CISO Attestation Letter - Cybersecurity Program Compliance

To Whom It May Concern

I, Jeffrey Mendonca, in my capacity as Chief Information Security Officer of JIL Sovereign Technologies, Inc. (the “Company”), attest to the following as of the date of this letter.

1. NIST SP 800-53 Rev. 5 Moderate Baseline

The Company has implemented and operationalizes the controls of the NIST Special Publication 800-53 Revision 5 Moderate baseline across all production information systems. The mapping and implementation evidence is documented in:

JIL_NIST_800-53_Control_Mapping.md - Internal control mapping and implementation statement

The 20 control families are addressed; the status of each is documented in Section 3 of that document. Residual risks are tracked in the Company’s internal Risk Register and reviewed at least annually.

This attestation represents the Company’s internal determination of control coverage. It is not a FedRAMP Authorization and does not constitute a third-party assessment. Where third-party validation is required for external reliance (e.g., SOC 2 Type II, ISO 27001/27017), the Company pursues those engagements separately; their timelines are disclosed on the Company’s public compliance page.

2. NYDFS 23 NYCRR Part 500 - Voluntary Compliance

The Company is not currently a “Covered Entity” under 23 NYCRR Part 500 because it does not hold a license, registration, charter, or similar authorization from the New York State Department of Financial Services. Despite not being subject to mandatory compliance, the Company has voluntarily adopted the Part 500 framework as the operating governance standard for its Cybersecurity Program.

As of the date of this letter, the Company’s Cybersecurity Program materially meets the requirements of 23 NYCRR Part 500. The program is documented in:

JIL_NYDFS_Part_500_Compliance_Program.md - Voluntary compliance statement

The CISO designation, program policies, access controls, multi-factor authentication, encryption, audit trail retention, incident-response plan, third-party risk management, and annual risk-assessment practice are all in place.

If the Company later becomes a Covered Entity under Part 500 (for example, through obtaining a BitLicense, money transmitter license, or similar authorization), this voluntary program will convert to the formal annual certification required under 23 NYCRR 500.17(b), and the certification will be filed with the Superintendent by April 15 following the close of each calendar year.

3. Cybersecurity Program Governance

The Cybersecurity Program is approved by the Board of Directors. It is overseen by the CISO, who reports to the Chief Executive Officer and the Board at least annually on material cybersecurity risks, the effectiveness of the program, and material cybersecurity events. Material changes to the program are documented and, where required, subject to Board review.

4. Limitations on This Attestation

• This attestation is based on the Company’s own records and controls. It is not a third-party opinion.
• This attestation covers the Company’s production infrastructure and the services operated thereon. It does not extend to customer-side systems or customer obligations.
• Third parties relying on this attestation for their own compliance obligations should review the full evidence pack (available under non-disclosure agreement) and conduct appropriate due diligence.

5. Contact

For questions about this attestation or to request the evidence pack under NDA:

Email: compliance@jilsovereign.com Corporate Address: JIL Sovereign Technologies, Inc., Delaware, USA

Executed this 19th day of April, 2026.

Jeffrey Mendonca Chief Information Security Officer JIL Sovereign Technologies, Inc. (Delaware)

This attestation will be re-executed annually. The Company reserves the right to update or supplement this attestation as the Cybersecurity Program evolves.