provided Jombone has exercised reasonable care in their selection and contractual management.

6.4 Subprocessor Changes. Jombone will update the Subprocessors page at least fourteen (14) days before engaging a new Subprocessor that will process Personal Data. Customer may object on reasonable data-protection grounds within fourteen (14) days; if the parties cannot resolve the objection within thirty (30) days, Customer's sole remedy is to terminate the affected services with thirty (30) days' written notice. Such termination is not a Triggering Event under Section 3.15.

7. Service Levels

Jombone's commitments to Platform uptime, incident response, and service credits are governed by the SLA at Exhibit B, incorporated by reference. Service credits are Customer's sole and exclusive financial remedy for SLA failures.

8. Acceptable Use

Customer's and its Authorized Users', Workers', and End-Clients' use of the Platform is governed by the AUP at Exhibit D, incorporated by reference. AUP violations constitute material breach of this Agreement and entitle Jombone to suspend, with notice where reasonably practicable, access to the Platform under Section 12.5 and to seek all available remedies.

9. Warranties and Disclaimers

9.1 Mutual Warranty of Authority. Each party represents and warrants that it has the legal authority to enter into this Agreement and that the individual accepting this Agreement on its behalf has been duly authorized to do so.

9.2 Jombone Warranty. Jombone warrants that during the Subscription Term, the Platform will materially perform the functions described in the Documentation, subject to the SLA. Customer's exclusive remedy for breach of this warranty is the service-credit remedy in the SLA.

9.3 Disclaimer of Other Warranties. Except as expressly set out in Section 9.2 and the SLA, the Platform is provided "AS IS" and "AS AVAILABLE." To the fullest extent permitted by Applicable Law, Jombone disclaims all warranties, express, implied, statutory, or otherwise, including warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, completeness, and uninterrupted operation. Jombone does not warrant that the Platform meets all Customer requirements, is completely error-free, that all defects will be corrected, or that the Platform is free from vulnerabilities (which Jombone addresses through its security program described in Exhibit C).

9.4 Marketing Claims Disclaimer. Performance metrics, statistics, and outcome statements published on Jombone's website, in marketing materials, case studies, return-on-investment calculators, and similar collateral (including stated uptime, time-to-fill, timesheet accuracy, payroll exception rate, deployment time, fill rate, and productivity metrics) reflect aggregate aspirational targets and prior-customer outcomes, are not specific to any individual Customer's deployment, and do not constitute warranties, representations, or contractual commitments. Jombone's only binding service-level commitment is set out in the SLA, and Jombone's only binding performance warranty is set out in Section 9.2.

9.5 No Hazardous Use. The Platform is general-purpose business software and is NOT designed, manufactured, intended, or warranted for use in hazardous environments requiring fail-safe performance, including in the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control, medical life support, weapons systems, or other applications in which the failure of the Platform could result in death, personal injury, or severe physical or environmental damage. Customer is solely responsible for determining whether the Platform is suitable for Customer's intended use.

9.6 No Warranty Regarding AI Outputs. Without limiting Section 9.3, Jombone makes no warranty whatsoever regarding the accuracy, fairness, completeness, reliability, or fitness for any particular purpose of any output, score, recommendation, or other result produced by the AI features of the Platform, whether powered by Jombone's own models or by third-party AI service providers. AI outputs may be inaccurate, incomplete, or biased. Customer's use of AI features is at Customer's own risk and Customer is solely responsible for the use it makes of AI outputs, as further set out in Section 4.6 and Exhibit D.

9.7 No Liability for Employment Decisions. Jombone is not responsible for, and disclaims all liability arising from, Customer's employment, hiring, screening, scheduling, classification, discipline, termination, wage-and-hour, anti-discrimination, accommodation, or other labor and employment decisions or compliance obligations.

9.8 B2B Acknowledgment. This Agreement is a B2B commercial agreement; consumer-protection statutes intended for individual consumers do not apply.

10. Limitation of Liability

10.1 Cap on Direct Damages. Except as set out in Section 10.4, each party's total cumulative liability arising out of or relating to this Agreement, whether in contract, tort (including negligence), or otherwise, shall not exceed the fees paid by Customer under the applicable Order Form during the twelve (12) months preceding the event giving rise to liability.

10.2 Exclusion of Indirect Damages. Except as set out in Section 10.4, in no event shall either party be liable to the other for any indirect, incidental, special, consequential, exemplary, or punitive damages, including loss of profits, loss of revenue, loss of business, loss of data, business interruption, or cost of substitute services, even if such party has been advised of the possibility of such damages.

10.3 Third-Party Services. Jombone is not liable for damages caused by third-party services or providers, provided Jombone has exercised reasonable care in selection and contractual management.

10.4 Carve-Outs. The cap in Section 10.1 does not apply to: (a) Customer's payment obligations under Section 3 (including accelerated fees under Section 3.15 and the Buyout Amount under Section 12.3); (b) either party's indemnification obligations under Section 15; (c) damages arising from a party's gross negligence, willful misconduct, or fraud; (d) Customer's breach of Section 2.3 (Restrictions), Section 2.6 (Intellectual Property), or the AUP; or (e) the Canadian carve-out in Section 10.5.

10.5 Canadian Carve-Out. Neither the cap in Section 10.1 nor the exclusion in Section 10.2 applies to: (a) damages arising from Jombone's breach of its obligations under PIPEDA or other Applicable Canadian Data Protection Laws; or (b) claims arising from Jombone's intentional misconduct, fraud, or violations of applicable Canadian law that cannot be contractually excluded.

10.6 Allocation of Risk. The parties acknowledge that the limitations and exclusions in this Section 10 reflect a negotiated allocation of risk, that the fees payable under this Agreement reflect such allocation, and that this Section 10 shall apply notwithstanding the failure of any essential purpose of any limited remedy. The parties further acknowledge that Jombone would not enter into this Agreement on the fees agreed without the limitations in this Section.

10.7 Aggregation. All claims arising in any twelve (12)-month period are aggregated for purposes of calculating the liability cap in Section 10.1. Multiple claims arising from a single event, occurrence, set of related facts, or series of related events or occurrences shall be treated as a single claim. Customer may not split, segregate, or characterize claims to evade the limitations of this Section 10.

11. Confidentiality

11.1 Definition. "Confidential Information" means any non-public information disclosed by one party (the "Discloser") to the other (the "Recipient") that is identified as confidential or that, given the nature of the information and the circumstances of disclosure, a reasonable person would understand to be confidential. Customer Data is the Confidential Information of Customer (but Aggregated Statistics are not — see Section 5.3). The Platform's non-public technical features, source code, architecture, algorithms, pricing, roadmaps, and the terms of this Agreement are the Confidential Information of Jombone.

11.2 Obligations. Recipient shall (a) use Confidential Information solely to exercise its rights and perform its obligations under this Agreement; (b) protect Confidential Information using at least the same degree of care that it uses to protect its own confidential information of like importance, but in no event less than reasonable care; and (c) restrict disclosure to its employees, contractors, and advisors who have a need to know and who are bound by confidentiality obligations at least as protective as those in this Section 11.

11.3 Exclusions. The obligations in this Section 11 do not apply to information that (a) is or becomes publicly known through no fault of Recipient; (b) was rightfully known to Recipient prior to disclosure; (c) is rightfully received from a third party without confidentiality obligations; (d) is independently developed without reference to Discloser's Confidential Information; or (e) is required to be disclosed by law or court order, provided Recipient gives prompt notice (where lawful) and reasonable cooperation.

11.4 Duration. The confidentiality obligations in this Section 11 survive termination of this Agreement for five (5) years, except that trade secrets remain protected for as long as they retain trade-secret status under Applicable Law.

12. Term and Termination

12.1 Term and Auto-Renewal. This Agreement begins on the Effective Date and continues for the Initial Term specified in the Order Form. Unless either party provides written notice of non-renewal at least thirty (30) days prior to the Subscription End Date, the subscription shall automatically renew for successive Renewal Terms of equal length to the Initial Term, at the same Licensed Seat Count then in effect and at Jombone's then-current pricing. Customer may, by written notice delivered at least thirty (30) days prior to the Subscription End Date, request (a) a reduction in the Licensed Seat Count effective on the first day of the Renewal Term, or (b) non-renewal of the Agreement.

12.2 Termination for Cause. Either party may terminate this Agreement for the other party's material breach if the breaching party fails to cure such breach within thirty (30) days following written notice of breach. Either party may also terminate immediately upon written notice if the other party becomes insolvent, files (or has filed against it) any bankruptcy petition, or ceases to conduct business in the ordinary course. Where Jombone terminates this Agreement for Customer's material breach, Jombone's remedies are as set out in Section 3.15(g) and not subject to the acceleration mechanism in Section 3.15.

12.3 No Termination for Convenience; Buyout Option. Customer may not terminate this Agreement, or reduce the Licensed Seat Count, for convenience during the Initial Term or any Renewal Term, except as expressly provided in this Section 12.3.

Buyout Option. Customer may terminate this Agreement for convenience at any time during the Subscription Term by (a) providing Jombone with at least thirty (30) days' prior written notice of termination; and (b) paying, on or before the effective date of termination, the full balance of remaining fixed subscription fees for the then-current Subscription Term (the "Buyout Amount"). The Buyout Amount is calculated as the Licensed Seat Count at the time of the buyout notice multiplied by the then-current per-Seat monthly rate, multiplied by the number of full and partial calendar months remaining in the then-current Subscription Term. Incidental Charges incurred through the effective date of termination remain due separately under Section 3.11 and are not included in the Buyout Amount.

Upon Jombone's receipt of the Buyout Amount in full, Customer's access to the Platform ceases on the effective date specified in the notice. The Buyout Amount is non-refundable and constitutes Customer's sole and exclusive exit right for convenience.

No Other Convenience Rights. Other than the Buyout Option, Customer has no right to terminate, cancel, suspend, or reduce its commitments for convenience. A Change of Control does not constitute grounds for termination. Any purported termination or reduction by Customer without payment of the Buyout Amount in full constitutes a Triggering Event under Section 3.15.

12.4 Effect of Termination. Upon any termination, Customer's access to the Platform ceases, and Jombone will handle Customer Data as specified in the DPA. Sections 1, 3 (to the extent of accrued and accelerated fees), 4, 5, 9, 10, 11, 12.4, 13, 14, 15, and 16, and any other provision which by its nature is intended to survive, shall survive expiration or termination. Termination does not relieve Customer of any obligation to pay fees accrued prior to termination, the Buyout Amount, or accelerated fees due under Section 3.15.

12.5 Suspension. Without limiting Jombone's termination rights, Jombone may suspend Customer's access to the Platform (in whole or in part), with notice where reasonably practicable, if Jombone reasonably determines that: (a) Customer's payment is overdue under Section 3.11; (b) Customer or any Authorized User is materially breaching this Agreement or the AUP; (c) continued access poses a security or integrity risk to the Platform or other Customers; (d) Customer's use is causing damage to Jombone's brand or violates Applicable Law; or (e) suspension is required by Applicable Law, court order, or regulatory request. Jombone will restore access as soon as the cause of suspension is remediated. Suspension does not relieve Customer of payment obligations.

13. General Provisions

13.1 Governing Law; Dispute Resolution. The governing law and dispute-resolution forum applicable to this Agreement are determined by Customer Jurisdiction as follows:

(a) United States Customers. This Agreement is governed by the laws of the State of Texas, without regard to conflict-of-law principles. All disputes shall be resolved through binding arbitration in Dallas County, Texas, under the rules of the American Arbitration Association, except that either party may seek injunctive or equitable relief in any court of competent jurisdiction for violations of Section 2.3 (Restrictions), Section 2.6 (Intellectual Property), the AUP, or Section 11 (Confidentiality). Prior to initiating arbitration, the parties shall attempt good-faith negotiation for fifteen (15) days, followed by executive-level escalation for an additional fifteen (15) days.

(b) Canadian Customers (excluding Quebec). This Agreement is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict-of-law principles. All disputes shall be resolved through binding arbitration in Toronto, Ontario, under the rules of the ADR Institute of Canada (ADRIC), with the same court-injunctive exceptions and the same pre-arbitration negotiation/escalation as in subsection (a).

13.1(C) ATTORNEYS' FEES. THE PREVAILING PARTY IN ANY ARBITRATION OR COURT PROCEEDING ARISING OUT OF OR RELATING TO THIS AGREEMENT IS ENTITLED TO RECOVER ITS REASONABLE ATTORNEYS' FEES, EXPERT FEES, COSTS, AND EXPENSES FROM THE NON-PREVAILING PARTY. IF JOMBONE RETAINS AN ATTORNEY OR COLLECTION AGENCY TO COLLECT AMOUNTS DUE FROM CUSTOMER, CUSTOMER IS LIABLE FOR ALL REASONABLE COSTS OF COLLECTION.

13.2 Force Majeure. Neither party is liable for delays or failures due to events beyond its reasonable control, including natural disasters, government actions, pandemics, internet outages, or third-party-service outages, provided the affected party gives prompt written notice and uses commercially reasonable efforts to mitigate. Customer's payment obligations are not excused by force majeure. If a force majeure event continues for more than ninety (90) consecutive days, either party may terminate the affected Order Form with thirty (30) days' written notice, in which case Customer shall pay all fees accrued through the effective date of termination but shall not be liable for acceleration under Section 3.15.

13.3 Assignment. Jombone may assign this Agreement, in whole or in part, without Customer's consent, to an Affiliate or to a successor entity in connection with a merger, acquisition, reorganization, or sale of all or substantially all of Jombone's assets. Customer may not assign this Agreement without Jombone's prior written consent, except that Customer may assign, upon written notice to Jombone but without Jombone's prior consent (a "Permitted Assignment"): (a) to an Affiliate that has the financial and operational capacity to perform Customer's obligations and assumes such obligations in writing; or (b) to a successor entity in connection with a merger, acquisition, reorganization, or sale of all or substantially all of Customer's assets or equity, provided that (i) the successor is not a Competitor, (ii) the successor assumes Customer's obligations in writing, (iii) Customer or the successor provides Jombone with written notice within ten (10) business days of closing, and (iv) the successor is not on any US, Canadian, or applicable international sanctions or restricted-party list.

Cure Period for Late Notice. If Customer fails to provide the notice required by subsection (b)(iii), Customer (or its successor) has a further ten (10) business days following written notice from Jombone to cure such failure. Failure to cure within such extended period constitutes a Triggering Event under Section 3.15.

Any purported assignment by Customer (i) to a Competitor without Jombone's prior written consent, or (ii) otherwise in violation of this Section 13.3, is null and void ab initio and constitutes a Triggering Event under Section 3.15. This Agreement is binding upon and inures to the benefit of the parties and their respective successors and permitted assigns.

13.4 Notices. Notices to Jombone must be in writing, sent via email to [email protected] with confirmation of delivery, and (for critical notices including termination, breach, indemnity, Change of Control, and assignment) also by courier or certified mail to Jombone Inc., Attn: General Counsel, 3300 Dallas Pkwy, Suite 200, Plano, TX 75093, USA. Notices to Customer will be sent to the email address designated in the Order Form or, if none, to the email address most recently used by Customer to access the Platform. Notices are deemed received upon confirmed delivery.

13.5 Entire Agreement; Order of Precedence. This Agreement (Main MSA, Exhibits A through G, the Order Form, and the Privacy Policy) constitutes the entire agreement between the parties on the subject matter hereof and supersedes all prior agreements. In case of conflict, the following order of precedence applies (highest to lowest): (i) the Order Form; (ii) any separately negotiated and signed MSA for Mid-Market or Enterprise Customers; (iii) the Exhibits, in alphabetical order; (iv) the body of this Agreement; (v) the Privacy Policy (for privacy-specific conflicts, the Privacy Policy prevails).

13.6 Severability. If any provision is held invalid, the remaining provisions remain in full force. Unenforceable provisions are modified to the minimum extent necessary while preserving the parties' original commercial intent.

13.7 Modifications. Jombone may update this Agreement with thirty (30) days' written notice (by email or by posting at jombone.com/terms-of-use). Continued use of the Platform after the notice period constitutes acceptance. For changes that materially reduce Customer's rights, Customer may terminate during the notice period without further obligation other than payment of fees accrued through the effective date. Jombone maintains a version history and makes prior versions available on request.

13.8 Change of Control. Customer shall provide Jombone with written notice within ten (10) business days following consummation of any Change of Control. If Customer fails to provide such notice, Customer (or its successor) has a further ten (10) business days following written notice from Jombone to cure. This Agreement survives and remains binding upon Customer's successor. No Change of Control relieves Customer or its successor of any obligation to pay fees through the end of the then-current Subscription Term. Jombone may, within sixty (60) days of receiving notice, require the successor to provide written assurances of its ability to perform. Failure to cure under this Section 13.8 constitutes a Triggering Event under Section 3.15.

13.9 Electronic Signatures and Counterparts. This Agreement and any Order Form may be executed in counterparts. Electronic signature (DocuSign, SignNow, or similar) constitutes valid and binding execution. For US Customers, electronic signatures are enforceable under the ESIGN Act (15 U.S.C. §§ 7001–7006) and applicable state UETA. For Canadian Customers (excluding Quebec), electronic signatures are enforceable under Ontario's Electronic Commerce Act, 2000 and applicable provincial law.

13.10 WAIVER OF JURY TRIAL. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY IRREVOCABLY WAIVES ALL RIGHT TO TRIAL BY JURY IN ANY ACTION ARISING OUT OF OR RELATING TO THIS AGREEMENT. THIS PROVISION APPLIES TO US-BASED CUSTOMER DISPUTES ONLY; IT DOES NOT APPLY WHERE PROHIBITED BY APPLICABLE LAW IN CANADA.

13.11 Language. This Agreement is drawn up in English. As Jombone does not serve Quebec Customers, the requirements of the Charter of the French Language do not apply. All communications shall be in English.

13.12 Waiver. No waiver is effective unless in writing and signed by the waiving party. A waiver of one breach is not a waiver of any subsequent breach.

13.13 Independent Contractors. The parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, agency, franchise, employer-employee, or fiduciary relationship.

13.14 Export and Trade Compliance; U.S. Government Rights. Customer shall comply with all applicable U.S. and other export, re-export, and import control laws and regulations, including the U.S. Export Administration Regulations and economic sanctions administered by the U.S. Department of the Treasury Office of Foreign Assets Control. Customer represents that it is not located in, organized under the laws of, or ordinarily resident in any country or territory subject to comprehensive U.S. sanctions, and is not identified on any U.S. or applicable international restricted-party or sanctions list. If Customer is a U.S. Federal Government entity, the Platform is provided as "commercial computer software" and "commercial computer software documentation" with only those rights granted to all other end users under this Agreement, pursuant to FAR 12.212 and DFARS 227.7202.

14. Updates, Backward Compatibility, and End-of-Life

14.1 Included Maintenance. The subscription fee includes all updates, upgrades, patches, enhancements, and bug fixes that Jombone generally makes available to similarly situated Customers during the Subscription Term, as well as standard Documentation updates and security patches.

14.2 Continuous Delivery. The Platform uses a continuous-delivery model. Updates deploy automatically to production without requiring Customer action. Material new features are typically released approximately twice per year.

14.3 API Backward Compatibility. Jombone uses commercially reasonable efforts to maintain backward compatibility for material public API endpoints for a reasonable transition period following any breaking change, and to announce deprecations in advance through Documentation and Customer communications. Jombone does not commit to a specific backward-compatibility window and may shorten the transition period in cases of security, compliance, or technical infeasibility.

14.4 End-of-Life. Jombone fully supports only the current major version of the Platform. Jombone may, in its sole discretion and subject to additional fees, provide limited support for prior major versions for up to twelve (12) months after a new major version is released. After such period, legacy support is unavailable and Customer must operate on the current version. Where a legacy version creates security risks, violates third-party license terms, or is no longer technically feasible (including due to infrastructure-provider end-of-life), Jombone may require Customer to upgrade upon ninety (90) days' written notice.

15. Customer Representations and Warranties

Customer represents and warrants on a continuing basis throughout the Subscription Term that:

• (a) Customer is duly organized and validly existing under the laws of its jurisdiction of formation and has full power and authority to enter into and perform this Agreement;

• (b) The individual accepting this Agreement on behalf of Customer is duly authorized to bind Customer;

• (c) Customer's use of the Platform complies with all Applicable Law, including employment, wage-and-hour, anti-discrimination, data-protection, anti-spam (including CASL for Canadian Customers), biometric privacy, anti-corruption, and export-control laws;

• (d) Customer is solely responsible for classifying its Workers, for payment of wages and taxes, and for compliance with all employer obligations;

• (e) Customer has obtained all necessary consents from candidates, Workers, End-Clients, and other individuals whose Personal Data is processed through the Platform, including consents required under PIPEDA, CASL, CCPA/CPRA, BIPA, CUBI, and AEDT laws (including NYC Local Law 144, Colorado AI Act, and Illinois Artificial Intelligence Video Interview Act);

• (f) Customer shall not upload PHI to the Platform absent a signed BAA (per Section 4.5);

• (g) Customer shall not exceed the Licensed Seat Count except by adding Seats in accordance with Section 3.4, and acknowledges Jombone may invoice for Overage under Section 3.7 and conduct audits under Section 2.4;

• (h) Where Customer's use of AI features constitutes deployment of an AEDT, Customer is the deployer and is solely responsible for bias audits, candidate notices, accommodations, and recordkeeping (further detailed in Exhibit D);

• (i) All information provided by Customer in connection with any Order Form is accurate and complete in all material respects; and

• (j) Customer is not on any restricted-party or sanctions list and is not organized in or primarily doing business from any country or territory subject to comprehensive U.S. sanctions or the Province of Quebec.

16. White-Label Deployments

White-label deployments — under which Customer offers the Platform to its End-Clients or Workers under Customer's branding — are available to qualifying Customers and are NOT covered by this Agreement. White-label deployments are governed by a separately negotiated White-Label Addendum executed between Jombone and Customer, which addresses, among other matters, attribution requirements, branding guidelines, mobile-app distribution, additional fees, intellectual-property restrictions, post-termination removal obligations, and enhanced indemnification. Customers interested in white-label deployments should contact [email protected].

Any unauthorized white-labeling of the Platform — including rebranding, removal of Jombone trademarks or attribution, distribution under Customer's branding, or offering of the Platform under any name other than Jombone — without a fully executed White-Label Addendum is a material breach of this Agreement and constitutes a Triggering Event under Section 3.15.

17. Indemnification

17.1 Customer Indemnification. Customer shall indemnify, defend, and hold harmless Jombone and its officers, directors, employees, agents, and Affiliates from and against any third-party claims, damages, losses, settlements, and expenses (including reasonable attorneys' fees) arising from or relating to: (a) Customer's breach of this Agreement or the AUP; (b) Customer's misuse of the Platform; (c) Customer Data, including any allegation that Customer Data infringes the rights of a third party or violates Applicable Law; (d) Customer's violation of Applicable Law, including employment, wage-and-hour, classification, data-protection, biometric, anti-spam, and AEDT laws; (e) any claim that Jombone is an employer, co-employer, joint employer, paymaster, or payroll provider of Customer's Workers or candidates; (f) any claim by Customer's Worker, candidate, or End-Client arising out of Customer's staffing, recruiting, or employment operations; (g) for Canadian Customers, any CRTC enforcement action or third-party CASL claim arising from Customer's use of the Platform's communication features; (h) any AEDT, algorithmic-hiring, or automated-decisioning claim arising from Customer's use of AI features; (i) any unauthorized white-labeling under Section 16; and (j) Customer's violation of third-party rights.

17.2 Jombone Indemnification — IP Infringement. Jombone shall indemnify, defend, and hold harmless Customer against any third-party claim that the Platform, as provided by Jombone and used in accordance with this Agreement, infringes such third party's U.S. or Canadian patent, copyright, trade secret, or (where the claim arises from Jombone branding only) trademark rights.

Jombone's indemnification under this Section 17.2 does not apply to claims arising from (i) Customer Data; (ii) Customer's use of the Platform in combination with any third-party software, data, or services not provided by Jombone; (iii) modifications to the Platform made by Customer or a third party at Customer's direction; (iv) Customer's continued use after Jombone notifies Customer of an alleged infringement and provides a non-infringing alternative; (v) Customer's branding or any unauthorized white-labeling; (vi) AI outputs (see Section 9.6 and Exhibit D); or (vii) third-party products or services.

If the Platform is, or is likely to become, subject to an infringement claim, Jombone may, at its option and expense: (1) modify the Platform to make it non-infringing; (2) procure a license permitting continued use; or (3) terminate the affected portion and refund any prepaid fees for the unused portion of the Subscription Term. This Section 17.2 states Customer's sole and exclusive remedy, and Jombone's sole and exclusive liability, for IP infringement claims.

17.3 Procedure. The indemnified party shall (a) promptly notify the indemnifying party of any claim (failure to provide prompt notice relieves the indemnifying party of its obligations only to the extent it is materially prejudiced); (b) grant the indemnifying party sole control of the defense and settlement (provided that the indemnifying party shall not enter into any settlement imposing any obligation or admission of liability on the indemnified party without the indemnified party's prior written consent, not to be unreasonably withheld); and (c) cooperate in the defense at the indemnifying party's expense.

18. Additional Services and Premium Support

18.1 Implementation and Professional Services. Implementation, configuration, integration, data migration, training, and consulting services are not included in the standard subscription and are available for purchase under a separate Statement of Work executed by Customer and Jombone.

18.2 Premium Support. Premium Support, including extended support hours, dedicated customer-success management, priority response, and similar enhancements, is available for an additional fee as set out in the Order Form. The specific deliverables of Premium Support are determined at the time of purchase and are not warranted under this Agreement except as expressly stated in the Order Form.

19. Acceptance

By clicking "I Agree," by executing an Order Form referencing this Agreement, or by using the Platform, Customer acknowledges that it has read and understood this Agreement in its entirety — including the Main MSA, Exhibits A through G, the Order Form (if any), and the Privacy Policy — and agrees to be bound by all of them as a single integrated agreement. Customer confirms that the individual accepting this Agreement has actual authority to bind the Customer entity.

— End of Main Master Services Agreement —

EXHIBIT A — DATA PROCESSING ADDENDUM (DPA)

This DPA supplements the Main MSA and governs the processing of Personal Data by Jombone in connection with the Platform. This DPA applies to all Customers; region-specific obligations are set out in Section 6.

A1. Definitions

"Data Protection Laws" means all laws applicable to the processing, privacy, and use of Personal Data, including, as applicable: (i) for US Customers — CCPA/CPRA (California), TDPSA (Texas), CDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), OCPA (Oregon), MTCDPA (Montana), and other US federal or state privacy laws; (ii) for Canadian Customers (excluding Quebec) — PIPEDA, PIPA Alberta, PIPA BC, and successor legislation; and (iii) any other applicable jurisdiction-specific privacy law. Quebec Law 25 is not addressed in this DPA as Jombone does not offer the Platform to Quebec Customers.

"Customer Data" means Personal Data processed by Jombone on behalf of Customer through the Platform.

"Subprocessor" means any third-party service provider engaged by Jombone to process Personal Data, listed at www.jombone.com/subprocessors.

"Sensitive Personal Information" has the meaning given under the applicable Data Protection Law.

"Security Incident" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Data processed by Jombone.

A2. Processing of Personal Data

A2.1 Roles and Scope. As between the parties, Customer is the controller (or analogous role) of Customer Data, and Jombone is the processor / service provider acting on Customer's documented instructions. Jombone will process Customer Data only for the following purposes (which constitute Customer's documented instructions): (a) providing, supporting, securing, and operating the Platform; (b) communicating with Customer about the Platform; (c) the Aggregated Statistics uses described in Section 5.3 of the Main MSA; (d) responding to Customer's lawful requests; and (e) complying with Applicable Law. Jombone will not retain, use, sell, share, or disclose Personal Data outside the direct business relationship with Customer except as expressly permitted by this DPA or Applicable Law.

A2.2 Service-Provider Certifications (CCPA/CPRA). Jombone certifies, with respect to California Personal Information processed under this DPA, that: (a) Jombone is a "service provider" as defined under the CCPA/CPRA; (b) Jombone will not sell or share Personal Information; (c) Jombone will not retain, use, or disclose Personal Information for any purpose other than the business purposes in Section A2.1, including not for a commercial purpose other than the specified business purposes; (d) Jombone will not retain, use, or disclose Personal Information outside the direct business relationship between Customer and Jombone, except as CCPA/CPRA permits; (e) Jombone will not combine Personal Information received from Customer with Personal Information from another person except as CCPA/CPRA permits; and (f) Jombone will notify Customer if Jombone determines it can no longer meet these obligations.

A2.3 Processor Obligations Under Other US State Privacy Laws. Where Customer is subject to additional US state privacy laws, Jombone acts as a "processor" under those laws and will comply with applicable processor obligations, including assisting Customer in responding to data-subject requests, maintaining records of processing activities, and providing reasonable assistance with data-protection impact assessments.

A2.4 Compliance and Notification. Customer shall ensure that its documented instructions and use of the Platform comply with applicable Data Protection Laws. Jombone will notify Customer if Jombone believes an instruction violates such laws.

A2.5 Sensitive Personal Information and Biometric Carve-Out. Customer shall not submit Sensitive Personal Information not necessary for the purposes in Section A2.1. Without limiting Section 4.4 of the Main MSA, Customer acknowledges that the Platform does not collect biometric identifiers (as defined under BIPA, CUBI, the Washington biometric identifier law, or analogous law), and Customer shall not configure the Platform or any third-party integration in a manner that would cause the Platform to collect, derive, or process biometric identifiers absent a separate written amendment.

A3. Rights of Data Subjects

Jombone shall reasonably assist Customer in responding to verified data-subject requests (access, correction, deletion, portability, opt-out of sale/share) within thirty (30) days of receiving Customer's written request, or within any shorter period required by Applicable Law. Where a data subject submits a request directly to Jombone in respect of Customer Data, Jombone will direct the data subject to Customer and notify Customer. Where Customer requests Jombone's assistance with data-subject requests requiring extensive manual effort, Jombone may charge Customer at Jombone's then-current professional-services rates, with prior notice and Customer's approval before incurring such charges.

A4. Subprocessors

A4.1 Authorization. Customer authorizes Jombone to engage Subprocessors to support the Platform, including third-party AI service providers used to power AI features.

A4.2 Notification and Objection. Jombone maintains a current Subprocessor list at www.jombone.com/subprocessors. Jombone will notify Customer of new Subprocessor engagements at least fourteen (14) days in advance via email or update to the Subprocessor page. Customer may object within fourteen (14) days on reasonable data-protection grounds; if the parties cannot resolve the objection within thirty (30) days, Customer's sole remedy is to terminate the affected services with thirty (30) days' written notice. Such termination is not a Triggering Event.

A4.3 Subprocessor Obligations. Jombone shall ensure each Subprocessor is subject to written obligations providing a level of data protection comparable to this DPA, including restrictions on training third-party AI models using Customer Data where such configuration is offered by the provider.

A5. Data Security and Breach Notification

A5.1 Security Measures. Jombone shall implement and maintain administrative, technical, and physical safeguards appropriate to the nature of Customer Data, as further described in Exhibit C. Such safeguards include AES-256 encryption at rest and TLS 1.2+ in transit, role-based access controls, multi-factor authentication for administrative access, logging and monitoring, vulnerability management, secure software-development practices, and incident-response procedures.

A5.2 SOC 2. Jombone maintains technical and organizational controls aligned with the SOC 2 Type II framework and is undergoing a third-party SOC 2 Type II audit, with the report anticipated to be available in Q2 2026. Upon completion, the report will be made available to Customer under a customary mutual non-disclosure agreement upon written request.

A5.3 Breach Notification. Jombone will notify Customer without undue delay, and in any event within seventy-two (72) hours, after Jombone becomes aware of a confirmed Security Incident affecting Customer Data. The notification will describe, to the extent then known: the nature of the incident; the categories and approximate number of data subjects affected; the categories and approximate volume of Personal Data records affected; the likely consequences; and the measures taken or proposed to address it. For US Customers, Jombone will support Customer's compliance with applicable US state breach-notification laws. For Canadian Customers (excluding Quebec), Jombone will support Customer's compliance with PIPEDA breach-of-security-safeguards obligations.

A5.4 Transfers of Customer Data. For US Customers, Jombone will process US Customer Data in the United States and Canada. For Canadian Customers (excluding Quebec), Jombone will use commercially reasonable efforts to process Canadian Customer Data within Canada or the United States. For transfers to other jurisdictions, Jombone will execute Standard Contractual Clauses or other approved transfer mechanisms where required.

A6. Region-Specific Data Processing Obligations

A6.1 PIPEDA. Jombone will process Canadian Customer Data in compliance with PIPEDA's ten fair-information principles. Jombone's Privacy Officer is reachable at [email protected].

A6.2 Quebec Exclusion. Quebec Law 25 obligations are not addressed as Jombone does not offer the Platform to Quebec Customers.

A6.3 Alberta PIPA / BC PIPA. Jombone will comply with the applicable provincial PIPA for Customers in Alberta and British Columbia in lieu of PIPEDA where required.

A6.4 CCPA/CPRA. Jombone acts as a "Service Provider" with respect to California Personal Information and complies with the certifications in Section A2.2.

A6.5 US State Privacy Laws. Jombone acts as a "Processor" under VCDPA, CPA, CTDPA, TDPSA, UCPA, OCPA, MTCDPA, and similar US state privacy laws.

A7. Data Retention and Deletion

Upon termination or expiration of the Agreement, or upon Customer's written request, Jombone shall delete or anonymize Customer Data within thirty (30) days, subject to: (a) legal-retention obligations; (b) Aggregated Statistics (which Jombone may retain and use indefinitely under Section 5.3 of the Main MSA); and (c) routine backup overwrite cycles.

A8. Audits

Customer may, upon thirty (30) days' prior written notice and not more than once per calendar year (unless triggered by a confirmed Security Incident or required by Applicable Law), verify Jombone's compliance with this DPA by means of: (i) Jombone providing a copy of its then-current SOC 2 Type II report (under mutual NDA), once available; (ii) Jombone responding to a reasonable industry-standard security questionnaire (such as SIG or CAIQ); and (iii) reasonable written follow-up questions. Customer bears its own audit costs. The audit rights in this Section do not include on-site inspections, third-party penetration testing of Jombone's production environment, or access to other customers' data.

A9. Governing Law and Order of Precedence

This DPA is governed by the same governing law applicable to the Main MSA as determined by Customer Jurisdiction under Section 13.1 of the Main MSA. In the event of a conflict between this DPA and the body of the Main MSA, this DPA prevails with respect to data-protection obligations.

Annex 1 to Exhibit A — Processing Details

Subject Matter: Jombone Staffing Operations Platform (applicant tracking, candidate sourcing, AI matching and screening, onboarding, credentialing, scheduling and dispatch, time capture, learning management, workforce communication, payroll-data export, billing and invoicing, analytics).

Duration: The Subscription Term plus the retention period described in Section A7 of this DPA and Section 5.4 of the Main MSA.

Nature and Purpose of Processing: Hosting and operation of the Platform; candidate sourcing, screening, ranking, and placement; Worker scheduling, dispatch, and shift management; time and attendance capture; onboarding and credentialing; compliance tracking and reporting; payroll-data export to Customer's payroll provider; invoicing and financial reporting; analytics; communications; AI-feature operation and improvement; security, audit, and incident response.

Categories of Personal Data:

• Identification: name, profile picture, date of birth, gender (where required), Worker ID;

• Government identifiers: SSN (US), SIN (Canada), driver's license, passport, work-permit identifiers, immigration documents — collected as passthrough only;

• Contact: email, telephone, mailing address;

• Emergency contact: name and phone number;

• Employment: resume, CV, work history, education history, certifications, licenses, references, job preferences, availability, shift preferences;

• Financial passthrough: bank account number, routing/transit number, void cheque, tax-withholding-form data (W-4, TD1) — captured for transmission to Customer's payroll provider only;

• Time and attendance: clock-in/clock-out timestamps, hours worked, breaks, supervisor approvals, geolocation (where geo-fencing is enabled by Customer), photographs (standard image files, non-biometric);

• Verification results: background-check results, drug-screening results, credit-check results (where Customer has requested) — supplied by third-party providers;

• Communications: messages exchanged through Platform messaging; SMS and email content sent or received through the Platform;

• AI/ML outputs: JScore, AI matching scores, AI screening responses;

• Device and usage: IP address, browser type, OS, device identifiers, app installation IDs, log data, time zone;

• Customer business contact information: business name, business email, mailing address, billing contact, role/title.

Categories of Data Subjects: (a) Customer employees, contractors, and authorized users; (b) Workers and job candidates of Customer; (c) End-Clients and their authorized representatives; (d) Customer billing and administrative contacts; (e) website visitors and prospects (limited).

Sensitive / Special Categories: Government identifiers (SSN, SIN, driver's license) — passthrough only; precise geolocation (when Customer enables geo-fencing); financial account numbers — passthrough only. Jombone does NOT process biometric identifiers, biometric information, or PHI by default (see Sections 4.4 and 4.5 of the Main MSA).

Recipients: Jombone personnel with role-based need to know; Subprocessors listed at www.jombone.com/subprocessors; Customer and Customer's authorized End-Clients (within the Customer's Tenant scope); third parties to whom disclosure is required by Applicable Law, court order, or lawful regulatory process.

Processing Locations: Primary: United States (AWS US regions). Secondary/backup: as set out in the Subprocessor list. Canadian Customer Data: processed in Canada and/or the United States.

— End of Exhibit A —

EXHIBIT B — SERVICE LEVEL AGREEMENT (SLA)

B1. Uptime Commitment

Jombone will use commercially reasonable efforts to ensure the Platform achieves 99.5% monthly uptime, calculated as: Uptime % = (Total Minutes in Calendar Month − Unplanned Downtime) ÷ Total Minutes in Calendar Month × 100.

B2. Exclusions from Uptime Calculation

• (a) Scheduled Maintenance: notified at least 24 hours in advance; not to exceed 4 hours per month in aggregate; targeted to off-peak hours (default Sunday 02:00-06:00 in the Customer's local time zone);

• (b) Emergency Maintenance: critical security patches; as much advance notice as practicable (minimum 2 hours except zero-day vulnerabilities); not to exceed 4 hours per occurrence;

• (c) Force Majeure: events covered by Section 13.2 of the Main MSA;

• (d) Customer-Caused: downtime caused by Customer misuse, AUP breach, Customer connectivity or infrastructure issues, failure to apply required updates, or unauthorized modifications;

• (e) Non-Payment Suspension: per Section 3.11 of the Main MSA;

• (f) Limited Third-Party Disruptions: outages caused by infrastructure or platform providers (e.g., AWS) where (i) the provider's published SLA is comparable to or better than this SLA, (ii) Jombone has promptly notified Customer and provided updates, (iii) Jombone has used reasonable mitigation efforts, and (iv) Jombone has passed through any provider service credits to Customer. Outages within Jombone's application layer, API, database, authentication, or configuration are NOT excluded.

B3. Support Channels and Hours

Channels: email ([email protected]); in-product ticketing; in-app chat (subscription tier permitting); phone (number provided at onboarding).

Standard Hours: Monday through Friday, 8:00 AM to 8:00 PM Eastern Time, excluding US federal holidays (or, for Canadian Customers, equivalent hours in the Customer's local time zone, excluding statutory holidays of the applicable province).

Severity 1 Emergency: All Customers have access to the Severity 1 hotline and [email protected] 24/7. Off-hours initial response within 2 hours.

Premium Support: Available for an additional fee per Section 18.2 of the Main MSA, providing extended hours, faster response, and dedicated customer-success support. Premium Support deliverables are agreed in the Order Form.

B4. Severity Levels and Response Times

• Severity 1 (Critical) — complete platform outage, major functionality unavailable, multiple users affected. Examples: platform fully down, database failure, login completely blocked. Initial response: within 2 hours of receipt, 24/7.

• Severity 2 (High) — major feature down, significant business impact, workaround may exist. Examples: integration failure, key report broken, critical workflow blocked. Initial response: within 4 business hours.

• Severity 3 (Medium) — partial loss of non-critical function, limited users affected. Examples: UI bug, minor sync delay, isolated access issue. Initial response: within 1 business day.

• Severity 4 (Low) — minor cosmetic issue, question, or enhancement request. Initial response: within 2 business days.

Initial response means acknowledgment of the ticket and assignment to a support engineer; it does not guarantee resolution within the response window.

B5. Service Credits

If the Platform's measured uptime in a calendar month falls below 99.5%, Customer may request the following service credits, calculated as a percentage of the monthly subscription fee for the affected month:

• Uptime ≥99.0% and <99.5%: 10% credit;

• Uptime ≥95.0% and <99.0%: 25% credit;

• Uptime <95.0%: 50% credit.

Request Procedure. Customer must request credits in writing to [email protected] within thirty (30) days of the end of the affected calendar month, providing dates and times of incidents, affected users and functions, and ticket numbers. Credits will be applied to the next regular invoice. Service credits are Customer's SOLE and EXCLUSIVE financial remedy for any failure to meet the uptime commitment in this SLA. Service credits in any twelve (12)-month period are capped at one hundred percent (100%) of the subscription fees for that twelve-month period.

B6. Customer Responsibilities

Customer agrees to: (a) provide prompt notice of incidents via the channels in Section B3; (b) designate a primary support contact in the Order Form; (c) cooperate with Jombone in resolving issues; (d) maintain adequate internet connectivity and supported system environments for Authorized Users; and (e) follow Jombone's recommendations regarding browser versions, mobile-device operating-system versions, and similar environmental matters.

B7. SLA Modifications

Jombone may modify this SLA with thirty (30) days' written notice. Material reductions in service levels during an active Subscription Term will not take effect without Customer's consent.

— End of Exhibit B —

EXHIBIT C — SECURITY AND ARCHITECTURE

This Exhibit C describes the security and architecture framework Jombone uses to operate the Platform. Specific implementation details, control evidence, and time-bound metrics are addressed in Jombone's SOC 2 Type II report (available under NDA upon completion in Q2 2026) and in responses to Customer security questionnaires.

C1. Information Security Program

C1.1 Organizational Controls

• Written security policies covering access control, data classification, incident response, change management, encryption, password management, and acceptable use, reviewed at least annually;

• Designated information security leadership reporting to senior management;

• Pre-hire screening (including criminal background checks where permitted by law) for personnel with access to Customer Data;

• Confidentiality and acceptable-use agreements with all personnel;

• Annual security awareness training for all personnel covering phishing, password hygiene, social engineering, data handling, incident reporting, and privacy laws (GDPR, CCPA/CPRA, PIPEDA).

C1.2 Physical and Environmental Security

Jombone's production infrastructure is hosted with Amazon Web Services (AWS) in U.S. regions. AWS provides physical security controls including 24/7 security staff, video surveillance, biometric and key-card access, fire suppression, climate and power controls, and visitor logging, and maintains SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certifications. The AWS Shared Responsibility Model applies: AWS is responsible for security "of" the cloud (physical and infrastructure); Jombone is responsible for security "in" the cloud (application, data, and configuration).

C1.3 Network and System Security

• Firewalls, network segmentation, intrusion detection and prevention systems (IDS/IPS), and web application firewall (WAF);

• DDoS protection;

• Continuous automated vulnerability scanning of production infrastructure;

• Role-based access control (RBAC) with least-privilege principle;

• Multi-factor authentication (MFA) for all administrative and privileged access;

• Unique user identifiers (no shared credentials);

• Annual access reviews and access removal on role change or termination;

• Secure bastion hosts or equivalent for administrative access to production systems.

C1.4 Cryptography

Customer Data in transit is protected with TLS 1.2 or higher using strong cipher suites. Customer Data at rest is encrypted using AES-256 (AWS-managed) with automated key rotation through AWS Key Management Service. Passwords are stored using a salted cryptographic hash function (bcrypt or equivalent); plaintext passwords are never stored.

C1.5 Change Management

Changes to production are subject to documented change-management procedures, including peer code review, automated and manual testing (development / staging / production environments), senior approval for production deployment, and documented rollback procedures.

C1.6 Logging and Monitoring

Production application, database, and access events are logged with timestamps, user identifiers, and action details. Logs are monitored 24/7 with automated alerting for security-relevant events. Logs are retained consistent with industry practice for the purposes of investigation, audit, and compliance.

C1.7 Vulnerability and Patch Management

Jombone employs a severity-based, CVSS-prioritized vulnerability and patch management program covering operating systems, infrastructure components, application code, and third-party libraries. Critical vulnerabilities are remediated with the highest priority; remediation timelines are calibrated to the severity of the vulnerability and consistent with industry standards. Independent third-party penetration testing of external-facing applications, APIs, authentication and authorization mechanisms, network and cloud infrastructure, and mobile applications is conducted on a regular cadence consistent with industry practice.

C1.8 Endpoint Security

Personnel endpoints used to access Customer Data are protected by enterprise anti-malware, full-disk encryption, automatic screen-lock, and endpoint detection and response (EDR) tooling, with central monitoring.

C1.9 Incident Response

Jombone maintains a formal incident-response plan covering identification, containment, eradication, recovery, and post-incident review. The plan is exercised periodically. Customer notifications for confirmed Security Incidents follow the timelines in DPA Section A5.3.

C2. Compliance and Attestations

Jombone is undergoing a third-party SOC 2 Type II audit (Security, Availability, Confidentiality), with the report anticipated to be available in Q2 2026. Upon completion, the report will be available to Customer under a customary mutual non-disclosure agreement upon written request. Jombone's controls are aligned with ISO/IEC 27001 control categories. Jombone's data-protection compliance posture is supported by ongoing controls monitoring.

C3. Business Continuity and Disaster Recovery

Jombone maintains a business-continuity and disaster-recovery framework appropriate to a cloud-native SaaS platform. The framework relies on AWS's multi-availability-zone architecture for primary resilience, with automated failover for in-region disruptions, and cross-region backup snapshots for catastrophic regional events. Recovery objectives are calibrated to the scenario (application failure, single-AZ failure, regional disaster) and reviewed periodically. Backups are encrypted and tested. The plan is exercised through tabletop and technical restoration exercises consistent with industry practice.

C4. Data Architecture

C4.1 Multi-Tenant Architecture. The Platform is a cloud-native, multi-tenant SaaS application. Customer data is logically segregated using unique tenant identifiers and strict access controls; cross-tenant data access is prevented at the application and database layers.

C4.2 Worker Multi-Tenancy. Workers operating in multiple Customer networks see only the data of the network in which they are currently operating; cross-Customer data access by Workers is prevented.

C4.3 Data Residency. Production data is hosted in AWS U.S. regions. Specific data-residency configurations may be available for regulated Customers under separately negotiated arrangements.

C5. Subprocessor and Vendor Management

Jombone performs security and privacy due diligence on Subprocessors prior to engagement, including review of the Subprocessor's security practices, certifications, data-handling commitments, and contractual obligations. Subprocessor contracts impose data-protection obligations comparable to those in this Agreement and the DPA. The current list of Subprocessors is maintained at www.jombone.com/subprocessors.

C6. Customer Responsibilities

• Customer is responsible for managing Authorized User accounts, roles, and permissions within Customer's Tenant, and for deactivating users who no longer require access;

• Customer is responsible for classifying its own data and applying appropriate Platform configurations;

• Customer is responsible for promptly reporting suspected security incidents to [email protected];

• Customer's Authorized Users are responsible for maintaining the confidentiality of their account credentials;

• Customer is responsible for using up-to-date browsers, mobile operating systems, and other client-side environments supported by Jombone.

C7. Customer Audit and Assessment Rights

Customer's right to assess Jombone's security posture is set out in DPA Section A8: provision of the SOC 2 Type II report under NDA (once available), responses to industry-standard security questionnaires, and reasonable written follow-up. On-site inspections and third-party penetration testing of Jombone's production environment are not permitted under this Agreement.

— End of Exhibit C —

EXHIBIT D — ACCEPTABLE USE POLICY (AUP)

This AUP applies to Customer, Customer's Authorized Users, and any individuals (including Workers, candidates, End-Clients, and their personnel) accessing the Platform through Customer's Tenant. AUP violations constitute material breach of the Agreement and entitle Jombone to suspend access under Section 12.5 and seek all available remedies.

D1. Prohibited Uses — Law Violations

• Employment and Labor: wage and hour violations; worker misclassification; anti-discrimination violations under Title VII, ADA, ADEA, GINA, or analogous law; OSHA violations; I-9 / employment-eligibility violations; provincial human-rights or labor-standards violations;

• Data Protection: violations of GDPR (where it applies to Customer), CCPA/CPRA, CDPA, CPA, CTDPA, TDPSA, UCPA, OCPA, MTCDPA, PIPEDA, PIPA Alberta, PIPA BC, BIPA, CUBI, or analogous law;

• Intellectual Property: copyright, trademark, patent, or trade-secret infringement or misappropriation;

• Anti-Spam: violations of CASL, CAN-SPAM, TCPA, or analogous law;

• Anti-Corruption: violations of the U.S. Foreign Corrupt Practices Act, the Canadian Corruption of Foreign Public Officials Act, or analogous law;

• Export and Sanctions: violations of U.S. or applicable international export-control or sanctions law.

D2. Prohibited Uses — Harmful or Fraudulent Activity

• Fraudulent, false, misleading, or deceptive material;

• Phishing, identity theft, money laundering, or financial crime;

• Harassment, abuse, threats, stalking, or harm to any individual;

• Impersonation or misrepresentation of affiliation;

• Time theft, buddy-punching, or other fraudulent time-and-attendance activity;

• Misrepresentation of Worker qualifications, credentials, or work-eligibility status.

D3. Prohibited Uses — System Integrity

• Unauthorized access attempts (hacking, credential cracking, port scanning);

• Interference or disruption (denial of service, excessive traffic intended to degrade Platform availability);

• Competitive use — using the Platform to develop, test, or deploy a competing product, or to benchmark the Platform for purposes of competition, without Jombone's prior written consent;

• Reverse engineering — decompiling, disassembling, or attempting to derive source code, algorithms, models, training data, weights, or architectures from the Platform, except as Applicable Law expressly permits notwithstanding contractual prohibition;

• Circumvention of security features, access controls, usage limits, Seat licensing, or other protective measures.

D4. Prohibited Content

• Viruses, worms, Trojans, ransomware, spyware, or other malicious code;

• Unlawful, libelous, defamatory, obscene, pornographic, indecent, harassing, threatening, invasive, abusive, inflammatory, or otherwise objectionable content;

• Unsolicited advertising, spam, junk mail, or chain letters (except as Platform features authorize and Applicable Law permits).

D5. AI and Machine Learning Restrictions

D5.1 Prohibition on Training Competing Models. Customer shall not use the Platform, AI features, Platform outputs, or Customer Data to train, fine-tune, evaluate, or improve any artificial intelligence or machine-learning model that (i) competes with the Platform or its features, (ii) replicates Platform functionality, or (iii) is commercialized or provided to third parties as a competing product. Internal analytics and decision-support uses of Customer Data are permitted provided they do not fall within (i) through (iii).

D5.2 No Automated Scraping. Customer shall not use bots, scrapers, robotic process automation, or other automated tools to extract data from the Platform beyond normal user-interface or documented-API use.

D5.3 No Reverse Engineering of AI Features. Customer shall not attempt to extract, infer, or reconstruct Jombone's or its third-party AI service providers' models, algorithms, training data, architectures, or weights through the Platform, the AI features, or otherwise.

D5.4 Automated Employment Decisions and AEDT Compliance. Customer shall not use AI features to make fully automated hiring, firing, promotion, evaluation, or compensation decisions without meaningful human review where doing so would (i) violate employment, anti-discrimination, or AEDT laws (including NYC Local Law 144, Colorado AI Act, Illinois Artificial Intelligence Video Interview Act, EU AI Act where applicable, and analogous law); (ii) produce discriminatory outcomes on the basis of race, color, religion, sex, national origin, age, disability, genetic information, sexual orientation, gender identity, or other protected characteristic; or (iii) lack required transparency, explainability, candidate notice, or accommodation. Customer is solely responsible for: (a) determining whether Customer's use of AI features constitutes deployment of an AEDT; (b) conducting any required bias audits or impact assessments (including DPIAs and NYC LL 144 audits); (c) providing required candidate and Worker notices; (d) implementing required human-in-the-loop review; and (e) maintaining all required records.

D5.5 Bias Testing — Safe Harbor and Pre-Disclosure Window. Customer may test the AI features internally for bias, fairness, or compliance, and may share results internally and with Customer's lawyers and auditors under confidentiality. If Customer identifies a material bias or compliance issue with an AI feature, Customer shall promptly notify Jombone at [email protected] and provide Jombone with the supporting analysis. Customer shall not publicly disclose, publish, or distribute bias or fairness findings about the AI features for ninety (90) days following Customer's notice to Jombone, except where shorter disclosure is required by Applicable Law, court order, or regulatory request. Within such 90-day period, Jombone shall use commercially reasonable efforts to investigate and, where appropriate, remediate. This Section D5.5 does not restrict Customer's right or obligation to make disclosures required by Applicable Law.

D6. Customer Responsibilities

• Customer is solely responsible for Customer's, its Authorized Users', Workers', and End-Clients' compliance with this AUP and Applicable Law;

• Customer shall monitor use of its Tenant and shall promptly report known or suspected violations to [email protected] or [email protected] (as appropriate);

• Customer shall reasonably cooperate with Jombone in investigating and resolving suspected violations, including by providing relevant information, logs, and access to personnel.

D7. Enforcement

D7.1 Breach. Violation of this AUP constitutes a material breach of the Agreement.

D7.2 Suspension. Jombone may investigate suspected violations. If Jombone determines, in its reasonable judgment, that a violation has occurred or is occurring, Jombone may immediately suspend (in whole or in part) access to the Platform upon notice, without liability, until the violation is cured to Jombone's satisfaction.

D7.3 Termination. Repeated, severe, or uncured violations entitle Jombone to terminate the Agreement under Section 12.2.

D7.4 Remedies. Jombone's remedies under this AUP are in addition to all other legal and equitable remedies available to Jombone, including injunctive relief and damages.

D8. Revisions

Jombone may modify this AUP from time to time. Modifications take effect thirty (30) days after notice by email or by posting at jombone.com/terms-of-use. Continued use of the Platform after the effective date constitutes acceptance.

— End of Exhibit D —

EXHIBIT E — REGIONAL PROVISIONS

This Exhibit E sets out provisions that apply specifically to Customers in certain jurisdictions. Where this Exhibit conflicts with the body of the Agreement, this Exhibit prevails for Customers in the applicable jurisdiction.

E1. United States Customers

E1.1 Governing Law. As specified in Section 13.1(a) of the Main MSA, this Agreement is governed by Texas law for US Customers. The parties consent to personal jurisdiction in Dallas County, Texas.

E1.2 Federal and State Privacy Laws. The parties' obligations under the CCPA/CPRA, Texas TDPSA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Oregon OCPA, Montana MTCDPA, and other US state privacy laws are set out in the DPA. Customer shall notify Jombone in writing if it is a covered business under any such law that imposes processor-specific or service-provider–specific contractual requirements; Jombone will work in good faith to execute any required data-processing addenda.

E1.3 Electronic Signatures. Electronic signatures are governed by the ESIGN Act and applicable state UETA as specified in Section 13.9.

E1.4 State-Specific Auto-Renewal Notice. This subscription will automatically renew at the end of each term unless Customer provides written notice of non-renewal at least thirty (30) days before expiration. This is a B2B commercial agreement; consumer auto-renewal statutes do not apply.

E1.5 OFAC and Sanctions Compliance. Customer represents that it is not on any U.S. government restricted-party list (including OFAC's Specially Designated Nationals List) and will not use the Platform in violation of U.S. export-control or sanctions law.

E1.6 BIPA, CUBI, and State Biometric Laws. Without limiting Section 4.4 of the Main MSA, Customer is solely responsible for (a) determining whether Customer's use of any third-party time-and-attendance, identity-verification, or biometric service in connection with the Platform constitutes the collection of biometric identifiers under BIPA, CUBI, the Washington biometric identifier law, or analogous law; (b) obtaining all required consents from Workers and candidates; and (c) providing all required notices and policies.

E1.7 AEDT Notice Obligations. Without limiting Section 4.6 of the Main MSA and Exhibit D Section D5, Customer is solely responsible for AEDT bias audits, candidate notices, and accommodations required by Applicable Law in the jurisdictions in which Customer operates, including the cities and states in which Customer's candidates reside or apply.

E2. Canadian Customers (excluding Quebec)

E2.1 Governing Law. As specified in Section 13.1(b) of the Main MSA, this Agreement is governed by Ontario law and federal Canadian law for Canadian Customers. Disputes are resolved by binding ADRIC arbitration in Toronto, Ontario.

E2.2 PIPEDA and Federal Privacy Law. Jombone will comply with PIPEDA with respect to Customer Data processed on behalf of Canadian Customers. Jombone designates a Privacy Officer ([email protected]). Canadian Customers may direct privacy inquiries and access/correction requests to the Privacy Officer. Jombone will respond to verified privacy requests within thirty (30) days.

E2.3 Quebec Exclusion. Jombone does not offer the Platform to Customers in the Province of Quebec. Quebec Law 25 obligations therefore do not apply. Any Customer that represents itself as outside Quebec and is later found to be organized or primarily operating in Quebec is in material breach of Section 2.5 of the Main MSA, and Jombone may terminate the Agreement with immediate effect and accelerate fees under Section 3.15.

E2.4 CASL Compliance. Jombone complies with CASL for any Commercial Electronic Message Jombone sends to Canadian Customers' personnel, including obtaining required consent, identifying Jombone as the sender, providing a functioning unsubscribe mechanism active for at least sixty (60) days, and honoring unsubscribes within ten (10) business days. Customer is responsible for CASL compliance for CEMs Customer sends using the Platform's communication features.

E2.5 Alberta and BC Privacy. Customers in Alberta and British Columbia are subject to PIPA Alberta and PIPA BC, respectively. Jombone will comply with the applicable provincial PIPA in lieu of PIPEDA where required.

E2.6 Currency and Taxation. Where the Order Form specifies pricing in Canadian Dollars (CAD), all payment obligations are in CAD. Jombone is registered for GST/HST purposes in Canada. Applicable GST or HST will be included on Customer invoices as required by the Excise Tax Act.

E2.7 Accessibility. Jombone uses commercially reasonable efforts to comply with the Accessibility for Ontarians with Disabilities Act (AODA) for Platform features available to Ontario Customers.

E2.8 Software Installation Consent (CASL). Customer acknowledges that installation or use of the Platform's desktop or mobile software components constitutes express consent under Section 8 of CASL. Customer shall obtain appropriate consent from its users prior to deploying the Platform to their devices.

— End of Exhibit E —

EXHIBIT F — WORKER AND CANDIDATE PLATFORM TERMS

This Exhibit F governs the relationship between Jombone and individual Workers and candidates (collectively, "Workers") who access the Platform through the candidate mobile application, the candidate web portal, the time-clock application, or any other Worker-facing interface (the "Worker Interfaces"). By creating an account, completing a job application, or otherwise accessing any Worker Interface, each Worker accepts these Worker Platform Terms.

F1. Relationship Among Worker, Staffing Agency, and Jombone

The Platform is provided by Jombone to staffing agencies (each, a "Staffing Agency" or "Customer"). Workers use the Worker Interfaces by invitation of one or more Staffing Agencies. The relationship between a Worker and any Staffing Agency — including employment, contractor engagement, scheduling, pay, and dispute resolution — is governed solely by the agreements between the Worker and the Staffing Agency, and is NOT governed by these Worker Platform Terms or by Jombone.

Jombone is NOT the Worker's employer, co-employer, joint employer, employer-of-record, or paymaster. Jombone does not pay Workers, does not withhold taxes from Worker wages, and does not handle Worker funds. All wages, taxes, and other payments are made by the Staffing Agency (or its third-party payroll provider) to the Worker.

F2. Multi-Network Use

The Platform is multi-tenant. A Worker may be invited into and operate within the networks of multiple Staffing Agencies through the same mobile application or portal. The Worker's data, shifts, timesheets, communications, and related information are segregated by Staffing Agency network: the Worker sees only the data associated with the Staffing Agency network in which the Worker is currently operating. One Staffing Agency cannot access the data of another Staffing Agency through the Platform, even where the Staffing Agencies share a common Worker. Worker actions are attributed to the Staffing Agency network in which the action was taken.

F3. Worker Accounts and Acceptable Use

F3.1 Account Integrity. Worker shall: (a) provide accurate information when creating an account; (b) maintain the confidentiality of login credentials; (c) promptly update account information; and (d) not share credentials with any other person.

F3.2 Acceptable Use. Worker shall not: (a) use the Worker Interfaces for any unlawful purpose; (b) transmit infringing, harassing, defamatory, or unlawful content or malicious code; (c) attempt to access another Worker's, another Staffing Agency's, or any unauthorized portion of the Platform; (d) misrepresent identity, qualifications, credentials, or work eligibility; or (e) engage in time theft, buddy-punching, or other fraudulent activity in connection with shifts.

F3.3 Suspension. Jombone may suspend or terminate a Worker's account, with or without notice, for breach of these Worker Platform Terms, breach of Applicable Law, or where the Worker's continued access poses a risk to the Platform, to Jombone, to a Staffing Agency, to other Workers, or to any End-Client.

F4. Time-Clock Photo Capture — Important Notice

Where a Staffing Agency has enabled the time-clock module, the Platform captures a photograph of the Worker at clock-in and clock-out. By using the time-clock application, the Worker acknowledges and consents to the following:

• Purpose. The photograph is captured solely for supervisor visual verification — to enable a human supervisor at the Staffing Agency to verify visually that the Worker clocking in or out is the assigned Worker.

• NOT Biometric. The Platform does NOT collect, derive, compute, store, compare, or otherwise process any biometric identifier or biometric information from the photograph. The Platform does NOT derive any scan of facial geometry, facial template, facial vector, facial embedding, or other mathematical representation of facial features, and does NOT perform algorithmic facial identification of the Worker.

• Storage. The photograph is stored as a standard image file and is available to authorized supervisors at the Staffing Agency for visual review during the period in which the Worker is providing services to the Staffing Agency through the Platform.

• No Algorithmic Decisions. The photograph is NOT used to make any automated decision about the Worker — including no decision about pay, scheduling, hiring, discipline, or termination.

• Withdrawal. The Worker may withdraw consent to time-clock photo capture by notifying the Staffing Agency. Withdrawal may, at the Staffing Agency's discretion, affect the Worker's ability to be paid for shifts where time capture cannot otherwise be verified.

F5. Location Data and Geo-Fencing

Where a Staffing Agency has enabled mobile time-clock or geo-fenced shift management, the Worker's mobile device may share location data with the Platform at clock-in, clock-out, and during shifts (where so configured). The Worker controls location-sharing through the device operating system. Disabling location may prevent the Worker from clocking in or out using the mobile application; in such case, the Worker should use an alternative time-capture method made available by the Staffing Agency.

F6. Communications

The Worker may receive operational communications through the Platform (push notifications, SMS, email) regarding shift offers, schedule changes, timesheet approvals, payroll-related notices issued by the Staffing Agency, document-signing requests, and similar matters. The Worker may control notification preferences within the Platform settings, subject to limitations where notifications are necessary to the Worker's engagement.

F7. Worker Data and Privacy

Personal information collected through the Worker Interfaces is processed in accordance with Jombone's Privacy Policy at jombone.com/privacy-policy and the DPA. The Staffing Agency is the controller; Jombone processes data on the Staffing Agency's behalf. Banking and tax-identification data collected through the Worker Interfaces is captured solely as a passthrough to the Staffing Agency or to the Staffing Agency's third-party payroll provider. Jombone does not initiate, settle, or otherwise effect payments to Workers.

F8. No Worker Payment to Jombone

Workers do not pay Jombone for the Worker Interfaces; the Worker Interfaces are made available to Workers as part of the Staffing Agency's subscription.

F9. Disputes with Staffing Agency

Any dispute between the Worker and a Staffing Agency — including disputes about wages, hours, working conditions, shift assignments, timesheets, scheduling, discipline, termination, classification, or other employment-related matters — is between the Worker and the Staffing Agency and is not the responsibility of Jombone. The Worker shall direct all such disputes to the relevant Staffing Agency.

F10. Limitation of Liability

Jombone's total cumulative liability to any Worker in connection with the Worker Interfaces shall not exceed one hundred U.S. dollars (US $100) (or its CAD equivalent), in the aggregate, except where such limitation is prohibited by Applicable Law. Jombone is not liable for any indirect, incidental, special, consequential, exemplary, or punitive damages.

F11. Age Restriction

The Platform is not intended for individuals under the age of eighteen (18). Workers must be at least 18 years old. By accepting these Worker Platform Terms, the Worker represents that the Worker is at least 18.

F12. Dispute Resolution — Arbitration with Opt-Out

F12.1 Informal Resolution. The Worker should first contact [email protected] to attempt informal resolution of any dispute with Jombone.

F12.2 BINDING ARBITRATION. DISPUTES BETWEEN THE WORKER AND JOMBONE SHALL BE RESOLVED THROUGH BINDING INDIVIDUAL ARBITRATION ADMINISTERED BY THE AMERICAN ARBITRATION ASSOCIATION UNDER ITS CONSUMER ARBITRATION RULES. ARBITRATION SHALL BE CONDUCTED IN DALLAS COUNTY, TEXAS, OR, IF APPLICABLE LAW REQUIRES, IN THE COUNTY OF THE WORKER'S RESIDENCE. THE WORKER WAIVES THE RIGHT TO A JURY TRIAL AND WAIVES THE RIGHT TO PARTICIPATE IN ANY CLASS ACTION, COLLECTIVE ACTION, OR CLASS ARBITRATION.

F12.3 Exceptions. Either party may seek injunctive or equitable relief in court for intellectual-property violations or unauthorized access to the Platform.

F12.4 Arbitration Opt-Out. The Worker may opt out of Section F12.2 (binding arbitration and class-action waiver) by sending written notice to [email protected] within thirty (30) days of the Worker's first acceptance of these Worker Platform Terms. The notice must include the Worker's full name, mailing address, the email address associated with the Worker's account, and a clear statement that the Worker is opting out of arbitration. Opting out does not affect any other provision of these Worker Platform Terms. The Worker's failure to send a timely opt-out notice constitutes the Worker's agreement to be bound by Section F12.2.

This arbitration clause is intended to apply to claims arising between the Worker and Jombone only. Claims arising between the Worker and a Staffing Agency remain governed by the Worker's agreements with the Staffing Agency and by Applicable Law, and are not subject to this arbitration clause.

F13. Modification and Termination

Jombone may modify these Worker Platform Terms from time to time. Continued use after notice of modification (in-app, by email, or by posting at jombone.com/terms-of-use) constitutes acceptance. The Worker may terminate use at any time by deactivating the Worker's account.

F14. Governing Law

These Worker Platform Terms are governed by the same law as the Agreement under Section 13.1.

— End of Exhibit F —

EXHIBIT G — END-CLIENT ACCESS TERMS

This Exhibit G governs the access to and use of the Platform by End-Clients. End-Clients are NOT parties to the Agreement and have no direct contractual relationship with Jombone; End-Client access is provided as part of Customer's commercial service to its End-Clients.

G1. Definitions

"End-Client" means a customer or client of Customer (typically a worksite employer) that has been invited by Customer to access the Platform through an end-client login created and managed by Customer.

"End-Client Account" means a user account on the Platform created by Customer for an End-Client, used by the End-Client to view and approve timesheets, view shift schedules, view invoices, view reports, and similar collaborative functions.

G2. Customer Responsibility for End-Client Access

End-Client access is provided as part of Customer's commercial service to its End-Clients. Customer is solely responsible for:

• Creating, configuring, suspending, and deactivating End-Client Accounts;

• Determining what data and Platform features are accessible to each End-Client;

• Resetting End-Client passwords and managing End-Client credentials;

• Notifying End-Clients that their access is provided through Customer's subscription and is governed by these End-Client Access Terms (available at jombone.com/terms-of-use);

• Ensuring End-Client compliance with the Acceptable Use restrictions in Section G5; and

• Any claim by an End-Client arising from access to or use of the Platform.

G3. End-Client Acceptance

By accessing the Platform through an End-Client Account, each End-Client is deemed to accept these End-Client Access Terms. Customer shall ensure that End-Clients are made aware of these Terms (available at jombone.com/terms-of-use) prior to or at the time of first login.

G4. Data Ownership

All data accessible to an End-Client through the Platform is the Customer Data of Customer (the Staffing Agency that invited the End-Client). The End-Client does not own and has no rights in any data accessible through its End-Client Account beyond the rights granted by Customer. Customer is the data controller and determines what End-Clients may view, edit, or export. Where the End-Client submits data into the Platform (timesheet approvals, comments, shift requests, End-Client contact information), such data becomes Customer Data subject to the Agreement.

G5. Acceptable Use by End-Clients

End-Clients shall comply with the AUP at Exhibit D. Without limiting the AUP, End-Clients shall not: (a) use the Platform for any unlawful purpose; (b) attempt to access any portion of the Platform not authorized by Customer; (c) share End-Client Account credentials with unauthorized persons; (d) compete with Jombone or benchmark the Platform without consent; (e) upload malicious code, infringing content, or unlawful material; or (f) use the Platform to harass, discriminate against, or unlawfully retaliate against any Worker.

G6. No Direct Relationship with Jombone

Jombone does not contract directly with End-Clients in connection with End-Client access. End-Clients are not Customers of Jombone, do not pay Jombone, and have no right to demand any service, support, or remedy from Jombone. All disputes, service requests, and operational matters relating to the End-Client's use of the Platform are between the End-Client and Customer.

G7. Limitation of Liability

Jombone's total cumulative liability to any End-Client, arising out of or relating to the End-Client's access to or use of the Platform, shall not exceed seventy-five U.S. dollars (US $75) (or its CAD equivalent), in the aggregate, except where prohibited by Applicable Law. Jombone is not liable for any indirect, incidental, special, consequential, exemplary, or punitive damages.

G8. Suspension

Jombone may suspend an End-Client's access to the Platform, with notice to Customer where reasonably practicable, where Jombone reasonably believes the End-Client is in breach of these End-Client Access Terms or where the End-Client's continued access poses a risk.

G9. Modification and Termination

Jombone may modify these End-Client Access Terms from time to time by posting at jombone.com/terms-of-use. End-Client access terminates automatically upon termination or expiration of Customer's Subscription Term, or upon Customer's deactivation of the End-Client Account.

G10. Governing Law

These End-Client Access Terms are governed by the same law as the Agreement under Section 13.1.

— End of Exhibit G —

© 2026 Jombone Inc. All rights reserved.

↑ Back to top