Data retention policy
Data Retention and Destruction
O.C. Tanner’s computer systems maintain a large quantity of data relating to employees of corporate clients for whom we provide employee recognition solutions. O.C. Tanner’s clients include many multi-national financial, major airline, healthcare, and pharmaceutical corporations that often have federal regulations imposed upon them. This policy provides timelines for the retention of client data to abide by our clients’ security requirements.
Client data that resides in production front-end application systems, including the Anniversaries, Recognition and Yearbook platforms, is deleted from the database after a predetermined period. The timelines associated with each platform are as follows:
• Anniversaries: Data is retained in the production database until termination of services and for 5 years thereafter unless requested to be deleted. This data is then anonymized by client and employee ID.
• Yearbook: Comment data is stored as text analytics for 5 years and retained indefinitely.
• Recognition: Data is retained in the production database until termination of services and for 5 years thereafter unless requested to be deleted. This data is then anonymized by client and employee ID.
• CRM: Case history data is retained in the Client Services database for 18 months after resolution date.
• Print and drop-ship vendors (including merchandise and voucher vendors): Data is retained for 5 years and then deleted (unless applicable law requires longer retention).
• Client employee population files: Files are retained for 120 days and then deleted; for localized clients (i.e., clients who have chosen to have their population files localized in a cloud instance outside
Retention for Warranty Purposes
Client data is retained for 5 years to accommodate additional warranty time provided by O.C. Tanner on awards. Following 5 years, client data is anonymized unless otherwise directed by O.C. Tanner’s General Counsel.
Prior to 5 years and upon a written request from an authorized client representative, O.C. Tanner will delete and assure the destruction of client and transaction information. However, such a client request negates any remaining product warranties supported by O.C. Tanner, as O.C. Tanner will no longer have the information to validate and support any product warranties.
Retention for Tax Purposes
Client data residing in the backend Enterprise Resource Planning System (SAP) is retained for a minimum of 7 years to accommodate IRS reporting requirements. After 7 years, the data is deleted from the SAP system unless otherwise directed by O.C. Tanner’s General Counsel.
Data archiving and removal policy
Data Destruction Process
On at least an annual basis, O.C. Tanner conducts reviews to identify clients with no activity (no sales, credit/debit balance, and account activity) in the past 5 years. If the client is a subsidiary of a parent organization or has a sibling that is still an active client, O.C. Tanner retains the client data and follows the retention as described above. If not, deletion/anonymization is scheduled during the 12-month period following the review.
Data storage policy
Retention of Corporate Data
In order to provide improved client service, audit trails, and good corporate governance, O.C. Tanner retains corporate information. Policies regarding the gathering and management of client and client information are covered in other policies. This policy covers the retention of corporate data:
• For audit reasons, O.C. Tanner retains financial information for 7 years.
• Contracts and request for proposal (RFP) responses are retained for 7 years.
• Security audit results, compliance certifications, and questionnaire responses are retained for 7 years.
• Proposals and other sales documents are retained for 1 year unless otherwise directed by O.C. Tanner’s General Counsel.
Our data is stored in secure data centers on encrypted SANs where data blocks are striped across hundreds of disks, making forensic recovery practically impossible. Specific client data is permanently removed from relational databases using industry-standard SQL statements. When deletion occurs, deleted data blocks are marked as free and overwritten by new data, making recoverability impossible.
Data center location(s)
United States
App/service has sub-processors
no
App/service uses large language models (LLM)
no