Arrowsight cares about our customers’ privacy and are committed to protecting their personal information in accordance with fair information practices and applicable data privacy laws. As a sign of our commitment to privacy, we have adopted the following policy on data confidentiality, transfers of personal information and associated individual privacy rights, with the aim of ensuring that our customers’ personal information is protected.

1. DOCUMENT PURPOSE

1.1 This Privacy Policy and Notice explains how we collect, use and share our customers’ personal information. We collect personal information in a variety of ways through our normal business activities, both online and offline. This includes, as examples, when a customer enters into agreements, communicates with us, or register as users with access to our customer specific reporting websites.

1.2 Personal information means any information relating to an identified or identifiable natural person; one who can be identified, directly or indirectly, by reference to an identifier such as name, an identification number, location data, or an online identifier.

2. CATEGORIES OF PERSONAL INFORMATION

Personal information that Arrowsight may collect includes:

• Contact information that allows Arrowsight to communicate with a customer, such as name, job title, prefix, username, mailing address, telephone numbers, email addresses, or other addresses that allow Arrowsight to send messages related to products and services (e.g. Remote Video Auditing service) provided by Arrowsight.

• Our service may collect event information such as audio and still-image recordings from customer devices, motion detection and environmental conditions surrounding the recording devices, and date/time stamp or other event data which is automatically recorded and collected for purpose of providing the service.

In all cases, in accordance with Arrowsight’s Data Classification and Retention policy, our customer data is considered Confidential.

3. LEGAL BASIS FOR PROCESSING

The following list serves as the legal basis and purpose Arrowsight’s collection and processing of this information:

• Managing contractual obligations and the ongoing relationship with a customer.

• Legitimate interests of Arrowsight, which are our usual business activities, such as improving our products and services.

• Managing Arrowsight’s supply chain such as the management of Arrowsight’s business partner network.

• Ensuring the security of Arrowsight’s websites, networks and systems, and facilities.

• Managing Arrowsight’s everyday business needs, such as financial account management, contract management, audit, reporting and legal compliance.

• Compliance with Arrowsight’s legal obligations under applicable law.

4. RECIPIENTS OF PERSONAL INFORMATION

4.1 Third Parties – - Arrowsight may use third parties to provide or perform services and functions on Arrowsight’s behalf. Arrowsight may make personal information available to these third parties, to perform these services and functions. Any processing of that personal information will be following customer approval, in accordance with Arrowsight instruction, and compatible with the original purpose.

4.2 As Required by Law – - Arrowsight may also make personal information concerning individuals available to public or judicial authorities, law enforcement personnel and agencies as required by law, including to meeting national security or law enforcement requirements. Where permitted by law, Arrowsight may also disclose such information to third parties (including legal counsel) when necessary for the establishment, exercise or defense of legal claims or to otherwise enforce Arrowsight’s rights, protect Arrowsight property or the rights, property or safety of others, or as needed to support external audit, compliance and corporate governance functions.

4.3 Transfer in the Event of Sale or Change of Control – - Arrowsight may transfer personal information to a third party in the unlikely event of any reorganization, merger, sale, joint venture, assignment or other disposition of all or any portion of Arrowsight’s business or assets.

5. RETENTION

Arrowsight will retain personal information as long as necessary to achieve the purpose for which it was collected, usually for the duration of any contractual relationship and for any period thereafter as legally required or permitted by applicable law.

6. PROTECTION OF PERSONAL INFORMATION

6.1 Security Measures — Arrowsight applies appropriate technical, physical and organizational measures that are reasonably designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and against other unlawful forms of processing. Access to personal information is restricted to authorized recipients on a need-to- know basis. Arrowsight maintains a comprehensive information security program that is proportionate to the risks associated with the processing. The program is continuously adapted to mitigate operational risks and to protect personal information, taking into account industry-accepted practices.

6.2 Responsibility as Data Processor— Arrowsight will collect and process information, possibly including personal information, only as instructed by the customer and will not use or disclose it for Arrowsight’s own purposes. Arrowsight maintains information security controls to protect customer information and will only disclose or transfer the personal information as instructed by the customer or to provide the requested service. Unless otherwise instructed by the customer, Arrowsight treats the personal information processed on behalf of customers in line with our commitments on disclosure and transfer as set forth in this notice. Arrowsight will also use enhanced security measures in the event that we are contractually required to process any sensitive personal information.

7. CUSTOMER RIGHTS

Customers may request to access, rectify, or update inaccurate or out-of-date personal information by contacting their respective business account manager or Arrowsight’s Legal Counsel. To the extent of applicable law, customer’s may have the right to request erasure of personal information, restriction of processing as it applies to them, object to processing and the right to data portability.

8. CONSENT AND WITHDRAWAL OF CONSENT

By providing personal information to Arrowsight, customers understand and agree to the collection, processing and use of such information as set forth in this Privacy Notice. Where required by applicable law, explicit consent will be obtained. Customers may always object to the use of personal information for direct marketing purposes or withdraw any consent previously granted for a specific purpose through opting out as a result of communicated notices or by contacting Arrowsight’s General Counsel.

9. MODIFICATIONS TO ARROWSIGHT’S PRIVACY NOTICE

Arrowsight reserves the right to change, modify, and update this Privacy Policy and Notice at any time. As described previously, any material changes to this policy or the use of personal information will follow appropriate customer notification.

10. POLICY CONTACT INFORMATION

If customers would like to communicate with Arrowsight regarding privacy issues or have questions, comments or complaints, please contact Arrowsight’s General Counsel via the following mechanisms: jean.zimmerman@arrowsight.com

View PDF version of this Privacy Policy and Notice.

Updated as of January 1, 2022.