Employee Privacy Policy and Notice

Effective Date: August 2025

NKSFB, LLC (“NKSFB” or the “Company”) is committed to protecting and respecting the privacy of its employees, job applicants, contractors, directors, officers, and owners. Please read this Employee Privacy Policy and Notice (referred to herein as this “Employee Privacy Policy” and this “Policy”) carefully to understand the Company’s views and practices regarding your Personal Information and how the Company will treat it.

All Employees at NKSFB must comply with this Policy. Any Employee who fails to comply with this Policy may be subject to disciplinary action, up to and including dismissal. You should immediately contact Legal if you become aware of a breach or potential breach of this Policy.

The Company is also committed to respecting the data it receives from customers, vendors, website users and other external sources. Company employees should therefore also familiarize themselves with and be aware of the commitments we make in relation to such data. Please see http://www.nksfb.com/privacy-policy/ to see a copy of the current Public Privacy Policy.

1. Definitions

The following definitions apply to this Employee Privacy Policy:

“CONSUMER” means a living individual about whom the Company holds Personal Information.

“EMPLOYEE” OR “COVERED EMPLOYEE” refers to:

current and former employees (including permanent, temporary and part time employees);
job applicants and other Prospective Employees;
owners, directors, officers, or contractors of the Company about whom the Company collects and processes Personal Information;
dependents and beneficiaries of current and former employees, owners, directors, and officers about whom the Company collects and processes Personal Information.

“PERSONAL INFORMATION” means information (whether stored electronically or in paper based filing systems) relating to a living individual who can be identified from that data (or from that data and other information in our possession). Personal Information can be factual (such as a name, address, date of birth, Social Security number or driver’s license number), Sensitive Personal Information as described below, or it can be an opinion (such as a performance appraisal). It can even include a simple e-mail address. The categories of Personal Information as defined by the California Consumer Privacy Act of 2018 (“CCPA”) that pertain to this Policy include:

IDENTIFIERS	Name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers
OTHER DATA¹	Financial information, medical information, health insurance information, signature, physical characteristics or description, telephone number, geolocation
PROTECTED CLASSES	Race, color, sex, age (40 and older), religion, national origin, citizenship status, genetic information, sexual orientation, gender identity or gender expression, ancestry, AIDS/HIV, disability, marital status, familial status, military or veteran status, political affiliations or activities, status as a victim of domestic violence, assault, stalking, or any other classification protected under California or federal law
BIOMETRIC INFORMATION	Fingerprints, retina scans, face prints, DNA
INTERNET ACTIVITY	Browsing history, search history, IP address, website interactions
GEOLOCATION DATA	Data which allows for determining, with reasonable precision, the location of any person or object
SENSORY DATA	Audio, electronic, visual, thermal, olfactory, or similar data
PROFESSIONAL DATA	CV, resume, employment history
EDUCATION DATA	Educational background, grades, scores
INFERENCES	Profiles about a consumer reflecting the individual’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities drawn from other Personal Information

“PROCESSING” or “PROCESSED” is any activity that involves use of the Personal Information. It includes obtaining, recording or holding the Personal Information, or organizing, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Personal Information to third parties.

“PROSPECTIVE EMPLOYEE” is an individual who has been offered a position with the Company, contingent upon the satisfactory completion of certain actions, which can include (where legally permissible) pre-employment drug screens, driving records and criminal background checks.

¹ Personal Information under the CCPA also includes any other category of personal information not included within the CCPA’s definition that are defined in California Civil Code § 1798.80(e). We refer to this category as “Other Data,” and it includes information such as financial information (bank account number, credit card number, debit card number), medical information, health insurance information, and insurance policy number.

“SENSITIVE PERSONAL INFORMATION ” is Personal Information that one or more of the following types of information, including: Social Security, driver’s license, state identification card or passport number; account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious or philosophical beliefs, or union membership; contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; genetic data; biometric information; health information; information about sex life or sexual orientation. This Sensitive Personal Information will be handled with extra care as further described in this Policy. Sensitive Personal Information includes financial account information, protected health or medical details, physical or mental health or condition information.

2. Purpose and Scope of this Policy

This Employee Privacy Policy sets out the basis on which any Personal Information the Company collects from you, or you provide to the Company, will be Processed by the Company. This Policy aims to safeguard Personal Information in any format, in particular to:

ensure the security and confidentiality of Personal Information in a manner consistent with industry and legal standards;
protect against threats or hazards to the security or integrity of Personal Information; and
protect against unauthorized access to or use of Personal Information that creates a substantial risk of identity theft or fraud.

This Policy applies to all Personal Information that exists in any of the Company’s Processing environments, on any media, at all times, relating to the Company’s Employees.

As an employer, the Company needs to collect, store and Process Personal Information about its Employees. Personal Information may be provided to the Company by a variety of means, including through the Internet, the Company’s intranet, by email, by telephone, by fax or in person. Personal Information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards that impose restrictions on how the Company may Process Personal Information. The Company strives to uphold these key principles when Processing Personal Information:

2.1 OPENNESS: Provide information to Employees about how we Process their Personal Information, including not doing anything with their Personal Information that they would not expect or that we would be embarrassed for them to know about.
2.2 PURPOSE LIMITATION: Only collect Personal Information for a specific business need of the Company, and only use the Personal Information for that specific purpose.

2.3 ACCURACY: Keep Personal Information accurate, complete and up-to-date. Anyone whose Personal Information we Process has the right to obtain a copy of that Personal Information and to correct any inaccuracies.

2.4 SECURITY: Protect Personal Information with appropriate security measures from being lost or stolen, and to prevent to the extent possible accidental or unauthorized access, damage, loss or disclosure.

3. What Personal Information Does the Company Collect and How Is It Used?

HUMAN RESOURCES, PAYROLL PROCESSING, EMPLOYMENT ELIGIBILITY VERIFICATION: For the purpose of performing human resource functions, payroll processing, and employment eligibility verification, the Company may request the following: Employee’s name, address, date of birth, Social Security Number(s), Employee driver’s license number(s), Visa status (where lawful and required), employment eligibility verification, and, where necessary, motor vehicle records, state identification card numbers, bank account information, where an Employee elects auto-depositing of paychecks, and garnishments.
ESSENTIAL JOB DUTIES: For the purpose of determining whether an applicant or Employee can carry out the essential job duties of his or her position and/or determining whether to hire an applicant or promote an Employee, the Company may collect information from the Employees’ former employer(s) relating to an Employee’s job performance; background details relating to Employees’ and Prospective Employees’ record checks or credit checks (when permitted by law and related to the Employee’s position); confirmation of degrees and/or certification; information about criminal convictions and Sensitive Personal Information, in accordance with applicable local or national laws and regulations; insurance confirmation (where such information is required for the performance of the position’s essential job duties).
BENEFITS: For purpose of providing Employees and their spouses, domestic partners, or dependents health plans, pension benefits, and/or any other type of Company-sponsored benefits, the Company may collect Employees’ current medical insurance information, Employees’ spouses’ medical insurance information, medical records and information relating to Employees’ primary physicians or medical providers.
DRUG AND ALCOHOL POLICY: For purpose of administering the Company’s Drug and Alcohol Policy, the Company may collect Employees’ drug test results (where permitted by law), including: pre-employment but post-conditional offer drug test results; post-accident drug test results; results for random drug tests for regulated positions; and/or as required by customer contract and permitted under the law.

PENSION AND RETIREMENT PLAN: For purpose of enrolling, maintaining, or assisting with the administration of a 401k plan, or any other type of company-sponsored savings, spending, deferred compensation, or retirement plan or account, the Company may collect Employees’ banking information, beneficiary information, retirement information, family details (including but not limited to dependents’ Personal Information, marriage status, and marriage history).

ACCESS TO COMPANY IT RESOURCES: For the purpose of ensuring compliance with all of the Company’s employment-related policies and applicable law and regulations, as well as other security and confidentiality requirements, and as consistent with applicable federal and state law, the Company may collect information about each Covered Employee’s use of the Company’s computer systems and network, including without limitation browser history (regarding both internal network and external network [i.e., Internet] information access), search history, file access and transfer records, and website interactions.

EMPLOYMENT CONTRACTS: To carry out its obligations arising from contracts of employment entered into between Covered Employees and the Company, including but not limited to payroll functions, reporting to the Internal Revenue Service or state or local or other applicable equivalent, enrolling Covered Employees in benefit programs, or dealing with disciplinary complaints about or actions against Covered Employees.

LEGAL REQUIREMENTS: The Company may collect Personal Information as needed to comply with applicable laws and regulations.

Although the Company is permitted under relevant laws to undertake a range of human resources-related Processing, by submitting Personal Information to the Company you confirm your consent to your Personal Information being Processed as set forth in this Employee Privacy Policy.

Prospective Employees will be told in advance how and which aspects of their Personal Information will be verified and if any vetting will take place, and will be informed which, if any, external agencies are used.

Prospective Employees will be given the opportunity to explain any discrepancies that emerge as a result of any verification or any information uncovered by vetting that might negatively affect their application. Moreover, any vetting will also: (i) be restricted to roles where it is genuinely necessary; (ii) not involve approaches to colleagues or the family of individuals, except in exceptional circumstances; and (iii) be targeted at the collection of specific and not general information. All information collected will be in compliance with all applicable laws.

Except for the notice set forth in this Policy, Personal Information collected about Covered Employees is exempt from the provisions of the CCPA. All such information is collected and used by the Company solely within the context of the individual’s employment or the context of processing an individual’s employment application.

4. The Company’s Responsibility For Your Personal Information

4.1 SECURITY PROCEDURES

The Company will strive to protect your Personal Information through the following methods:

The Company will strive to protect your Personal Information through the following methods:
The Company has security procedures in place so that any Personal Information the Company holds is kept secure and in accordance with this Employee Privacy Policy. This includes conducting periodic testing and monitoring of the Company’s systems and security, maintaining an audit plan policy, training and testing Employees on the Company’s data security protocols, and monitoring compliance with this Employee Privacy Policy.
The Company maintains security measures and technology to prevent Personal Information from being inadvertently disclosed to any unauthorized third party either orally, in writing, via the Internet, or by any other means, accidentally or otherwise. This includes, without limitation: monitoring the Company’s systems for unauthorized access; employing firewall protection and system security patches; and employing virus and malware protection.
The Company ensures laptops, backup tapes, and other portable devices containing Personal Information are password protected and all Personal Information is encrypted as appropriate.
The Company uses physical, administrative, and technical procedures to limit access to Personal Information as described in this Employee Privacy Policy.
The Company has the ability to remotely destroy Personal Information on company laptops and/or certain mobile devices that are lost or stolen.

4.2 SECURITY BREACHES

Any Employee who becomes aware of circumstances that may indicate an intrusion or compromise in the Company’s security is obliged to immediately report the incident to the Chief Information Officer. This includes evidence of unauthorized access to Personal Information in any format, loss or theft of equipment or records containing Personal Information, evidence of an intrusion into our system, or Personal Information transmitted or disclosed in error. The Company maintains logs of all monitoring and security activity. The Company has established a response plan to address breaches in its security that it reviews and updates periodically. If there is a breach of security, all the affected individuals will be notified as required by law. The Company reviews all security events and all responsive actions in order to improve its protection of Personal Information.

5. Disclosure and Transfer of Personal Information

5.1 SECURITY OF PERSONAL INFORMATION DURING TRANSFER

Where Personal Information is transferred within the Company’s organization in the course of performing its duties, the level of security appropriate to the type of Personal Information and anticipated risks will be applied. For example, if transferred by e-mail, Personal Information may be encrypted with the password supplied separately where it is appropriate and necessary. The Company also employs recognized technology or private networks to protect Personal Information transferred over the Internet where it is appropriate and necessary.

5.2 DISCLOSURES TO THIRD PARTIES

By providing Personal Information to the Company you agree that the Company may share certain information with third parties and by submitting Personal Information you agree to this transfer and Processing.

Personal Information will only be transferred to a third party if that third party agrees to comply with procedures and policies which are compliant with this Employee Privacy Policy and the Company’s procedures regarding data protection, or if that third party puts in place adequate measures which are compliant with all applicable laws and regulations.

Personal Information should only be shared with third parties in limited circumstances, including:

As necessary to any subsidiary, our ultimate holding company, and/or its subsidiaries with such group companies following procedures and policies that comply with this Employee Privacy Policy.
If the Company sells or buys any business or assets, in which case the Company may disclose your Personal Information to the prospective seller or buyer of such business or assets.
If the Company is under a duty to disclose or share your Personal Information in order to comply with any legal obligation.
To service providers that need the Personal Information to provide you or the Company with certain services.
If the Company is required by customer contract to share drug test results, you will be provided with that information prior to undergoing the drug test and required to sign a waiver.

6. Restrictions on Access to Personal Information

The Company employs physical, administrative and technological means to restrict access to Personal Information including:

Only those who have appropriate authority or are reasonably required to know or use Personal Information will have access to Personal Information, and only to the extent necessary for legitimate business purposes. This authority may be revoked at any time and for any or no reason.
Physical records containing Personal Information (e.g., paper records and storage media) are required to be kept in restricted and secure areas. Access to these records is limited to authorized personnel only to the extent necessary for legitimate business purposes.
Physical or Electronic access is terminated for Employees whose employment is terminated or whose authorization is revoked. Terminated Employees are required to return all equipment and are not permitted to maintain any copies or reproductions of Personal Information.
The Company endeavors to disclose Personal Information only to the extent reasonably necessary. The Company masks Sensitive Personal Information and other details such as Social Security Numbers and financial account numbers, as applicable.
The Company does not permit direct public access between external networks and any system component that stores Personal Information. The Company uses a DMZ to filter and screen inbound and outbound Internet traffic.
Personal Information will also be anonymized where possible (e.g., where only statistical information is needed).

7. Retention and Disposal of Personal Information

7.1 RETENTION OF PERSONAL INFORMATION

The Company will only retain your Personal Information for as long as is necessary to perform its obligations to you or as is required by law. The Company has a legal duty to retain employment records that may include Employee Personal Information after the termination of employment. There are varying requirements as to how long an employer must maintain employment records depending on the type of record being maintained. Accordingly, different categories of Personal Information may be kept for different periods of time in compliance with the law. The Company will provide a copy of its standard records retention periods on request.

All Personal Information you provide will be stored on secure servers or in secure files which may be based in the United States. By submitting your Personal Information, you fully consent to this transfer, storing and Processing. The Company will take reasonable steps to treat your data securely and in accordance with this Employee Privacy Policy.

7.2 DESTRUCTION OF PERSONAL INFORMATION

The Company shall destroy your Personal Information once the Company is no longer required to maintain or utilize the Personal Information, as described in this Policy. Such destruction shall be carried out in a secure and permanent way, regardless of the format in which the Personal Information is stored (e.g., paper, Electronic, etc.).

When a record containing Personal Information is to be disposed of, the following procedures will be followed by the Company:

All paper documentation containing Personal Information will be permanently destroyed by shredding.
All computer equipment or media that are to be sold or scrapped will have had all Personal Information completely destroyed, for example, by reformatting, over-writing, deleting, degaussing, or physical destruction of the storage media.

8. Enforcement of This Employee Privacy Policy

The Company’s Chief Human Resources Officer is responsible for ensuring compliance with the law and with this Employee Privacy Policy. You should direct any questions or concerns about the interpretation or operation of this Employee Privacy Policy or about what may or may not be done with regard to Personal Information to the Chief Human Resources Officer.

Any employee found to have violated this Policy is subject to disciplinary action, up to and including termination of employment. Any Consumer having questions or concerns about this Policy or their Personal Information should contact the Chief Human Resources Officer.

9. California Privacy Rights

The following disclosures and the rights described below are applicable to residents of California.

Information the Company Collects

Descriptions of the categories of information the Company collects, the sources of the information, and the uses of that information are contained in Sections 2 and 3 above.

Your Rights Under the CCPA

Under the CCPA, California residents have certain rights regarding their Personal Information, including the following:

RIGHT TO ACCESS. You have the right to access Personal Information which we may collect or retain about you. If requested, we will provide you with a copy of your Personal Information which we collect as permitted by the CCPA. You also have the right to receive your Personal Information in a structured and commonly used format so that it can be transferred to another entity (“data portability”).

RIGHT TO KNOW. You have the right to request that we disclose the following about your Personal Information, as defined by the CCPA:
The specific Personal Information we may collect;
The categories of Personal Information we may collect;
The categories of sources from which we may collect your Personal Information;
The business purpose(s) for collecting or sharing your Personal Information;
The categories of Personal Information we may disclose for business purposes; and
The categories of third parties to whom we may share your Personal Information.
RIGHT TO OPT-OUT FROM THE SELLING OR SHARING OF MY PERSONAL INFORMATION. The Company does not “sell” or “share” Personal Information within the meaning of the CCPA. The CCPA defines “sharing” to mean the “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
RIGHT TO LIMIT USE AND DISCLOSURE OF SENSITIVE PERSONAL INFORMATION. In certain contexts you may have the right to limit how your Sensitive Personal Information is used and disclosed.
RIGHT TO DELETION. In certain circumstances, you have the right to request the deletion of your Personal Information. Upon verifying the validity of a deletion request and when required by law, we will delete your Personal Information from our records, and instruct any service providers or third parties to delete your Personal Information.
RIGHT TO CORRECT/RIGHT TO RECTIFICATION. In certain circumstances, you have the right to request correction of any inaccurate Personal Information. Upon verifying the validity of a verifiable correction request, we will use commercially reasonable efforts to correct your Personal Information as directed, taking into account the nature of the Personal Information and the purposes of maintaining your Personal Information.

Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply.

Discrimination and retaliation against any Covered Person for exercising their CCPA data rights under this policy and applicable law is strictly prohibited.

Exercising Your Rights

You may submit an individual rights request by calling us at 310-277-4657, completing our online form located at https://www.nksfb.com/contact-us/ or emailing the Company at consumerrequest@nksfb.com. The Company shall maintain records of requests for at least 24 months.

Before the Company can process a request to delete, a request to correct, or a request to provide a copy of an individual’s Personal Information, the Company will verify the identity of the individual making such request. To verify your identity, the Company will rely upon information we have previously collected about you, such as known phone number or email address.

You may designate an authorized agent to exercise these rights on your behalf. If a you utilize `an authorized agent to exercise these rights, the following proof that the agent has been authorized to act on the individual’s behalf must be provided:

Proof of written permission for the authorized agent to act on his or her behalf and separate verification of the Covered Person; or
Proof that the authorized agent holds a power of attorney to act on the Covered Person’s behalf pursuant to Cal. Probate Code §§ 4000-4465.

We will acknowledge a request within 10 days of receipt of a request. A verified request will generally be fulfilled within 45 days of receipt of any such request. If necessary, we may take an additional 45 days to respond to the request, for a maximum total of 90 days, provided that we provide the requester with notice and an explanation of the reason we will take more than 45 days to respond. We will inform the requestor whether we have complied, in whole or part, with the request or the basis for denial. Prior to deleting or releasing any information, we will need to verify the requestor is authorized to have the information deleted or to receive the information through the authentication method described above.

10. Changes in This Employee Privacy Policy

This Employee Privacy Policy is effective as of the date shown on the title page. The Company shall review this Employee Privacy Policy and the particular security measures discussed herein whenever there is a material change in business practices that may reasonably impact the security or integrity of records containing Personal Information. Any changes the Company may make to this Employee Privacy Policy in the future will be posted on the intranet.