1. Introduction, Operator and Scope
This Data Security Policy (the "Policy") describes the organizational and technical measures that Premium Logistics SHPK, a limited liability company (shoqëri me përgjegjësi të kufizuar) incorporated in the Republic of Albania and trading under the brand "Premium Auto Bid", applies to safeguard the confidentiality, integrity and availability of personal data and supporting documents processed through its websites, platforms and related services (collectively, the "Platform" or the "Services").
The operator and data controller is Premium Logistics SHPK, NUIS / NIPT M53004202C, registered with the National Business Center (Qendra Kombëtare e Biznesit, QKB) of the Republic of Albania, with registered office at Rruga "Dubai", Lagjia nr. 2, cadastral zone 2066, property no. 89/38, 4-storey building, 2nd floor, Entrance 1, Kamëz, Tirana, Albania (the "Company", "we", "us" or "our").
Effective date: 4 June 2026. Last updated: 4 June 2026. This Policy applies from its effective date and supersedes any prior data-security statement for the same Services.
This Policy applies to customers and prospective customers in the markets the Company serves, namely Albania, Kosovo, North Macedonia and Montenegro, and to all personnel, contractors, processors and other parties who handle personal data on the Company's behalf. It should be read together with the Company's Privacy Policy and Member Terms, which govern, respectively, what personal data we process and the contractual basis for placing customer bids on Copart and providing import support.
The Company is an independent vehicle sourcing, bidding and import-support platform. It helps customers discover Copart auction vehicles and, once they complete identity verification, accept the Member Terms and have an approved deposit, places their bids on Copart in real time through the Copart API, and coordinates purchase, transport, customs and import support. This Policy concerns the security of the data involved in those activities; it does not by itself create rights or obligations regarding any specific vehicle, lot or transaction.
Premium Auto Bid is a trading brand of Premium Logistics SHPK. The Company is independent and is not owned by, operated by, endorsed by, or officially affiliated with Copart, Inc. Copart and the Copart logo are trademarks of Copart, Inc. The Company places customer bids on Copart in real time through the Copart API, after the customer completes identity verification and deposit approval. Any vehicle inventory shown as a demonstration / sample is clearly labelled as such for illustration only; those specific sample cars do not represent real Copart lots and are not biddable.
2. Our Security Principles
The Company approaches information security as an ongoing discipline rather than a one-time exercise. Our security program is built on a small number of durable principles that guide how we design systems, write procedures and make day-to-day decisions:
- Confidentiality, integrity and availability: we seek to keep personal data secret from those who should not see it, accurate and unaltered, and available to authorised users when legitimately needed.
- Data minimisation and purpose limitation: we collect and retain only the personal data we genuinely need for identity verification, deposit confirmation, placing customer bids on Copart, import coordination and legal compliance, and we do not repurpose it for incompatible aims.
- Least privilege: access to systems and documents is granted on a need-to-know basis and limited to what each role requires.
- Security by design and by default: security and privacy considerations are taken into account when we select tools, configure services and design workflows, not bolted on afterwards.
- Accountability: we keep records of our processing and security measures so that we can demonstrate compliance to the Information and Data Protection Commissioner of Albania (the "Commissioner") and to data subjects.
- Proportionality: the measures we apply are proportionate to the nature, scope, context and risks of the processing, with heightened care for identity documents and payment-proof files.
These principles reflect the requirements of Albanian Law no. 9887 dated 10.03.2008 "On the Protection of Personal Data" (as amended) and, where applicable, the EU General Data Protection Regulation ("GDPR").
3. Organizational Measures
Technical controls are only as effective as the people and procedures around them. The Company therefore maintains organizational measures designed to embed security into everyday operations:
Governance and responsibility
Overall responsibility for data protection and security rests with the Company's administration. Day-to-day data-protection matters, including this Policy, security incidents and data-subject requests, are coordinated through the contact address privacy@premlogistics.com, with compliance oversight via compliance@premlogistics.com.
Policies, training and awareness
- We maintain internal policies and procedures covering acceptable use, access management, document handling, incident response and retention.
- Personnel who handle personal data receive instruction on their confidentiality and security obligations before being granted access, and periodic reminders thereafter.
- Staff are instructed to recognise and report phishing, social-engineering attempts and suspected security incidents promptly.
Risk management and records
- We assess security risks when introducing new tools or materially changing how we process personal data, and we conduct a data protection impact assessment where the law requires one.
- We keep records of processing activities and of the security measures applied to them, so that controls can be reviewed and improved over time.
- We periodically review user access rights and remove access that is no longer required, including promptly upon a change of role or departure.
4. Technical Measures
The Company applies technical safeguards appropriate to the sensitivity of the data it processes and the risks of the Platform. These measures are kept under review and may be adjusted as technology, threats and the Company's infrastructure evolve.
Access control and authentication
- Access to administrative systems, databases and stored documents is restricted to authorised personnel using individual credentials, on a least-privilege basis.
- We require strong, unique passwords for administrative accounts and enable multi-factor authentication on key systems where the relevant service supports it.
- Administrative privileges are limited to the smallest number of people consistent with safe operation, and are reviewed periodically.
Encryption
- Data transmitted between users' browsers and the Platform is protected in transit using industry-standard transport encryption (HTTPS / TLS).
- Personal data and uploaded documents stored with our hosting and database providers are protected by encryption at rest where the relevant provider makes such encryption available, in addition to the providers' own platform-level safeguards.
- We rely on reputable providers' encryption capabilities and configure available security features rather than implementing bespoke cryptography.
Secrets and configuration
- Credentials, API keys and other secrets are held server-side in protected configuration and are not embedded in client-side code or exposed in public repositories.
- Access to production configuration and secrets is restricted to authorised personnel.
Hosting, backups and resilience
- The Platform is hosted with reputable cloud infrastructure and managed-database providers that maintain their own physical and network security controls in professionally operated data centres.
- We take backups of essential data to support recovery from accidental loss, corruption or system failure, and seek to protect those backups with controls comparable to the primary data.
- We apply available security updates to the components within our control and rely on our providers to maintain the underlying platform.
Logging and audit trails
- We maintain logs and audit trails of relevant administrative and system activity to support security monitoring, troubleshooting and investigation of suspected incidents.
- Logs are retained for a period proportionate to their purpose and protected against unauthorised access and tampering so far as reasonably practicable.
5. Personnel and Confidentiality
Everyone who acts for the Company and has access to personal data is bound by confidentiality. This obligation is a condition of access and continues after a person's engagement with the Company ends.
- Personnel, contractors and operators are subject to confidentiality undertakings, whether through their employment or engagement terms or separate confidentiality commitments.
- Access to personal data and documents is limited to what each person needs to perform their role (least privilege and need-to-know).
- Operators who review identity verification (KYC), deposit confirmation and Member Terms acceptance before a customer can bid are instructed to handle the underlying documents only for those purposes.
- Personnel must not copy, transfer, store or disclose personal data outside approved systems and procedures.
- On change of role or departure, access rights are revoked promptly and Company devices, credentials and data are recovered or disabled as appropriate.
6. Vendor and Processor Security
To deliver the Services, the Company relies on a limited number of third-party providers acting as processors or sub-processors, such as cloud hosting, managed databases, communications and email delivery. We choose such providers with care and require appropriate safeguards.
- We select reputable providers and seek to use those that maintain recognised security practices and operate professionally managed infrastructure.
- Where a provider processes personal data on our behalf, we put in place a written data processing arrangement requiring the provider to process data only on our instructions, to keep it confidential, and to apply appropriate security measures.
- We seek to limit the personal data shared with each provider to what is necessary for the relevant function.
- Where personal data is transferred to or stored in a country outside Albania or the European Economic Area, we seek to ensure that an appropriate legal transfer mechanism and adequate safeguards are in place, consistent with Albanian Law no. 9887 and, where applicable, the GDPR.
A current overview of the categories of processors we use, and how to request further information, is available via the Privacy Policy and on request to privacy@premlogistics.com.
7. Secure Handling of Identity and Payment-Proof Documents
Identity verification (KYC), acceptance of the Member Terms and an approved deposit are all required before any bid is placed. As a result, the Company handles particularly sensitive material, including identity documents and proof-of-payment files. We apply heightened care to this material.
Deposits and balances are denominated in USD (a standard deposit of $750, or 10% for vehicles over $7,500). Inbound payments are operator-confirmed: customers may pay by bank transfer in USD or EUR, or in cash in ALL at the Company's Tirana office, and upload proof which an operator verifies independently. No third-party card processors operate in Albania for this payment flow, so we do not transmit cardholder data through such processors as part of this process.
- Identity and payment-proof documents are accessible only to authorised personnel who need them to verify a customer, confirm a deposit, comply with anti-money-laundering obligations, or enable the customer's bidding and import support.
- Such documents are stored within access-controlled systems and protected in transit and, where the relevant provider makes it available, at rest.
- We instruct customers to submit documents only through the channels we designate and not to send sensitive documents through insecure or public channels.
- We retain identity and payment-proof documents only for as long as necessary for the purposes for which they were collected and to meet legal and regulatory retention obligations, including those arising under Albanian Law no. 9917 dated 19.05.2008 "On the Prevention of Money Laundering and Financing of Terrorism" (as amended), after which they are securely deleted or anonymised.
- Identity and payment verification is performed manually by an operator as a prerequisite before bidding; once these checks are satisfied, customer bids are placed on Copart in real time through the Copart API.
Vehicles are sold AS-IS by third-party auction sources. Premium Auto Bid does not guarantee the condition, title, mileage, damage, history, availability, auction outcome, or shipping/customs timelines of any vehicle. This Policy concerns data security only and does not alter the AS-IS nature of the underlying transactions or create any warranty as to any vehicle.
8. Incident Detection, Response and Breach Notification
Despite reasonable measures, no system can be guaranteed to be completely secure. The Company maintains procedures to detect, contain and respond to security incidents and personal-data breaches, and to notify the authorities and affected individuals where the law requires.
Detection and reporting
- We use logging and monitoring to help detect anomalous or unauthorised activity, and personnel are instructed to report suspected incidents without delay.
- Users and third parties can report a suspected vulnerability or security concern to compliance@premlogistics.com or privacy@premlogistics.com.
Response
- Triage and assessment: we assess the nature, scope and likely impact of the incident, including the categories of data and individuals potentially affected.
- Containment and remediation: we take reasonable steps to contain the incident, mitigate harm, restore affected services from backups where appropriate, and prevent recurrence.
- Investigation and record-keeping: we investigate the cause and document the incident, the measures taken and the outcome.
- Notification: we evaluate notification obligations and, where required, notify the Commissioner and affected individuals as set out below.
- Review: we review lessons learned and update controls and procedures as appropriate.
Breach notification
Where a personal-data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information and Data Protection Commissioner of Albania within the time limits and in the manner required by applicable law. Where the breach is likely to result in a high risk to affected individuals, we will also inform those individuals without undue delay, describing the nature of the breach, the likely consequences and the measures taken or proposed, and providing a contact point for further information.
Where the GDPR applies to a particular processing activity, we will additionally comply with its breach-notification requirements, including notification to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.
If a processor we use suffers a breach affecting personal data processed on our behalf, we require the processor to notify us without undue delay so that we can meet our own obligations.
9. Your Role in Keeping Data Secure
Security is a shared responsibility. While the Company protects the data within its systems, customers play an essential part in keeping their own information safe.
- Keep your account credentials confidential, use a strong and unique password, and do not share access with others.
- Submit identity and payment-proof documents only through the official channels the Company designates, and verify that you are communicating with the Company before sending sensitive information.
- Be alert to phishing and impersonation: the Company will not ask you to disclose your password, and you should treat unexpected requests for sensitive data or payments with caution.
- Notify us promptly at support@premlogistics.com or privacy@premlogistics.com if you suspect unauthorised access to your account or any misuse of your data.
The Company cannot be responsible for security failures arising from a user's own acts or omissions, such as disclosing credentials, falling for an impersonation scam, or sending documents through channels outside the Company's control.
10. No Certifications Claimed
We believe in describing our security measures honestly and without overstatement.
The Company does not currently hold or claim any SOC 2, ISO/IEC 27001, PCI-DSS or other formal security certification or attestation. References in this Policy to industry-standard or reputable providers, encryption, and security practices describe the measures we apply; they are not, and must not be read as, a claim of any certification, accreditation or audited assurance that the Company has not obtained.
Some of the third-party infrastructure providers we rely on maintain their own certifications and audited controls at the platform level. Any such certification belongs to the relevant provider in respect of its own services and does not constitute certification of the Company or of the Platform as a whole.
11. Continuous Improvement
Security threats and technology change over time, and so do our measures. The Company treats data security as a continuous improvement process and reviews its controls periodically and when circumstances warrant.
- We review this Policy and our underlying measures periodically and in response to material changes in our systems, processors, services or the legal framework.
- We seek to remediate identified weaknesses, apply available security updates, and refine our procedures in light of incidents, audits and lessons learned.
- As the Company matures, including in connection with its real-time integration with the Copart API, it expects to strengthen its security measures further, while making no representation about certifications it does not hold.
12. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, services or legal obligations. When we make changes, we will revise the "Last updated" date above and, where appropriate, publish the updated Policy on the Platform.
Where a change is material, we will take reasonable steps to bring it to users' attention, for example through a notice on the Platform or other appropriate communication. Your continued use of the Services after an updated Policy takes effect indicates that you have read and understood the current version. We encourage you to review this Policy periodically.
13. Governing Law
This Policy and any matter arising from it are governed by the laws of the Republic of Albania, including Albanian Law no. 9887 dated 10.03.2008 "On the Protection of Personal Data" (as amended) and, where applicable, the GDPR. The competent courts of Tirana, Albania shall have jurisdiction over any dispute relating to this Policy, without prejudice to any mandatory rights you may have under applicable law, including your right to lodge a complaint with the Information and Data Protection Commissioner of Albania.
14. Contact
If you have questions about this Policy, our security measures, or how we protect your personal data, or if you wish to report a security concern, please contact us:
- Data protection and privacy (including the Company's data-protection contact / DPO function): privacy@premlogistics.com
- Compliance and security concerns: compliance@premlogistics.com
- Customer support: support@premlogistics.com
- Legal: legal@premlogistics.com
- General enquiries: info@premlogistics.com
Postal address: Premium Logistics SHPK, Rruga "Dubai", Lagjia nr. 2, cadastral zone 2066, property no. 89/38, 4-storey building, 2nd floor, Entrance 1, Kamëz, Tirana, Albania. NUIS / NIPT: M53004202C. Website: premlogistics.com.
You also have the right to lodge a complaint with the Information and Data Protection Commissioner of Albania (the supervisory authority) if you believe your personal data has not been handled in accordance with applicable law.
Issued by Premium Logistics SHPK · NUIS M53004202C · 4 June 2026