Intellisist, Inc. dba Spoken Communications Safe Harbor Compliance Document Safe Harbor Privacy Policy Intellisist, Inc. dba Spoken Communications ("Spoken") complies with the U.S.- EU Safe Harbor Framework and the U.S.- Swiss Safe Harbor Framework developed by the United States Department of Commerce and the European Commission and Switzerland, and has self- certified its adherence to the U.S.- EU Safe Harbor Principles and the U.S.- Swiss Safe Harbor Principles published by the United States Department of Commerce. This Safe Harbor Privacy Policy (the "Policy") sets forth the privacy principles that Spoken follows when processing Personal Data (as defined below) received from the European Union (EU), the European Economic Area (EEA) or Switzerland. The privacy principles in this Policy are based on the Safe Harbor Principles and the frequently asked questions (FAQs) that comprise the Safe Harbor Frameworks referenced above. To learn more about the Safe Harbor program and to view our certification, please visit http://www.export.gov/safeharbor/. Spoken s Role as a Service Provider to its Enterprise Customers Spoken is an innovative technology and managed services company that provides a cloud- based hosted software and services platform ( Spoken Platform ) to its enterprise customers (each, an Enterprise Customer ). The Spoken Platform offers a scalable and flexible infrastructure solution to business enterprises to support contact center operations. Spoken provides the Spoken Platform to Enterprise Customers located in the EU, the EEA and/or Switzerland by hosting these solutions in Spoken s data centers located in the EU. Spoken also provides professional technical services and technical support services to its Enterprise Customers in the EU, the EEA and/or Switzerland through employees and/or contractors who may be located in the U.S. or in the EU, the EEA, and/or Switzerland, or who may be present at an Enterprise Customer's site in the U.S. or in the EU, the EEA, and/or Switzerland. Enterprise Customers using the Spoken Platform are responsible for managing the data that they store at Spoken s data centers and on the Spoken Platform. These responsibilities include determining the types of information that are stored, how that information will be used, to whom it will be disclosed, and for what purposes. Similarly, Spoken s Enterprise Customers who share data with Spoken in connection with any of its services are responsible for deciding which categories of data will be shared and for what purposes. When Spoken processes data received from an Enterprise Customer ("Customer Data"), whether for its hosted solutions or in connection with its provision Safe Harbor Policy Page 1
of services, Spoken does so only pursuant to the Enterprise Customer's instructions and prior authorization, as described herein. Enterprise Customers' Responsibilities with Respect to Personal Data Spoken s Enterprise Customers may elect to include Personal Data among the Customer Data stored on the Spoken Platform or shared with Spoken in connection with its provision of services. For purposes of this Policy, Personal Data means any individually identifiable information about a natural person or any information from which a natural person reasonably could be identified. Before processing any information on behalf of its Enterprise Customers located in the EU, the EEA or Switzerland, Spoken will enter into an agreement with the Enterprise Customer responsible for the Personal Data pursuant to which the Enterprise Customer agrees to comply with all applicable data protection laws. Spoken processes only the Personal Data that its Enterprise Customers have chosen to share with the Company. Spoken has no direct or contractual relationship with the subject of this Personal Data (the "Data Subject"). As a result, when Customer Data includes Personal Data, the Enterprise Customer is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws, including but not limited to providing notice and choice as required under data protection laws. It is the Enterprise Customer's responsibility to ensure that Personal Data it collects can be legally collected in the country of origin. The Enterprise Customer is also responsible for providing to the Data Subject any notices required by applicable law and for responding appropriately to the Data Subject's request to exercise his or her rights with respect to Personal Data. In addition, the Enterprise Customer is responsible for ensuring that its use of the Spoken Platform or Spoken s services is consistent with any privacy policy the Enterprise Customer has established and any notices it has provided to Data Subjects. Spoken is not responsible for its Enterprise Customer's privacy policies or practices or for the Enterprise Customer's compliance with them. Spoken does not review, comment upon, or monitor its Enterprise Customer's privacy policies or the Enterprise Customer's compliance with such policies. Spoken also does not review instructions or authorizations to Spoken to determine whether the instructions or authorizations are in compliance with, or conflict with, the terms of an Enterprise Customer's published privacy policy or of any notice provided to Data Subjects. Spoken s Compliance with the Safe Harbor Principles Safe Harbor Policy Page 2
While any Spoken employee(s) located in the EU, the EEA, and/or Switzerland may have responsibilities for maintaining and supporting the Spoken Platform for Enterprise Customers located in the EU, the EEA and/or Switzerland, Spoken employees located at the Company's headquarters and elsewhere in the U.S. also provide such services. In order to provide such services, under certain circumstances, Spoken may find it necessary to transfer Customer Data, including Personal Data, to the United States. Without the Enterprise Customer's prior authorization, transfers will consist exclusively of remote access by Spoken employees located in the U.S. to Personal Data located in the EU, EEA, or Switzerland (either at Spoken s data centers in the EU or at the Enterprise Customer's own data center). Spoken will not physically transfer any Personal Data stored in the EU, the EEA or Switzerland to the U.S. without the Enterprise Customer's prior authorization. Spoken will apply the following Safe Harbor Principles to Personal Data transferred to the U.S., whether physically or by remote access: Onward Transfer Spoken will not disclose Personal Data to a third party, except for subcontractors and third- party agents who assist Spoken in providing the Spoken Platform or other services to Enterprise Customers. Before transferring Personal Data to a subcontractor or third- party agent, Spoken will ascertain that the recipient subscribes to the U.S.- EU Safe Harbor Principles and/or the U.S.- Swiss Safe Harbor Principles, or is subject to the EU Data Directive or another finding of adequacy under relevant EU or Swiss law, or will obtain assurances from the recipient that it will safeguard Personal Data in a manner consistent with this Policy. If Spoken learns that a recipient is using or disclosing Personal Data in a manner contrary to this Policy, Spoken will take reasonable steps to prevent such use or disclosure. Spoken also may, notwithstanding anything to the contrary in this Policy, disclose Personal Data as required by law, for example, in response to a court order or subpoena. Before making any such disclosure, Spoken will promptly inform the Enterprise Customer, so it may take such actions as it deems necessary to protect the rights of Data Subjects. Security for Personal Data Spoken has implemented measures designed to help safeguard the Personal Data that it receives from the EU, the EEA and Switzerland. While Spoken cannot guarantee the security of Personal Data, Spoken takes reasonable precautions to protect Personal Data in its possession from loss, misappropriation and unauthorized access, disclosure and destruction. Spoken utilizes a combination of online and offline security technologies, procedures and organizational measures to help safeguard Personal Data. Safe Harbor Policy Page 3
Data Integrity Spoken s Enterprise Customers are responsible for ensuring that they collect only that Personal Data needed to accomplish the purposes disclosed to the Data Subject. They also are responsible for providing Spoken with instructions for the processing of Personal Data consistent with the purposes stated in the notice, and in accordance with any opt- outs or other choice exercised by the Data Subject. Spoken will process Personal Data only in accordance with the Enterprise Customer's instructions, which are deemed to include, without limitation, processing Personal Data in all manners contemplated by our agreement with the Enterprise Customer. Spoken s Enterprise Customers also are responsible for ensuring that (a) the Personal Data they collect is accurate, complete, current and reliable for its intended uses; and (b) Personal Data is retained only for as long as is necessary to accomplish the Enterprise Customer's legitimate business purposes or for as long as may be permitted or required by applicable law. Spoken will cooperate with Enterprise Customers' reasonable requests for assistance in meeting these obligations. Access/Correction When Spoken receives Personal Data, it does so on its Enterprise Customer's behalf. To request access to, correction, amendment or deletion of Personal Data, Data Subjects should contact the Enterprise Customer that collected their Personal Data. Spoken will cooperate with its Enterprise Customers' reasonable requests for assistance in permitting Data Subjects to exercise their rights under applicable data protection laws. Enforcement Spoken will conduct periodic self- assessments of its relevant practices to verify adherence to this Policy and the Safe Harbor Principles. Any employee who intentionally violates this Policy will be subject to disciplinary action up to and including termination of employment. Any Data Subject who has a complaint concerning Spoken s processing of Personal Data should first contact the Enterprise Customer that collected the Data Subject's Personal Data. Data Subjects may also contact Spoken s Legal Department by emailing safeharbor@spoken.com. For complaints that cannot be resolved after following the above steps, Spoken agrees to participate in the dispute resolution procedures of the panel established by the European Data Protection Authorities (DPAs) to resolve disputes pursuant to the Safe Harbor Principles. For More Information Data Subjects with questions about Spoken s processing of Personal Data should first contact the Spoken Enterprise Customer that collected the Personal Data. Spoken s Legal Department may be contacted by emailing safeharbor@spoken.com. Safe Harbor Policy Page 4
Changes to this Privacy Policy Spoken may revise this Policy at any time consistent with the requirements of the U.S.- EU and U.S.- Swiss Safe Harbor Frameworks. In the event of any revision, Spoken will post the revised Policy at this location and update the Effective Date below. Effective Date: May 15, 2013 Safe Harbor Policy Page 5