Data Privacy Framework Policy

Verita Global, LLC (together with its affiliates, KCC Class Action Services, LLC, Kurtzman Carson Consultants, LLC, and Gilardi & Co., LLC, “Verita”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Verita has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

Verita has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view Verita’s certification, please visit Data Privacy Framework website.

This Data Privacy Framework Policy (the “DPF Policy”) supplements the Verita Privacy Policy (the “Privacy Policy”) and describes the categories of personal data Verita collects; the purposes for which Verita collects and uses personal data; how Verita adheres to the DPF principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability; and how individuals can contact Verita and exercise their rights with respect to their personal data.

Personal Data Verita Collects

Verita collects personal data to enable it to provide services to its clients. Personal data is information that is about or that can help identify individuals (“Personal Data”). Individuals may be asked to provide Personal Data such as name, address, phone number, date of birth, employee identification number, geolocation data, e-mail address, and bank account details. Verita may also collect IP addresses.

Purposes of Collecting and Using Personal Data

Verita processes Personal Data pursuant to service agreements in place with its clients who have retained Verita to provide a variety of services on their behalf, including but not limited to, class action administrations, corporate restructurings, and other litigation matters. The Personal Data that individuals or Verita’s clients provide to Verita is used to perform the various services that are described in each service agreement.

Verita also processes Personal Data for the purposes of recruitment, employment, and marketing, or for other purposes, which will be disclosed at the time of data collection.

Adherence to DPF Principles

As described in more detail below, Verita adheres to the DPF Principles of Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement, and Liability.

Notice

This DPF Policy and the Privacy Policy describe the types of Personal Data Verita collects, the uses and disclosures of Personal Data and associated purposes, the third parties to which Verita discloses the Personal Data, the rights and choices individuals have with respect to their Personal Data for limiting the use and disclosure of their Personal Data, and how to contact Verita.

Verita may also provide other notices that apply to specific data processing activities.

Choice

Verita offers individuals the opportunity to choose whether their Personal Data may be (i) disclosed to third parties (other than as set out below) or (ii) used for a purpose that is materially different from the purposes for which the information was originally collected or subsequently authorized by the individual. Individuals may contact Verita as indicated below regarding the use or disclosure of their Personal Data. Unless Verita offers individuals a choice, the company uses Personal Data only for purposes that are materially the same as those indicated in this DPF Policy and the Privacy Policy.

Verita may disclose Personal Data without offering an opportunity to opt out, and may be required to disclose the Personal Data, (i) to third party processors that perform services on Verita’s behalf and pursuant to Verita’s instructions, (ii) if Verita is required to do so by law or legal process, or (iii) in response to lawful requests from governmental authorities. Verita may transfer Personal Data in the event Verita sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).

Accountability for Onward Transfer of Personal Data

Verita may transfer Personal Data to Verita-affiliated companies and with other service providers as necessary. All such parties will be obligated to maintain the confidentiality and security of Personal Data and, except as may be required by law or governmental regulation, will be prohibited from further disclosing the information except in furtherance of the purposes for which it was disclosed, in which case such further disclosure will be subject to the same confidentiality and security obligations. Verita will not disclose Personal Data to anyone outside these parties or sell to any parties for unsolicited marketing purposes.

In the event Verita transfers Personal Data covered by this DPF Policy to a third party acting as a controller, it will do so consistent with any notice provided to individuals and any consent they have given (where applicable), and only if the third party has contractually agreed to (i) only process the Personal Data for limited and specified purposes consistent with the consent provide by the relevant individual, (ii) provide at least the same level of protection for Personal Data as is required by the DPF Principles, and (iii) notify Verita and cease processing of Personal Data (or take other reasonable and appropriate remedial steps) if the third party acting as a controller determines that it cannot meet its obligations to provide the same level of protection for Personal Data as is required by the DPF Principles.

With respect to transfers of Personal Data to third parties acting as processors, Verita (i) transfers Personal Data to each such processor only for limited and specified purposes, (ii) ascertains that the processor is obligated to provide the Personal Data with at least the same level of privacy protection as is required by the DPF Principles, (iii) takes reasonable and appropriate steps to ensure that the processor effectively processes the Personal Data in a manner consistent with Verita’s obligations under the DPF Principles, (iv) requires the processor to notify Verita if the processor determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, (v) upon notice, takes reasonable and appropriate steps to stop and remediate unauthorized processing of the Personal Data by the processor, and (vi) provides a summary or representative copy of the relevant privacy provisions of the Processor contract to the Department of Commerce, upon request.

Verita remains liable under the DPF Principles if the company’s third-party processor onward transfer recipients process relevant Personal Data in a manner inconsistent with the DPF Principles, unless Verita proves that it is not responsible for the event giving rise to the damage.

Security

Verita takes reasonable and appropriate measures to protect Personal Data from loss, misuse, and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the Personal Data.

Data Integrity and Purpose Limitation

Verita limits the Personal Data it processes to that which is relevant for the purposes of processing. Verita does not process Personal Data in ways that are incompatible with the purposes for which the information was collected or subsequently authorized by the relevant individual.

Subject to applicable law, Verita retains Personal Data only for as long as it serves a purpose that is compatible with the purposes for which the Personal Data was collected.

Access

Individuals have the right to access their Personal Data and to correct, amend, or delete the information where it is inaccurate or has been processed in violation of the DPF Principles, as appropriate. Individuals may request access to their Personal Data by contacting Verita as indicated below.

Contact Information

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Verita is committed to resolving DPF Principles-related complaints about its collection and use of Personal Data. EU, UK, and Swiss individuals with inquiries or complaints regarding Verita’s handling of personal data received in reliance on EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF contact Verita at:

Verita Privacy Team
Email: privacy@veritaglobal.eu 

Mail:
UK
Verita Global, Ltd.
1 Paternoster Lane
London, EC4M 7BQ
Attention: Privacy Team

EU
Verita Global B.V.
Basisweg 10
1043AP Amsterdam
Attention: Privacy Team

Recourse, Enforcement, and Liability

Individuals are encouraged to raise any complaints regarding the processing of personal data to Verita.

In compliance with EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Verita commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning Verita’s handling of personal data received in reliance EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

Individuals may contact the relevant independent recourse mechanism listed below:

• EU Data Protection Authorities (DPAs)
• Swiss Federal Data Protection and Information Commissioner
• UK Information Commissioner’s Office

Verita will cooperate with the applicable data protection authority in the investigation and resolution of complaints brought under the DPF. Verita will comply with any advice given by the EU DPAs, the FDPIC, or the ICO where the applicable authority takes the view that the organization needs to take specific action to comply with the DPF Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the applicable authority with written confirmation that such action has been taken.

If a dispute or complaint cannot be resolved by Verita nor by the EU DPAs, the Swiss FDPIC, or the UK ICO, a data subject has the right to require that Verita enter into binding arbitration pursuant to the DPF’s Recourse, Enforcement, and Liability Principle and Annex I of the DPF.

Verita confirms that the attestations and assertions Verita makes about its DPF privacy practices are true and that Verita’s privacy practices have been implemented as represented and in accordance with the DPF Principles.

Verita is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Updates to the Data Privacy Framework Policy

Verita reserves the right to update or modify this DPF Policy at any time in its sole discretion, including without limitation, in order to comply with applicable law, and will post the effective date of any updates or modifications.

Effective Date: October 8, 2025