Ensono, LP International Information Privacy Policy September 2016

Ensono International Information Privacy Policy Issue Date: 09/29/2016 Last Revision Date: 09/29/2016 Revision: v 1.0

Page 2 of 13

Document Version Control
Issue Date: 09/29/2016
Revision: 1.0
Last Revision Date: N/A – Initial Release
Approved By: Ensono, LP Corporate Legal and Audit & Compliance

Revision History

Version Number | Date | Changes Made | Made By
DRAFT v.0.1 | 9/29/2016 | Initial draft | A. Brooks, C. Nwasor
v1.0 | | Revisions |

Approval History

Version Number | Date | Approved By | Title
v1.0 | 9/29/2016 | |

Review History

Version Number | Date | Reviewed By
v1.0 | 9/29/2016 | Audit & Compliance, Corporate Legal


Support Information

Privacy Policy Support

Please email questions to: [email protected]


Legal Notices

Copyright

Copyright 2016 by Ensono, LP. All rights reserved. Reproduction of all or any portion of this text without written consent is expressly prohibited. Users may copy this document only for the express purpose(s) for which the product(s) were designed. Any and all copies of the materials must contain appropriate Ensono, LP copyright statements and acknowledgments.


Table of Contents

1. Privacy Policy ..... 6

1.0 Purpose and Scope ..... 6

2.0 Privacy Laws ..... 6

3.0 Definitions ..... 7

4.0 Administration and Implementation ..... 7

5.0 Policies and Procedures ..... 8

6.0 Data Security ..... 12

7.0 Incident Management and Breach Notification ..... 12

8.0 Accountability ..... 12

9.0 Compliance and Enforcement ..... 13


1. Privacy Policy

1.0 Purpose and Scope

It is the policy of Ensono, LP (“Ensono” or the “Company”) to comply with applicable laws and regulations protecting the privacy of personal information in the jurisdictions in which the Company operates. Ensono respects and protects personal information collected or maintained by or on behalf of the Company, regardless of the form, format, location or use, in support of its business operations, including, without limitation, human resources and commercial operations.

Ensono complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Ensono has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov. In compliance with the Privacy Shield Principles, Ensono commits to resolve complaints about our collection or use of your personal information. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Ensono’s Privacy Office at: [email protected].

This Policy establishes a framework for privacy of nonpublic personal information (“NPI”) (as defined in Section 3.0 below), including but not limited to personal financial information and personal health information (“PHI”). Protecting NPI requires keeping it confidential wherever it is collected and stored, in digital form or otherwise. The principal objectives of the Policy are to:

Ensure the confidentiality and integrity of NPI;

Protect against unauthorized access to or use of NPI;

Prevent harm to individuals due to identity theft, fraud, or any other act that would violate an individual’s right to privacy.

This Policy governs all Ensono employees, contractors, and temporary staff (“Ensono Associates,” as defined in Section 3.0 below) with respect to the protection of NPI. Every Ensono Associate has the obligation to play his or her role in protecting the NPI of fellow Ensono Associates, clients, business partners, and other individuals with whom Ensono has business interactions, in compliance with all applicable laws, regulations, and other Ensono policies and procedures.

2.0 Privacy Laws

US and international privacy laws require safeguards against invasion of an individual’s personal privacy and data. These laws also protect other sensitive information such as military and financial data. US Government Agencies have enacted specific protection requirements for the sensitive data they are responsible for safeguarding. US States have enacted privacy laws for residents to protect the use and disclosure of an individual’s personal information. The European Union as well as other international governments have enacted specific laws designed to safeguard the confidential data of citizens, organizations and governments. Regulations, sanctions and penalties vary by country. Country-specific data protection laws and baseline principles may require registration of the data being collected, restrictions on cross-border data transfers and on cross-border data flows where data is accessed from outside the country, notifications to individuals about collection of their personal data, obtaining individuals’ approval for use, and more. Even the definition of what is considered ‘sensitive’ data varies by country. Penalties for non-compliance can be significant. Misuse or inappropriate exposure of sensitive data has many repercussions, including identity theft, medical fraud, profiling, and financial risk.


Ensono must comply with US and international laws applicable to its business and the data it processes. Confidential data must be used only for its specific legal and business purpose, and measures must be taken to prevent its exposure to hostile exploitation or other misuse. Ensono must also ensure client data is appropriately managed.

3.0 Definitions

For purposes of this Policy, the following definitions apply:

“Ensono Associate” means any employee, contractor, agent, or temporary staff member of the Company, to the extent such individual handles, processes or has access to NPI.

“Nonpublic personal information” (“NPI”) means:

Information in any media or format, that identifies or may be used to identify an individual and the protection of which is governed by applicable data privacy or security law (including statutes, regulations, orders, etc.), and does not consist solely of information that is lawfully obtained from public sources, publicly available information, or from federal, state or local government records lawfully made available to the general public. NPI may include, but is not limited to: (1) an individual’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such individual: Social Security number, driver’s license number, other government-issued identification number, biometric identifier, medical coverage number, or financial account number or credit card/debit card number that would permit access to the individual’s financial account, and (2) health information together or in association with an identifier of an individual (such as initials, an e-mail address, birth date, or any other identifying number or code). NPI also includes information that is deemed “protected health information” (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”).

NPI does not include anonymized data, such as aggregated data, so long as the aggregation is sufficient to prevent identification of an individual from that data either itself or in combination with publicly available data.

“Third Party” means any person, company or organization (e.g., a vendor or business partner), public authority/agency, or other entity outside of the Company that provides or receives or processes NPI from or on behalf of Ensono.

4.0 Administration and Implementation

Corporate Legal

Ensono’s Corporate Legal division of the Legal Department has primary responsibility for the administration of this Policy. In fulfilling that responsibility, Corporate Legal shall consult regularly with the Audit and Compliance Department (“Compliance”), and as appropriate, Ensono’s Information Technology Department (“IT”), Human Resources (“HR”), and others.

Review and Revision

Corporate Legal shall review this Policy periodically and ensure that it is updated and revised as appropriate. It shall monitor updates in applicable data privacy law to ensure that this Policy reflects Ensono’s legal obligations with respect to NPI.

Training

All Ensono Associates must be educated on the principles and procedures set forth in this Policy. Such education shall include initial training and “refresher” training in the event of material revisions to the Policy.


5.0 Policies and Procedures

1. COLLECTION AND USE OF NPI

1.1 Permissible Uses of NPI

Ensono collects and uses NPI to effectively manage its business and to comply with its legal obligations. For example, Ensono may collect and use NPI for legitimate business purposes such as, without limitation:

• Providing compensation and benefits to employees;

• Managing payroll and tax information;

• Evaluating employee medical leave requests;

• Conducting background checks;

• Fulfilling requests and providing information to clients;

• Creating and designing new products and services;

• Operating its business in the normal course and managing its risks, including for auditing and security purposes;

• Creating aggregated, de-identified information for analytical or reporting purposes;

• Reporting adverse events;

• Handling litigation and complying with government (regulatory, judicial, legislative) requests or orders; and

• Otherwise protecting Company rights or process.

1.2 Authorized Users of NPI

Ensono Associates whose use or handling of NPI is required by the nature of their jobs may not use NPI for any purpose other than to perform their job functions.

1.3 Minimum Necessary Uses

Ensono uses only the type and minimum amount of NPI needed to accomplish the purposes for its legitimate uses of NPI. Ensono Associates must use only that minimum amount of NPI to perform their legitimate and authorized responsibilities.

1.4 Uses for Marketing Purposes

Ensono does not use NPI for marketing purposes, including to promote, advertise, or suggest the benefits or quality of any Ensono product or service, if the individual to whom the NPI pertains has not consented to such use of the NPI or has opted out of such use.

2. DISCLOSURE OF AND ACCESS TO NPI

2.1 Permissible Purposes for Disclosures


Ensono limits its disclosures of NPI to those necessary to accomplish the Company’s legitimate business purposes, including without limitation, those purposes described under Section 1.1 of this Policy.

2.2 Disclosures Within Ensono

Access to NPI maintained by Ensono is limited to those Ensono Associates or Third Parties with a legitimate need to know such information. For example, those with access to NPI needed to conduct payroll functions may not have access to specific client NPI.


2.3 Disclosures to Third Parties

2.3.1 Scope of Disclosure Generally

Ensono discloses only the minimum amount of NPI necessary to achieve the purpose of the disclosure. All disclosures of NPI must be reviewed and authorized by Corporate Legal. To the extent disclosures are made to a Third Party, Ensono Associates must ensure that the NPI is disclosed only to those individuals employed by or acting on behalf of such a Third Party who have a specific need to view the NPI.

2.3.2 Subcontractors/Vendors

NPI may be disclosed to an Ensono subcontractor (including any Third-Party vendor) only pursuant to a written agreement providing that the subcontractor agrees, prior to accessing any NPI, to protect the NPI as set forth in the data privacy and security provisions of Ensono’s template agreements for contracts with Third Parties. Any variance from the template data protection provisions must be approved by Corporate Legal.

NPI may not be disclosed to a Third Party subcontractor prior to receipt by Ensono of the subcontractor’s completed Security Assessment Questionnaire, determination of suitability by the Audit and Compliance Department, and duly executed legal agreements.

2.3.3 Disclosures to Governmental and Regulatory Agencies or Authorities

NPI may be disclosed to a governmental or regulatory agency and/or authority for the purpose of complying with the Company’s reporting obligations or complying with a legal demand or request by such entities for such information.

2.3.4 Individuals’ Access to Their Own NPI

Ensono endeavors to ensure that all NPI it maintains is accurate. When the Company receives a request to revise or delete certain data elements of NPI, appropriate action is taken to evaluate and, if feasible and appropriate, grant the request.

Ensono will grant an individual’s requests for correction/updating of his/her NPI absent questions regarding the veracity or source of the purportedly corrected/updated information. Corporate Legal will resolve any such questions and report to the individual the reason for any denial of the individual’s request.

Direct access by an individual to his or her NPI shall be provided for purposes of confirming the accuracy, integrity, and current validity of the information. Ensono will provide an individual with access to his/her NPI in a form and manner that protects the confidentiality of other NPI and does not impose undue cost upon the Company.

Individual access shall be granted in accordance with this Policy by approval of Corporate Legal of a written request from:

HR, on behalf of an Ensono employee;

A Third Party contractor, on behalf of its employees;

An Ensono Associate, on behalf of a consultant retained by such Associate or for whom such Associate manages the consultant’s business relationship with Ensono.


3. RETENTION AND DISPOSAL OF NPI

3.1 Retention

Ensono retains NPI for the minimal time necessary to accomplish the purposes for which it was collected or is needed to fulfill the Company’s legitimate business objectives, consistent with Ensono’s general data retention policies and any specific document holds applicable to the information or retention period required by law.

3.2 Disposal

If certain NPI is no longer permitted to be maintained by the Company pursuant to applicable law, internal retention policies, or contractual agreements with third parties, each Ensono Associate must either destroy the NPI in an approved manner (as described below) or provide the NPI to his/her manager for its disposal or safe-keeping. NPI that is subject to disposal in accordance with this policy must be disposed of using means that ensure it is no longer accessible.

3.2.1 Hard-Copy Documents

Any hard copy or printed material that displays or contains NPI must be destroyed in a manner that prevents reconstruction. The approved method of destruction is shredding.

3.2.2 Electronic Documents

To dispose of electronic NPI, the NPI must be forensically purged or destroyed.

4. HEALTH AND FINANCIAL INFORMATION

4.1 Personal Financial Information

Ensono may have obligations to protect the confidentiality of nonpublic personal financial information under the federal Gramm-Leach-Bliley Act and its implementing regulations, if Ensono is handling such information by or on behalf of a financial institution. If Ensono handles credit or debit card information, it may also have obligations under the Payment Card Industry Data Security Standard (“PCI DSS”). Where applicable, Ensono must comply with all relevant aspects of those regulations and standards.

4.2 Protected Health Information under Federal Law

Under the federal data privacy and security regulations implementing HIPAA, individually identifiable information pertaining to an individual’s health or receipt of healthcare or healthcare benefits, is deemed PHI. Ensono may be subject to the HIPAA regulations to the extent it performs services for “covered entities” (health care providers and health plans). In such an instance, Ensono would be considered a HIPAA “business associate.” If an Ensono Associate is requested to enter into a HIPAA business associate agreement, he/she should contact Corporate Legal to discuss the request and make a determination as to whether the agreement would be appropriate. In addition, in providing certain health and wellness benefits to associates, Ensono may need to disclose NPI to third party service providers. In such instances, Ensono will secure reasonable assurance that such third parties will safeguard NPI by executing a business associate agreement, which obligates service providers as required by law.

4.3 Protected Health Information under EU Law


Ensono commits to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to human resources data transferred from the EU in the context of the employment relationship.

6.0 Data Security

Ensono has developed standards and policies with regard to protection of NPI and other sensitive data. The Ensono Information Security Policy (ISP) is the foundation of Ensono’s data protection policy. It provides classifications of data and guidelines for protection. It includes guidelines concerning acceptable use, access controls, and data destruction, as well as management of security incidents. Ensono requires that its Associates understand the data security protection requirements of sensitive data.

Identification of sensitive data is the responsibility of the information owner as defined in the ISP. Ensono Associates who, as part of their job role, collect, store, and/or maintain such data must comply with the security controls. Applications used in support of Ensono functions must be designed with controls to secure sensitive data processed by the application. Data classified as sensitive must be limited to only that which is necessary to be collected, processed or stored for business purposes. In addition, anonymizing data and using ‘Privacy by Design’ is a recommended approach in the development of applications which process sensitive data.

Ensono clients are the information owners of client data. As such, they must identify where sensitive data exist on their systems and ensure it is appropriately protected by access controls and encryption. It is strongly recommended that sensitive data be encrypted at all times when stored or transmitted. A strong encryption cipher such as AES-256 should be used whenever possible.
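The paragraph above names the cipher but not how it should be used, and in practice the mode of operation, nonce handling and key custody decide whether "AES-256" actually protects a record against both disclosure and tampering. The Go program below is an added example written for this page; it is not Ensono code and not part of the policy. It shows what encrypting an NPI record with AES-256 looks like when done with an authenticated mode (AES-256-GCM from the Go standard library): a fresh random nonce per record, a key length check so an AES-128 key cannot slip in, and the record's storage context bound in as additional authenticated data so a ciphertext copied into a different record or table fails to decrypt. The function names SealNPI and OpenNPI, the key handling, the context string and the sample record are assumptions of the example; in a real deployment the key would come from a KMS or HSM rather than being generated in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// aes256KeyLen is the key length that makes AES "AES-256".
const aes256KeyLen = 32

// SealNPI encrypts one NPI record under a 32-byte key with AES-256-GCM.
// The returned blob is nonce || ciphertext || GCM tag. aad (additional
// authenticated data) is not encrypted but is bound to the ciphertext, so a
// blob moved to another record or table cannot be decrypted there.
// (Hypothetical helper written for this example.)
func SealNPI(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != aes256KeyLen {
		return nil, errors.New("SealNPI: key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; reusing a nonce under the same key
	// breaks both confidentiality and integrity for GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenNPI reverses SealNPI. Any change to nonce, ciphertext, tag or aad
// yields an error and no plaintext is returned.
func OpenNPI(key, blob, aad []byte) ([]byte, error) {
	if len(key) != aes256KeyLen {
		return nil, errors.New("OpenNPI: key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("OpenNPI: blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Key generated here only for the demo; in production it comes from a KMS/HSM.
	key := make([]byte, aes256KeyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("J. Doe, SSN 000-00-0000, acct 1234567890") // constructed sample NPI
	ctx := []byte("hr/payroll/employee/4711")                    // assumed record context, used as AAD

	blob, err := SealNPI(key, record, ctx)
	if err != nil {
		panic(err)
	}
	if pt, err := OpenNPI(key, blob, ctx); err == nil {
		fmt.Printf("decrypted in the right context: %q\n", pt)
	}
	if _, err := OpenNPI(key, blob, []byte("client/acme/row/1")); err != nil {
		fmt.Println("moved to another context: rejected ->", err)
	}
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	if _, err := OpenNPI(key, blob, ctx); err != nil {
		fmt.Println("tampered ciphertext: rejected ->", err)
	}
}
```

The point a policy reader should take from this: "AES-256" in a non-authenticated mode such as CBC or ECB would still hide the record but would not detect the tampering or the context change that the last two checks catch, and none of it helps if the key sits next to the data it protects.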

7.0 Incident Management and Breach Notification

In the event of a potential breach of the privacy of NPI or other confidential information, Ensono’s incident response and management protocol shall be activated. Following such incidents, a risk of compromise assessment shall be performed to determine if a notifiable breach occurred. Upon the determination of the occurrence of a notifiable breach, formal breach notifications shall be made to appropriate parties, based on regulatory and/or contractual requirements.

8.0 Accountability

Ensono teams responsible for policy oversight and execution are:

Company Management and Board of Directors

Corporate Legal

Information Security

Human Resources

Finance

Marketing and Sales

Operational teams


9.0 Compliance and Enforcement

All Ensono Associates having access to sensitive data shall fully comply with this policy and related security requirements. Policy compliance is a continuous process and will be assessed as part of Ensono’s Enterprise Risk Management (ERM) program.

Obligation to Report

Each Ensono Associate has the responsibility to report any known or suspected violation of this Policy, including upon receipt of notice of such a violation from a Third Party. Such reports shall be made to Corporate Legal as promptly as possible after discovery of a known or suspected violation. Ensono shall treat each such report with confidentiality to the extent permitted with respect to the reporting individual.

Content of Report

Reports of known or suspected violations should include all of the following to the full extent known:

• Names and locations of persons, databases, and systems involved with the incident;

• Nature and description of the incident, including the type and extent of NPI involved;

• Approximate date and time of the incident;

• Date and time that the person making the report initially learned of the incident, or otherwise the time Ensono first had knowledge of it; and

• Contact information for the person making the report and any other persons who were involved in identifying the incident.

Complaints by Individuals Regarding Privacy Protection

In compliance with the Privacy Shield Principles, Ensono commits to resolve complaints about our collection or use of your personal information. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Ensono’s Privacy Office at: [email protected].

All such complaints shall be documented by Corporate Legal and shall be investigated to the extent necessary to determine whether and what remedial action may be warranted. Confidentiality will be maintained throughout the investigatory process to the extent consistent with adequate investigation and appropriate corrective action.

Responsive/Remedial Action

Violations of this Policy by Ensono Associates could result in disciplinary action up to and including termination of employment, termination of a work assignment or contract, as applicable, and/or legal action.

* * * Questions related to this policy should be directed to [email protected].