Corporate Rules

Purpose

Kentik’s goal is to apply uniform, adequate and global data protection and privacy standards for the handling of user (User) personal information (User Information) throughout Kentik Technologies Inc.

Scope

These Binding Corporate Rules (Corporate Rules) are corporate guidelines that apply to the processing of User Information by Kentik.

User Information, also referred to as Personally Identifiable Information (PII), means information relating to an identifiable User. An identifiable User is an individual who can be identified, directly or indirectly, based upon the information collected about the individual.

Kentik does not knowingly process User Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or concerning health, sexual life or criminal records (Proprietary/Confidential Information).

Application of Laws

With varying legal requirements throughout the world relating to data protection, the Corporate Rules establish a consistent set of requirements to help ensure the appropriate use of User Information. While the Corporate Rules create a baseline requirement for Kentik to comply with, Kentik will comply with applicable laws that may impose a stricter standard than those set forth in these Corporate Rules.

All Kentik employees and contractors are obligated to comply with these Corporate Rules.

The Corporate Rules are global User Information processing guidelines for Kentik. Collection and processing of User Information shall occur in accordance with the service’s term and conditions, the law applicable to the User and the guidelines established by these Corporate Rules. Where applicable law is more protective than the guidelines set forth by the Corporate Rules, Kentik will process User Information in accordance with the applicable law. If applicable law provides for a lower level of protection, the guidelines of the Corporate Rules shall apply. The Corporate Rules are binding obligations and failure to follow them may result in employee corrective action, including termination and other penalties as provided by law.

Where Kentik employees have reason to believe that applicable law may prevent compliance with the Corporate Rules resulting in a substantial effect on the protections provided by the Corporate Rules, Kentik employees will promptly inform the Kentik privacy team, which will, in turn, inform the relevant data protection authorities (except where prohibited by law enforcement or other government official).

Where there are multiple interpretations of the commitments, terms or definitions made in these Corporate Rules, Kentik employees shall interpret the Corporate Rules in a way that is most consistent with the basic concepts of the principles of EU Directive 95/46/EC.

Principles for Processing Personal Information

Processing means any operation or set of operations which is performed upon User Information, whether or not by automatic means such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking erasure or destruction.

Kentik will observe the following processing principles for User Information:

• process User Information fairly and lawfully;
• provide notice to Users about the processing of their personal information and their rights;
• collect User Information for specified, legitimate purposes and not process further in ways incompatible with those purposes;
• maintain User Information in adequate and relevant ways, in relation to the purposes for which they are collected;
• keep User Information accurate and up-to-date as reasonably possible;
• process User Information in a way that is relevant and not excessive for the purposes which they are collected and used;
• store User Information for as long as necessary for the Services; and
• protect User Information with appropriate physical, technical and organizational security measures to prevent unauthorized access, unlawful processing and unauthorized or accidental loss, destruction and damage.

Where the processing involves automatic decision-making or processing which significantly affects the User (Automated Decisions), Kentik shall provide suitable measures to safeguard the User’s legitimate interests, such as providing the User an opportunity to have a customer support representative review the decision manually and permit the User to provide their point of view.

Purposes for Processing User Information

Kentik Data Controllers must provide a privacy policy and disclose the nature and type of User Information processed and transferred. Generally, Kentik Data Controllers process User Information to facilitate the Services Users request, resolve disputes, troubleshoot problems, process transactions, collect fees owed, measure consumer interest in Kentik Services, inform Users about online and offline offers, products, Services, and updates, customize Users’ experiences, detect and protect Kentik against error, fraud and other criminal activity, enforce the Service’s terms and conditions and as otherwise described to Users at the time of collection.

Where the Data Controller transfers User Information to a Data Processor, the Service’s privacy policy must describe the processing performed by the Data Processor and the nature and type of Data Processors. Processing of User Information is limited to the purposes and conditions described above, the disclosures made in the Service’s privacy policy and the directions of the Data Controller. Further processing in a way incompatible with those purposes will not take place unless a User is notified and consent is received according to applicable law.

The Services’ privacy policy shall be accessible via a link in a prominent location and displayed during registration providing additional details according to applicable law regarding the collection, processing, protection and transfer of User Information.

Security, Confidentiality and Privacy Awareness Training

Kentik will use physical, technical and organizational security controls commensurate with the amount and sensitivity of the User Information to prevent unauthorized access, use, loss, destruction and damage. Kentik will use encryption, firewalls, access controls, standards and other procedures to protect User Information from unauthorized access. Physical and logical access to electronic and hard copy files is further restricted based upon job responsibilities and business needs.

Kentik will conduct privacy and information security awareness training to emphasize and inform employees of the need to protect and secure User Information. Access to User Information shall determine the need for additional training relating to specific policies as well as these Corporate Rules. Kentik will inform employees that failure to comply with these policies may result in disciplinary actions. A copy of these Corporate Rules and other relevant privacy and security related policies and procedures are available to employees at any time.

User Choices

Users that do not wish to receive marketing communications from Kentik should indicate their preference on their account profile page or by following the directions provided in an email or from a link on the advertisement.

Kentik will strive to provide Users with the opportunity to review, access and rectify their own User Information using the appropriate online tool or self-service process as is described on the Service’s website they visited. In all cases, Users have the right to submit a data subject access request to view User Information not accessible via the Service’s website. User should contact customer support via directions provided by the Service. Kentik will comply with reasonable requests in a commercially reasonable period so long as it does not require a disproportionate effort to retrieve and where applicable law requires access. In these instances, Users may be required to provide proof of their identity and may be subject to a servicing fee as permitted by applicable law.

Users who object to the processing of their User Information may request to have their accounts closed by following the instructions provided via the Service’s website. Kentik will remove or render anonymous a User’s information from the Service as soon as reasonably possible based upon account activity and in accordance with applicable law. In some instances, Kentik may delay the closure of an account or retain User Information to investigate. Kentik may also retain User Information from closed accounts to comply with law, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce the Service’s terms and conditions, comply with legal requirements and take other actions otherwise permitted by applicable law.

Transferring and Sharing User Information

Kentik may transfer User Information to other Kentik data centers under the authority and only on the instructions of the Data Controller (except where required by the relevant Kentik’ local law or local competent authorities) when there is a legitimate business need, sufficient technical and organizational security measures exist and the recipient has complied with the Corporate Rules or provides an adequate level of protection when processing User Information (for instance by entering into contracts based on the model clauses for the transfer of EU User Information to processors or controllers established in third countries published by the European Commission).

Kentik may share User Information with third party processors (such as service providers or vendors) worldwide who help with their business operations. The Kentik Privacy Policy further describes the types of third parties Kentik may share User Information with and under what circumstances. Contracts with third party processors require adequate technical and organizational security measures, limit the use of User Information to purposes defined by the Data Controller and retain control of User Information where applicable. Additionally, Kentik will only transfer User Information of Users located in the EU to third party processors that provide an adequate level of protection when processing User Information (for instance by entering into contracts based on the model clauses for the transfer of EU User Information to processors established in third countries published by the European Commission). Agreements with third party processors provide for legal remedies in the event of a breach of the agreement.

According to applicable law, treaties or applicable international conventions, Kentik may share User Information with law enforcement, regulatory authorities or other third parties when: required as a matter of law; it is necessary to protect Kentik’s rights; it is necessary to keep the Services free from abuse; or there is a legitimate purpose (e.g., to prevent imminent physical harm, financial loss or to report suspected illegal activity).

Kentik may disclose User Information to other third parties for the third party’s own purposes in accordance with the User’s instructions or with the unambiguous informed consent of the User (where permissible under applicable law).

Direct Marketing

Kentik do not sell or rent User Information to third parties for their marketing purposes without the User’s prior consent. With the exception to those Users who have selected not to receive certain communications, Kentik may use User Information to target communications to Users based on their interests according to applicable law.

Complaint Handling Process

If a User believes that their User Information has been processed in violation of the Corporate Rules, the User may report concerns to the Kentik data protection officer of the Data Controller (i.e., within the terms and conditions of the Services the User has requested) (Data Controller) via the Service’s website, email, or as otherwise indicated in the Service’s terms and conditions.

Users can generally find answers to the most common privacy questions and concerns by typing the word “privacy” into the relevant Service’s help section, which will usually direct the User to a privacy specific page or policy. The “help” section of the relevant Service is the unique entry point for all Users’ queries relating to their privacy or the processing of their User Information and provides User’s the opportunity to contact customer support. Customer support shall investigate and attempt to resolve concerns raised by Users. Employees responsible for addressing privacy related concerns work closely with the Kentik privacy team and issue comments consistent with the policies, procedures and guidance issued by the Kentik privacy team. If a User believes their concern has not been addressed adequately, they can request their concern be escalated to the legal department or the Kentik privacy team. Escalation paths shall be determined based upon the nature and scope of the concern and shall be forwarded to the appropriate team without delays.

A response to the complaint shall be provided to the User within a reasonable timeframe.

The Kentik privacy team is a corporate team reporting into Kentik Technologies Inc. and is responsible for privacy matters for all Kentik globally. The Kentik privacy team develops and coordinates implementation of its compliance strategy across Kentik. The Kentik privacy team is led by the Data Protection Officer (a senior position within Kentik Technologies Inc.) and interacts with other groups such as operations, engineering, and finance to ensure consistent privacy communications and policies. Additionally, the Kentik privacy team has direct and indirect representatives throughout Kentik that help to ensure compliance with the Corporate Rules and applicable data protection laws.

Liability and Third-Party Beneficiary Rights

Kentik employees and contractors will comply with these Corporate Rules. The Corporate Rules are binding obligations and failure to follow them may result in employee corrective action, including termination and other penalties as provided by law.

If an EU User suspects a breach of the Corporate Rules based upon User Information transferred from the EU to an entity located outside of the EU, the User should report his/her concern to the Data Controller’s Data Protection Officer via the Service’s website, email or as otherwise indicated in the Service’s terms and conditions. The Data Controller will investigate claims of non- compliance to determine if a violation of the Corporate Rules has occurred. If the violation is confirmed, the Data Controller and other concerned Kentik team shall work together to address and resolve the violation within a commercially reasonable time.

EU Users that suspect a breach of the Corporate Rules have the right to claim enforcement of the Corporate Rules or liability as third party beneficiaries for the following sections of the Corporate Rules: III, IV, V, VI, VII, VIII, IX, X, XI and XIV and, where appropriate compensation from the exporting Data Controller in the EU before the relevant data protection authority or courts in accordance with the terms set up in the Corporate Rules and applicable law. While it is not required, an EU User should first report his/her concern directly to the Data Controller rather than the data protection authorities or the courts. This enables an efficient and prompt response from the Data Controller and minimizes possible delays from data protection authorities or court procedures. The exporting Data Controller and its EU headquarters shall not be liable if they reasonably demonstrate that the non- EU Entity has not violated the Corporate Rules or is not responsible for the act resulting in the damage claimed by the EU User.

The enforcement rights and mechanisms described above are in addition to other remedies or rights provided by Kentik or available under applicable law.

Audit Procedures

To help ensure compliance with the Corporate Rules, the Kentik privacy team reviews, on a periodic basis, User Information processing activities and practices. The privacy team is an independent and objective advisor to management and the Board of Directors and communicates audit findings to the Board of Directors. The Kentik privacy team shall, if necessary, require an action plan to ensure compliance with the Corporate Rules. To the extent that internal groups do not resolve matters adequately, Kentik may appoint independent external auditors for further resolution.

The Kentik privacy team shall review and address matters relating to non-compliance with the Corporate Rules identified in the course of a review or upon notice by a Kentik employee, User or other individual. Audit findings are available to relevant data protection authorities upon request. Kentik will redact portions of the audit to ensure confidentiality of proprietary or otherwise company confidential information. Further, Kentik will only provide audit findings relating to privacy.

Modifications to the Corporate Rules

Kentik reserves the right to modify the Corporate Rules as necessary, for example, to comply with changes in laws, regulations, Kentik practices, procedures and organizational structure or requirements imposed by data protection authorities. The Kentik privacy team must approve all changes to the Corporate Rules and shall track all modifications to the Corporate Rules. Kentik shall report to the relevant data protection authorities changes to the Corporate Rules where approval is required or at least on an annual basis.

Changes to the Corporate Rules shall be applicable to all existing entities bound by the Corporate Rules on the effective date of implementation. Newly formed or acquired entities shall be bound by the Corporate Rules or guarantee an adequate level of protection prior to processing User Information.

Kentik will provide notice of material changes to Users in accordance with their Service preferences and/or shall post the revised Corporate Rules on select external websites accessible by Users. Revisions to the Corporate Rules are effective within a reasonable period after Kentik notifies the User and/or posts the revised Corporate Rules.

Obligations Toward Data Protection Authorities

Kentik will respond diligently and appropriately to requests from data protection authorities about the Corporate Rules and their compliance with privacy laws and regulations. If an employee receives such a request from a data protection authority, he or she should immediately inform a member of the Kentik privacy team or legal department so that the Kentik Data Protection Officer can provide the data protection authorities with names and contact details of relevant contact persons within Kentik who will reply to the data protection authority.

With regard to transfers of User Information between Kentik data centers, the importing and exporting entities will cooperate with inquiries and accept audits from the data protection authority responsible for the entity exporting the data, and respect decisions, consistent with applicable law and due process rights.