PURPOSE You need to shut down your server and other terminals due to severe weather or an emergency. PROCESS WARNING: Contact the Mister Service Desk immediately to shut down your server and other terminals correctly. Mister Service Desk phone number: 888-422-7343 If you have any issues with the steps outlined in this document, please contact the Mister Service Desk. Shut Down Systems After confirming with the Mister Service Desk that the server and terminals have shut down, continue with the following: Locate the Tripp Lite UPS at the bottom of the computer rack. On the Tripp Lite UPS, hold the power button for five seconds until you hear a beep, then release the button. The UPS should turn off. If it does not, repeat step 2. Locate the Tripp Lite power strips. They are typically in the middle of the computer rack. Turn off the Tripp Lite power strip(s) by pressing the red button located on the front. Unplug ALL cables from the wall outlets leading to the computer rack. Shut down converted XPTs: Open the XPT. Locate the main power switch on the back wall in the center (see image below). Turn off the main switch. Locate the power cable next to the main power switch in the XPT (see image below). Unplug the power cable. Lock up the XPT. Shut down Pegasus kiosks: Open the kiosk. Locate the main power switch on the back wall in the center. Turn off the main switch. Lock up the kiosk. Restart Systems After the Emergency or Weather is clear and site can operate again the systems need to be started again, click the link below: Guide: PROCEDURE - GUIDE RESTARTING AFTER EMERGENCY SHUTDOWN

OVERVIEW This is document is designed to provide General Managers (GM) with an overview of Information Technology at Mister Car Wash, including support options, equipment, and terminology. DEFINITIONS Cyber Security – The practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. Micrologic – Point of Sale System. POS - Point of Sale system. Combination of hardware and software that make up the sales transaction system. Pegasus – Micrologic Kiosk. The payment terminal located in the lanes where customers pick their wash and self-pay. Ruckus – The brand name of the wireless access points. Switch – Network hardware that connects devices on a computer network. The switch is in the IT Cabinet. XPT – Unitec Kiosk in use at DRB stores (and some Micrologic stores). A video explaining the parts in the XPT Kiosk can be found in the Service Desk and HERE. VOIP – Voice over IP – Delivery of voice communications over Internet Protocol networks, such as the Internet. WAP - Wireless Access Point – Networking hardware device that allows wireless connections. QUICK LINKS • Mister Service Desk Portal – Find solutions to common issues and how-to articles, find the status of a previously submitted request, submit a new request. • IT Help Center – Searchable Knowledge Articles. • Mister Connect – Intranet with links to commonly used systems, project information, policies, and other information. Mister IT Support Options There are 3 methods for obtaining support from Mister IT, all processed through the ticketing system. Tickets are created via the Mister Service Desk Web Portal, Email, or Phone: Option #1 – Service Desk Portal Service Desk Portal Website Preferred method. Submit a ticket by using the Service Desk Portal. Option #2 – Email MisterIT@mistercarwash.com Email will automatically create a ticket. Option #3 – Phone call 1-888-422-7343 Urgent issues: equipment failures, store down, or other emergency situations. REQUESTS & ISSUES Requests and issues submitted via the Service Desk Portal or via email will be responded to within 24 hours. The better the detail included in the request, the more likely the technician can resolve the issue or request without first having to contact the requester. If a tech does need information, he/she will contact the GM. Technicians will make at least three attempts using the following procedure: First attempt: contact GM (Phone call to store and GM cell or email). Second attempt: GM (Phone call to GM cell). Third attempt: Email to GM and copy Regional Manager (RM). If there is no response after 48 hours from third attempt, the technician will close the ticket. Every issue will be addressed as soon as possible, however, most will need to be triaged and worked in priority order. Severity Definitions Low Issues that are not significantly affecting the site's ability to process cars. Can't print from one machines Single peripheral down Report is not correct Medium Issues that limit's the site's ability to process cars Single tablet down Send Station down but has a work around Primary internet down but on backup (if processing cars normally) High Point of sale extremely slow kiosk down multiple tablets not working Primary internet down, backup is up (not process cars normally) Manager workstation not working Urgent Entire store down Server down Send Station is non-functional Primary and backup internet down Unable to process credit cards The Resolution and Notification Table below defines how to report an issue, the expected response time, resolution time, communication method and communication frequency. For example: Requesters reporting Urgent Incidents, should expect a response within 15 minutes. Resources will be pulled from lower priority issues to try to resolve the issue within one hour. The requester should call (versus email or portal) to report this priority of issue. Both the requester and IT must notify their manager immediately and provide hourly updates. Resolution and Notification Table Priority How to Report Expected Response Within Target Resolution Time When to Notify Manager How to Respond Response Update Frequency Urgent Phone 15 Minutes 1 Hour Immediately Phone, Email Follow-Up Every hour until resolved High Phone 15 Minutes 1 Day Immediately Phone, Email Follow-Up Every day until resolved Medium Portal, Email, Phone 4 Hours 2 Days 1 day, if not resolved Email Every two days until resolved Low Portal, Email 24 Hours 5 Days 2 days, if not resolved Email Every 5 days until resolved ISSUE ESCALATION If you are not contacted by the “Expected Response Time”, Click to find Mister IT Escalation Contacts and call the current IT Escalation contact. IT SECURITY More than ever, Cyber Security is a very important aspect of any business. There are thousands of threats daily that can negatively impact normal business operations. Security Training Courses General Managers are required to take three IT Security training courses. These courses cover email, malware, password, phishing, and other IT security related topics. Three courses are: Security Awareness Training Payment Card Industry DSS Compliance PCI DSS Security Brief The training is in Mister Learn (can be accessed through Mister Connects launchpad). MISTER IT HOURS OF OPERATION Mister IT provides support for the stores 7 days a week throughout the year. The Service Desk Hours of Operation are the following: Monday through Friday: 3:30AM to 6PM MST Saturday: 3:30AM to 5PM MST Sunday: 6:00AM to 4:00PM MST After-hours (on-call) support for urgent issues: Monday through Friday: 6PM to 10PM MST Saturday: 5PM to 9PM MST Sunday: 4PM to 8PM MST For after-hours support, please leave a voice message and an IT Technician will contact you within 30 minutes (usually faster). PHONES Every Mister Car Wash store has a company issued Voice over IP (VOIP) desk phone from the vendor, Evolve IP. For stores that also have a company issued cordless phone, when a customer calls the store, both phones will ring at the same time. Calling If you already know the extension of the person you wish to call, you can call directly by entering the extension number on the keypad. Replacing Cordless Phone Batteries If your cordless phone is not holding a charge or is not charging at all, you need to replace the phone’s batteries. Make sure to only use rechargeable batteries when replacing the batteries in your cordless phone. This simple fix will bring your cordless phone back to life. INTERNET & EMAIL Internet A worldwide system of computer networks – a network of networks in which users at any one computer can, if they have permission, get information from any other computer (and sometimes talk directly to users at other computers). Email At Mister, we utilize Microsoft Outlook to access our emails. You must encrypt any email that contains proprietary or sensitive information, which keeps the information secure. POINT OF SALE (POS) Mister Car Wash has one point of sale system in use. Micrologic: All Micrologic equipment in the stores utilizes a standardize rack configuration HERE. LogicWash: Software used to run the point of sale. Software runs on a server, Tablet, Point-of-Sale terminal, Kiosk and Tunnel Controller. Wash Assist: Web tool used to configure settings, manage customers, and view reports. The following guides have been created to help answer many questions regarding Micrologic topics. Wash Assist Quick Guide: Micrologic uses WashAssist which is the wash administration software provided by Micrologic Associates. With the information in this guide, you will be able to perform key wash management functions in WashAssist such as looking up information and running reports. Micrologic Preventative Maintenance Guide: The mechanical components of the Micrologic POS system need regular preventative maintenance to keep them functioning properly. With the information in this guide, you will be able to perform key perform preventive maintenance on components such as bill accepters, dispensers, gates, and credit card readers. Micrologic Troubleshooting Guide: This guide provides solutions for the most common issues GMs report about Micrologic. With the information in this guide, you will be able to resolve these commonly reported Micrologic issues in just a few steps. IT POLICIES Mister IT policies are located in Support Portal Solutions under Policy Group. The documents cover the following policies: Acceptable Use Password Security Awareness Training Terminated Employee Email and Data If you need additional information regarding a policy or procedure not covered, please contact Mister IT. Feedback In order to provide excellent customer service, we need feedback from our customers. From time to time, we will send you a survey on how we can better improve. We encourage you to take the time to fill out the customer service survey. In addition, if you have any comments or suggestions please feel free to send an email to MisterIT@mistercarwash.com. APPENDIX A Troubleshooting Use the decision tree below to resolve the most common issues that occur on the managers computers. However, this information can be applied to most computers operating in the store. Click the link to bring up the article to help you resolve this issue. Common Computer Related Issues System Issue Related Article Windows Display shows a Blue Screen During Startup Troubleshoot Computer Blue Screen Windows Will not Allow me to Login Troubleshoot Login Issues Internet & Email Cannot Access Internet or My Internet is Slow Troubleshoot Slow or Down Internet Internet & Email Cannot Access My email How to Reset your Email Password Microsoft Office Not Opening or Working Properly Troubleshoot Office Issues General Issue Freezing or Behaving Strangely Troubleshoot Computer Programs or Freezing Issues General Issue Will Not Power On Troubleshoot Computer Startup Issues General Issue My Keyboard & Mouse are not Working Troubleshoot Keyboard or Mouse Issues General Issue Nothing is Showing on the Monitor Troubleshoot Monitor Issues Revision History Revised Date Revised By Revisions Unknown Lauren Babson Document created 10/14/2024 Andrew Poskey Moved to Fresh 4/2/2024 Andrew Poskey Updated Formatting, updated critical to urgent, updated links.

PURPOSE After the Emergency or Weather is clear and site can operate again the systems need to be started again PROCESS Plug all cabinet power cables into a wall outlet or outlets. Turn on Tripp Lite UPS by holding the Power button until you hear it beep, then release the button. Turn on the Tripp Lite power strip(s). Wait three to five minutes for the ISP modem/router and the Meraki Firewall to come online. The light status of these devices should be like those in the photo below. Turn on the server and manager computer. Both are located near the bottom of the computer rack. Verify the Micrologic tunnel controller computer and send stationboth have power lights on. If you are prompted for a username and password on your office monitor (see image below), press the Enter button twice to see your devices. This will allow you to switch between various computers at the store. Turn on ALL the other computers at your site (i.e., POS, Kiosk, etc.). Contact the Mister Service Desk if any computers will not come on or will not load Logic Wash. Turn on converted XPTs: Turn on the main breakers for the XPT. Open the XPT. Locate the main power switch again (see image). Plug in the power cable next to the main power switch (see image). Turn on the main power switch. Lock up the XPT and confirm normal operation. Turn on Pegasus kiosks: Turn on the main breakers for the kiosks. Open the kiosk. Locate the main power switch. Turn on the main power switch. Lock up the kiosk and confirm normal operation. NOTE: If your Pegasus kiosk has a black screen, disconnect and reconnect the power cord to the Pegasus computer (see images below), It is located inside the kiosk on the left side. A screwdriver is required for this step. The power cord has a green connector and is toward the back of the kiosk.

MISTER IT SUPPORT OPTIONS There are 3 methods for obtaining support from Mister IT, all processed through the ticketing system. Tickets are created via the Mister Service Desk Web Portal, Email, or Phone: Option #1 – Service Desk Portal Service Desk Portal Website Preferred Method. Submit a ticket by using the Service Desk Portal Option #2 – Email MisterIT@mistercarwash.com Email will automatically create a ticket Option #3 – Phone call 1-888-422-7343 Urgent issues: equipment failures, store down, or other emergency situations. RESPONSE & RESOLUTION TIMES The table below shows the estimated response & resolution times. Priority How to Report Expected Response Within Target Resolution Time When to Notify Manager How to Respond Response Update Frequency Urgent Phone 15 Minutes 1 Hour Immediately Phone, Email Follow-Up Every hour until resolved High Phone 15 Minutes 1 Day Immediately Phone, Email Follow-Up Every day until resolved Medium Portal, Email, Phone 4 Hours 2 Days 1 day, if not resolved Email Every two days until resolved Low Portal, Email 24 Hours 5 Days 2 days, if not resolved Email Every 5 days until resolved SERVICE DESK HOURS OF OPERATION (AZ Time) MisterIT provides support for the stores 7 days a week throughout the year. The Service Desk Hours of Operation are the following: Monday thru Friday from 4 am to 6 pm Saturday 4 am to 5 pm Sunday 4 am to 4 pm After-hours (on-call) support for urgent issues: Monday thru Friday from 6 pm to 10 pm Saturday 5 pm to 10 pm Sunday 4 pm to 10 pm For after-hours support, please leave a voice message and an IT tech will contact you within 30 minutes (usually faster). ISSUE ESCALATION If you are not contacted by the “Expected Response Time” shown above, use Mister IT Support Escalation Contacts to escalate as necessary. SEVERITY DEFINITIONS Low Issues that are not significantly affecting the site's ability to process cars. Can't print from one machines Single peripheral down Report is not correct Medium Issues that limit's the site's ability to process cars Single tablet down Send Station down but has a work around Primary internet down but on backup (if processing cars normally) High Point of sale extremely slow kiosk down multiple tablets not working Primary internet down, backup is up (not process cars normally) Manager workstation not working Urgent Entire store down Server down Send Station is non-functional Primary and backup internet down Unable to process credit cards REVISION HISTORY Revised Date Revised By Revisions 10/01/2018 Lauren Babson Document Created 7/5/2019 Lauren Babson Updates to include when to notify manager and frequency of when to expect status updates and separating High & Critical from one to two levels 1/14/2020 Lauren Babson Update on-call hours wording to match IT Essential Document 1/7/2021 Tam Rininger Update Escalation Contacts 2/19/2021 Lauren Babson Updating formatting. Removed names in escalation contacts and pointed doc to current escalation contact document in the IT Help Center. 10/14/2024 Andrew Poskey Moved to Fresh 12/4/2024 Andrew Poskey Updated Hours of Operation 3/13/20025 Andrew Poskey Updated title and content formatting 4/2/2025 Andrew Poskey Removed critical, updated to Urgent.

PURPOSE The Mister IT Service Desk will be using Microsoft Bookings to collaborate with team members to get their Service Desk tickets resolved on a day and time that works best for them. This guide walks you through how to book, cancel, and reschedule an appointment. PROCESS TO BOOK YOUR APPOINTMENT Navigate to IT Connect and follow the Steps for submitting a ticket. When the ticket is created you will receive an email with the subject line: Service Desk Ticket #XXXXXX Has Been Created. Schedule an Appointment to meet as soon as possible with an IT Support Technician At the top choose either IT Support - Non-Store or IT Support - Store Select IT Support – Non-Store for all issues relating to individual equipment, such as laptops, employee emails, etc. Select IT Support – Store for all issues relating to IT equipment at a Mister store, such as kiosks, tablets, send station, etc. Select a day and time to meet with an IT Service Desk Technician. NOTE: Available times will not be displayed until IT Support – Non-Store or IT Support – Store are selected. Fill out your details and additional information, including name, email address, cell number, ticket number, and any notes you may have. Finalize your appointment by clicking the Book button at the bottom of the page. You will then receive a confirmation email. TO CANCEL YOUR APPOINTMENT Open your appointment confirmation email. Click “Reschedule”. On the appointment details page, select “Cancel booking”. Confirm you would like to cancel by clicking “Cancel booking”. Your appointment will be cancelled. TO RESCHEDULE YOUR APPOINTMENT Open your appointment confirmation email. Click “Reschedule”. On the appointment details page, select “Reschedule”. Select a day and time to meet with an IT Service Desk Technician.

PURPOSE The primary purpose is to restore normal service operation as quickly as possible and minimize the adverse impact to customers and business operations, thus ensuring that the best possible levels of service quality and availability are maintained. SCOPE Applies to all software and information technology services in use at Mister Car Wash. PROCESS The steps below run through the process from reporting the incident through closing the incident Incident is reported or detected – anyone noticing or hearing of an incident has the responsibility of working through this process. Team members must monitor and triage tickets throughout the day. Incident identification - Failures or potential failures need to be detected early so that the incident management process can be started quickly. Incident logging - All incidents must be fully logged in the Service Desk (even those that seem like duplicates) so that anyone assisting in the resolution has immediate access to all information and to maintain a full historical record. Recording each reported issue helps to understand how widespread the issue is. Incident categorization - Both Urgency and Impact need to be assessed. If the issue has already been reported, relate the issues together. Incident prioritization - Once the impact and urgency are assessed, use “Incident Priority” matrix shown below to identify the priority. Incident management – If this a priority 0-critical or 1-high incident, declare the Incident Owner and the Communication Owner. If possible, two different people should perform these roles so that the time communicating with users does not interfere with resolving the issue itself. Priorities 0 or 1: Contact the ticket owner and confirm they’re aware of the assigned critical or high priority ticket. Incident notification – Communication Owner uses the Communication and Notification table to notify appropriate people based on priority. Initial diagnosis – IT will utilize the collected information on the symptoms to initiate a search of the Knowledge Base to find an appropriate solution. IT will resolve the incident and close the incident if the resolution is successful. Incident escalation - If the necessary information to resolve the incident is not in the Knowledge Base, the appropriate support group (including vendor support) must be consulted for further diagnostics and attempted resolution. Using timelines in the Resolution and Notification table, escalate and provide status updates. Incident resolution – Work on diagnosis and solution until requester verifies that the resolution was satisfactory. An incident resolution does not require that the underlying cause of the incident has been corrected. The resolution only needs to make it possible for the requester to be able to continue their work. Incident closure - Once the requester verifies the issue is resolved, close the ticket. Confirm and/or update incident categorization so it is correct. Update ticket with resolution details Update Knowledge Article with all troubleshooting and remediation steps Determine if this incident could recur and decide preventative action. Use the Incident Priority Matrix below, when an incident is reported or detected. Incident Priority IMPACT High Medium Low Service or major portion of a service is unavailable Issue prevents personnel from performing business critical, time sensitive functions. Issue prevents personnel from performing a portion of their duties. URGENCY HIGH Significant Damage is occurring or will occur rapidly (One or more stores, or all HQ affected) Urgent High Medium Medium Damage increases considerably over time (Part of a store, or HQ departments affected) High Medium Low Low Damage marginally increases over time. (One or two personnel affected) Medium Low Low Examples: Low Issues that are not significantly affecting the site's ability to process cars. Can't print from one machines Single peripheral down Report is not correct Medium Issues that limit's the site's ability to process cars Single tablet down Send Station down but has a work around Primary internet down but on backup (if processing cars normally) High Point of sale extremely slow kiosk down multiple tablets not working Primary internet down, backup is up (not process cars normally) Manager workstation not working Urgent Entire store down Server down Send Station is non-functional Primary and backup internet down Unable to process credit cards Categorization & Prioritization The goals of proper categorization are to: Identify the Impact and Urgency to determine the Priority Indicate what support groups need to be involved Capture meaningful metrics on system reliability All incidents are important to the user, but incidents that affect large groups or mission critical functions need to be addressed before those affecting 1 or 2 people. Resolution and Notification Every issue will be addressed as soon as possible, however, most will need to be triaged and worked in priority order. The Resolution and Notification Table below defines how to report an issue, the expected response time, resolution time, communication method and communication frequency. For example, requesters reporting Critical Incidents, should expect a response within 15 minutes. Resources will be pulled from lower priority issues to try to resolve the issue within one hour. The requester should call (versus email or portal) to report this priority of issue. Both the requester and IT must notify their manager immediately and provide hourly updates. Priority How to Report Expected Response Within Target Resolution Time When to Notify Manager How to Respond Response Update Frequency Urgent Phone 15 Minutes 1 Hour Immediately Phone, Email Follow-Up Every hour until resolved High Phone 15 Minutes 1 Day Immediately Phone, Email Follow-Up Every day until resolved Medium Portal, Email, Phone 4 Hours 2 Days 1 day, if not resolved Email Every two days until resolved Low Portal, Email 24 Hours 5 Days 2 days, if not resolved Email Every 5 days until resolved Issue Escalation Requesters, IT and management play important roles in incident management. If the requester has not been contacted within the “Expected Response Time” or if the issue is not resolved by the “Target Resolution” time, he/she must escalate the issue to his/her manager. If IT has not been able to resolve the issue by the targeted resolution time, he/she must escalate the issue to his/her manager. Escalate to Mister IT using the tiers defined below. Escalation Contact Tier 1 Support Center Supervisors Tier 2 Director of IT Support Tier 3 Director of IT Tier 4 Director of IT Operations Tier 5 Chief Technology Officer Responsibility Matrix (RACI) Obligation Role Description Responsible Responsible to perform the assigned task Accountable (only 1 person) Accountable to make certain work is assigned and performed Consulted Consulted about how to perform the task appropriately Informed Informed about key events regarding the task This RACI pertains to Priority Issues identified as CRITICAL or HIGH. Activity Requestor IT Staff Service Desk Manager Communication Owner Incident Owner Director/ IT Leadership Regional Manager Technical Expert Record Incident in Service Desk A, R Incident Assignment R A, R Incident Categorization A, R Incident Prioritization A, R Declare incident Owner & Communication Owner I R A I I Incident Notification I A R C I I Incident Diagnosis C I C I A, R C Incident Resolution C I I A, R I I I Incident Escalation R I C I A, R I R C Incident Closure C I I I A, R I I Key Performance Indicators (KPIs) Average Cost per Incident: Fixed and variable costs divided by the total number of incidents Average Initial Response Time: Total time between when an incident is reported to when IT responds divided by total number of incidents Average Resolution Time: Average time taken to resolve an incident Percentage of Incidents by Priority: Proportion of total incidents broken down by priority Total Incidents by priority: Quantity of incidents within a defined timeframe Definition and Terms Communication Owner: Person responsible for communicating status of the incident and gathering any additional information about the incident for the incident owner. Impact: Is a measure of the effect of an incident, problem or change, determined by how many personnel or functions that are affected. Incident: An unplanned interruption or reduction in quality of an IT Service. Incident Manager: Person responsible for driving and continually improving the incident management process. Incident Owner: Person responsible for ensuring the incident is resolved. Priority: A category used to identify the relative importance of an incident. Urgency: Is a measure of how long it will be until the issue has a significant impact on the business. Related Procedures IT Essentials Guide for General Managers How to Contact Mister IT Support Mister IT Support Escalation Contacts Revision History Revised Date Revised By Revisions 08/15/2019 Lauren Babson Document created 08/03/2021 Tam Rininger Added Supervisors to the escalation plan. 08/19/2021 Tam Rininger Removed Dir of IT Ops to the escalation Plan. 10/14/2024 Andrew Poskey Moved to Fresh 01/20/2025 Yolanda Terrazas-Franco Updated "VP of IT" to Chief Technology Officer in the Escalation Plan. 01/27/2025 Yolanda Terrazas-Franco Added Director of IT and Director of IT Operations to the Issue Escalation Contacts. 3/13/2025 Andrew Poskey Updated title and content formatting 4/2/2025 Andrew Poskey Updated changes from Word Doc, Added related article section.

PURPOSE Every issue will be addressed as soon as possible; however, most will need to be triaged and worked in priority order. The resolution and notification table below defines how to report an issue, the expected response time, resolution time, communication method and communication frequency. For Example: requesters reporting urgent incidents should expect a response within 15 minutes. Resources will be pulled from lower priority issues to try to resolve the issue within one hour. The request should call (versus email or portal) to report this priority of issue. Both the requester and IT must notify their manager immediately and provide hourly updates. Priority How to Report Expected Response Within Target Resolution Time When to Notify Manager How to Respond Response Update Frequency Urgent Phone 15 Minutes 1 Hour Immediately Phone, Email Follow-Up Every hour until resolved High Phone 15 Minutes 1 Day Immediately Phone, Email Follow-Up Every day until resolved Medium Portal, Email, Phone 4 Hours 2 Days 1 day, if not resolved Email Every two days until resolved Low Portal, Email 24 Hours 5 Days 2 days, if not resolved Email Every 5 days until resolved PROCESS Requester, IT and management play important roles in incident management. It the requester has not been contacted within the "Expected Response Time" or if the issue is not resolved by the "Target Resolution" time, he/she must escalate the issue to his/her manager. If Mister IT has not been able to resolve the issue by the targeted resolution time, he/she must escalate the issue his/her manager. Escalate to Mister IT using the tiers defined below. Issue Escalation Contacts Escalation Contact Cell phone Tier 1 Mikayla Chin - IT Service Desk Supervisor Dan Hunziker - IT Service Desk Supervisor Matt Jessee - IT Service Desk Manager 478-284-4824 503-899-7110 520-955-7352 Tier 2 Tam Rininger - Director of IT Support 330-323-8094 Tier 3 Eric Rodziewicz - Director of IT 520-907-0021 Tier 4 Ryan Rotherforth - Director of IT Operations 520-635-3790 Tier 5 Carlos Chavez - Chief Technology Officer 214-282-4317 Please ensure you have called Mister IT first. If you do not make contact, please escalate the issue by calling the contacts below, starting with Tier 1. If you do not make contact and do not receive a call back within 15 minutes, call Tier 2, followed by Tier 3, and finally Tier 4. As you are escalating the issue, please leave a message that includes your name, location, and a brief description of the issue. Examples of Urgent Issues Store Down Server Down Send Station is Non-Functional Primary and Secondary Internet Down Unable to Process Credit Cards Revision History Revised Date Revised By Revisions 10/01/2018 Lauren Babson Document created 01/07/2021 Tam Rininger Update Escalation Contacts 08/19/2021 Tam Rininger Update Escalation Contacts 12/05/2022 Tam Rininger Update Escalation Contacts 06/16/2023 Tam Rininger Update Escalation Contacts 10/20/2023 Yolanda Terrazas-Franco Update Escalation Contacts 02/29/2024 Yolanda Terrazas-Franco Update Escalation Contacts 07/01/2024 Andrew Poskey Updated Examples List & Added Why to Escalate 10/10/2024 Andrew Poskey Moved to Fresh 10/17/2024 Andrew Poskey Update Escalation Contacts 01/20/2025 Yolanda Terrazas-Franco Update Escalation Contacts 01/27/2025 Yolanda Terrazas-Franco Update Escalation Contacts 3/13/2025 Andrew Poskey Updated title and content formatting 4/2/2025 Andrew Poskey Updated Priority name to Fresh convention, updated grammar.

PURPOSE The purpose of this procedure is to provide Mister standards for creating and protecting passwords. SCOPE This applies to all personnel who (1) have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Mister Car Wash facility, (2) have access to the Mister Car Wash network, or (3) store any non-public Mister Car Wash information. DEFINITIONS Multi-Factor Authentication (MFA) A method of authentication requiring more than one form of validation to verify the user’s identity for a login or other transaction. Password Manager A software application or a hardware device that is used to store and manage a person’s passwords. Typically, stored passwords are encrypted. REQUIREMENTS Password Creation Passwords must meet these standards: Be a minimum of 9 characters in length (passwords of 14 characters or more are better); Not contain personal information, including birthdates, addresses, phone numbers, or names of family members, pets, friends, and fictional characters; Not contain patterns or easily guessed sequences (e.g., “aaabbb”, “qwerty”, 123321”); and Not be some version of “Welcome123”, “Password123”, “Changeme123”, and so on. Passphrases, which are passwords made up of multiple words, are highly recommended. Passphrases like “it’stimeforvacation” and “block_curious_sunny_leaves” meet the password standards listed above and are easy to remember and type. Additional Guidelines Employees must use a separate, unique password for each work-related account they use. Employees may not apply work-related passwords to their personal accounts. It is highly recommended that some form of multi-factor authentication is used for any privileged accounts. Do not use vendor-supplied defaults for system passwords and other security parameters. Password Change The maximum length of time between password changes is 120 days. To comply with PCI regulations, the maximum length of time between password changes for passwords used to access the Cardholder Data Environment (CDE) is 90 days. Passwords cannot be the same as any of at least the last 4 passwords used. Passwords must also be changed when there is reason to believe a password has been compromised. Password cracking or guessing may be performed on a periodic basis by Mister IT or their delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it. Password Protection Passwords must not be shared with anyone, including supervisors and coworkers. All passwords are to be treated as sensitive, confidential Mister information. Passwords must not be inserted into email messages or other forms of electronic communication along with any user- or system-identifying information. Passwords may be stored only in “password managers” authorized by the organization. Do not use the “Remember Password” feature of applications (e.g., web browsers). Any user suspecting that his/her password may have been compromised must report the incident and change all passwords. Rate Limiting An account will be locked out after 5 failed attempts. After an account is locked due to failed attempts, the account will remain locked for 30 minutes. Application Development Application developers must make sure their programs contain the following security precautions: Applications must support authentication of individual users, not groups. Applications must not store passwords in clear text or in any easily reversible form. Applications must not transmit passwords in clear text over the network. Applications must provide for some sort of role management such that one user can take over the functions of another without having to know the other’s password. Multi-Factor Authentication Multi-factor authentication is highly encouraged and should be used whenever possible, not only for work-related accounts but for personal accounts as well. Compliance Mister IT will verify compliance through various methods, including, but not limited to, business tool reports, internal and external audits, and feedback to the owner. Any exceptions must be approved by the IT Security Department in advance. Any employee found to have violated these requirements may be subject to disciplinary action up to and including termination of employment. Approved Exceptions Inspyrus’s use of Jira for change management Navisite’s use of ServiceNow for change management HISTORY Revised Date Revised By Revisions 02/1/2017 Jeff Parry Document created 7/1/2018 Lauren Babson Updated to reflect new NIST SP800-63.3 standards and PCI DSS 9/1/2019 Lucas Shippers Updated document formatting to match Mister policy/procedure format standards. Assigned policy number. Moved information from Appendix A: Password Construction Guidelines into the body of the policy. 1/1/2021 Lauren Babson Added rate limiting section & exceptions for applications not able to comply that fall within SOX audit scope 6/1/2021 Lauren Babson Updated password change policy per SOX audit. Set maximum length of time between password changes at 120 days. 10/14/2024 Andrew Poskey Moved to Fresh 3/13/2025 Andrew Poskey Updated title formatting

PURPOSE Review the security training program available at Mister and understand why data security it important. PEOPLE Hackers target employees because it is easier than trying to break into a network. The security training program at Mister Car Wash stresses why security is important. By understanding the WHY, we believe that even when people forget the HOW, they will ask for help instead of putting the company at risk. Security Awareness Training (Mister Learn) This training teaches employees why and how to protect sensitive data, social engineering, how to spot phishing emails as well as other strategies for staying safe on computers, mobile devices, and in the office. Payment Card Industry DSS Compliance (Mister Learn) This training teaches how to protect consumer credit card data as well as the legal requirements around credit card protection. Security Awareness 101 (Instructor-Led) This training program teaches employees how to create a secure password, why multi-factor authentication is important, what and how to protect sensitive information. Ownership IT develops and/or finds training Department heads are accountable for employee participation Reference Security Awareness Training Policy PROCESS Employees need to take careful and deliberate steps to view and share Mister Car Wash information to protect our employees, customers and the company. Multi-factor authentication The process of verifying that an employee is who they say they are before accessing data is the number one way to prevent bad actors from getting access to sensitive information. Centralize sensitive data instead of distributing through email Minimizing the number of locations where bad actors can gain access to sensitive data reduces the risk. The most secure method to share information is to centralize the data and provide secure means for access. Secure and Encrypt sensitive data The process of securing data will help to keep bad actors from gaining access. Ownership IT works with business owners to develop secure processes Department heads are accountable for employee compliance Reference Data Classification Standards Policy – Categorizes data so employees can refer to the document to determine which types of data needs to be protected as well as whether it needs to be encrypted and/or password protected. TECHNOLOGY The technology includes the third-party applications, tools and network protections we apply. Dayforce, ICIMs (HR) Limit access to employees with a documented need for access to employees’ information Mask sensitive data in the application and on exports (ie replace digits with ‘X’) Encrypt and password protect all sensitive information Oracle (Accounting, Finance) Mask, encrypt and password protect all sensitive information O365 (email and document storage) Configure tools to search for sensitive information and notify user if data is not protected Ownership Department heads are accountable for employee compliance Reference O365 Security and Compliance Center