Privacy Shield Notice BackOffice Associates Holdings, LLC d/b/a Syniti together with its global affiliates (“Syniti”) is committed to protecting the privacy of user of its Websites (as defined in Section XII below) and the Syniti Services (as defined in Section XII below). This Privacy Shield Notice (“Notice”), together with Syniti’s Privacy Policy, describes the standards and procedures for handling Personal Information transferred from the European Union (“EU”) and Switzerland to the U.S. in accordance with Syniti's anticipated obligations under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Syniti is undergoing the process to self-certify to the Department of Commerce its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, the “Frameworks”) and, by publishing this Notice, Syniti hereby publicly commits to comply with each of the Framework’s requirements by adopting and implementing the Privacy Shield Principals (the “Principals”). For more information, please visit the International Trade Administration of the United States Department of Commerce Privacy Shield Framework website located here. To view Syniti's certificate, once it is issued, please visit www.privacyshield.gov/list. By committing to comply with each of the Frameworks and the Principals, it is Syniti's intent to meet and exceed the adequacy requirement for data protection under EU and Swiss law. If there is any conflict between the terms in this Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. I. Confirm Eligibility. FTC Jurisdiction. The United States Federal Trade Commission has jurisdiction over Syniti's compliance with the Principles. II. Types of Personal Data We Collect. Syniti collects personal data from individuals who visit the Websites, and individual representatives of its corporate customers who use and access the Syniti Services, as well as individual representatives of its suppliers and business partners. From the Websites and the Syniti Services, Syniti may collect the following types of personal data: • contact information, for example, name and email address; • company information; • Host Information; and • Usage Information. Syniti also collects or has access to personal data from Syniti Employees, including the following types: • contact information, for example, name and personal email address and phone number; • date of birth; • gender; • government-issued identification information, visa or passport information; • educational, employment or military service history • work eligibility and/or authorization • job performance and compensation information; • bank account or other financial account information; and • other information that an Employee may provide III. Purposes of Collection and Use. Syniti uses this information in order to operate, improve, and optimize the Websites and the Syniti Services, as well as generate leads for its sales and marketing teams. Syniti also uses Host Information and Usage Information alone or in combination with users’ Personal Information to provide its users (“Users”) of the Websites and Syniti Services with personalized information about Syniti, to provide the Syniti Services that a User requested, prevent or address technical issues, respond to support issues and to improve the Syniti Services. Syniti personnel and its authorized third-party agents may only access and use Personal Information if such individuals are authorized to do so and only for the purpose for which such individuals are authorized. User’s may access the Websites without providing Personal Information and may opt out of providing certain Usage Information when such Users access the Syniti Services (see Syniti's general Privacy Policy [linked] for more information). With regards to personal data from Syniti Employees, Syniti uses such personal data to carry out and support human resources functions and activities, which may include: (i) recruiting and hiring job applicants; (ii) managing Syniti Employee communications and relations; (iii) providing compensation and benefits; (iv) administering payroll; (v) processing corporate expenses and reimbursements; (vi) managing Syniti Employee participation in human resources plans and programs; (vii) carrying out obligations under employment agreements; (viii) managing Syniti Employee performance; (ix) conducting training and talent development; (x) facilitating Syniti Employee relocations and international assignments; (xi) managing Syniti Employee headcount and office allocation; (xii) managing the Syniti Employee termination process; (xiii) managing information technology and communications systems, such as the corporate email system and company directory; (xiv) conducting ethics and disciplinary investigations; (xv) administering Syniti Employee grievances and claims; (xvi) managing audit and compliance matters; (xvii) complying with applicable legal obligations, including government reporting and specific local law requirements; and (xviii) other general human resources purposes. Syniti also may obtain and process Personal Data about Syniti Employees’ emergency contacts and other individuals (such as spouse, family members, dependents and beneficiaries) to the extent Employees provide such information to Syniti. Syniti processes this information to comply with its legal obligations and for benefits administration and other internal administrative purposes. IV. Sensitive Personal Information The Websites and Syniti Services do not collect, store or use any Sensitive Personal Information. V. Commitment to Comply with the Principles. Syniti is committed to the Principles with respect to all European and Swiss personal data that it receives from individuals or companies in the EU or Switzerland in reliance on the Privacy Shield. Syniti also receives some data in reliance on other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses. VI. Transfer of Personal Information Syniti does not sell any of its Users’ Personal Information, or any other information it collects when a User visits its Websites or use the Syniti Services, to third parties. However, in some case, Syniti does share some of its User’s Personal Information with other groups within Syniti, for example its sales and/or marketing departments, in order to promote Syniti Services or its billing department in order to send an invoice to its customer. In addition, Syniti sometimes share its Users’ Personal Information with third-party service providers who assist it in using it Users’ Personal Information or in tracking and collecting Host Information and the Usage Information in accordance with this Privacy Shield Notice and its Privacy Policy. Syniti may also share its Users’ Personal Information with its business partners, service vendors, authorized third-party agents or contractors (each a “Third Party”) in order to provide a requested Syniti Offering or transaction, including processing orders, processing credit card transactions, hosting websites, hosting event and seminar registration and providing customer support. Syniti only provides such Third Party with the minimum amount of Personal Information necessary to complete/utilize the requested Syniti Services or transaction, and such Third Party is not permitted to use a User’s Personal Information except for limited purpose of completing/providing the requested Syniti Service or transaction. Furthermore, each Third Party receiving Personal Information must either (a) comply with the Privacy Shield Principles or (b) agree to provide adequate protections for Personal Information that are no less protective than those set out in this Notice and Syniti’s Privacy Policy. Syniti is responsible for the processing of Personal Information it receives, under the Privacy Shield Framework, and any subsequent transfers to a third party acting as an agent on its behalf. Syniti complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions. VII. Right to Access. Each User has the right to access such User’s Personal Information covered by this Notice and to correct, amend, or delete such Personal Information if such User can demonstrate that such Personal Information is inaccurate or incomplete (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to such User’s privacy, or where the rights of persons other than a User would be violated). VIII. Responding to Legal Process; Required Disclosures. As required by law, Syniti may respond to subpoenas, court orders, or similar legal process by disclosing a User’s Personal Information and other related information, if necessary. Syniti also may choose to establish or exercise its legal rights or defend against legal claims. In certain situations, Syniti may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Syniti may collect and possibly share Personal Information and any other additional information available to it in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Syniti’s terms of service, or as otherwise required by law. IX. Dispute Resolution Syniti is committed to resolving complaints about its collection or use of a User’s Personal Information. EU and Swiss individuals with concerns or complaints about the use of their Personal Information should contact Syniti’s Privacy Officer at privacy@boaweb.com. Syniti will attempt to resolve any such concerns in accordance with the principles of this Notice. In the event of an unresolved privacy or data use concern that Syniti has not addressed satisfactorily, please contact Syniti’s U.S.-based third-party dispute resolution provider (free of charge) at https://www.jamsadr.com/eu-us-privacy-shield. Under certain conditions, more fully described on the Privacy Shield website [https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint], a User may invoke binding arbitration when other dispute resolution procedures have been exhausted. X. Contact Us Please refer and questions or comments related to this Privacy Shield Notice to: BackOffice Associates, LLC d/b/a Syniti Attention: Privacy Officer 115 4th Avenue, Suite 205 Needham Heights, MA 02494 privacy@syniti.com XI. Updates to this Privacy Shield Notice Syniti may amend this Notice from time to time, and at any time to remain consistent with the Principles, each of the Frameworks and other applicable laws. Effective: May 16, 2018 Last Updated: May 16, 2018 XII. Definitions applicable to this Privacy Shield Notice “Syniti Employee” means any current, former or prospective employee, temporary worker, intern or other non-permanent employee of any subsidiary or affiliate of Syniti, who is a resident of the EU. “Syniti Services” means its products or services, including without limitation, its software, services, customer support services, software maintenance services, hosted services or cloud offerings. “Host Information” means certain information about a User’s computer, browser, and systems that Syniti collects when a User accesses the Websites or the Syniti Services, including IP address along with the network path, operating system type and version, and browser type, client version, the MAC address of a User’s internet connection, and geographical location. “Personal Information” is any information about a visitor to Syniti’s Websites or a user of the Syniti Services (on behalf of its customers) that Syniti collects or a User submits that could, alone or together with other information, personally identify such User. Information such as name, a user name and password, an email address, physical address, phone number, a company name, and a photograph are examples of “Personal Information.” Personal Information can also include information about any transactions, both free and paid, that a User enters into on the Websites, and information about a User that is available on the internet, such as from Facebook, LinkedIn, Twitter and Google, or publicly available information that Syniti acquires from third party service providers. “Sensitive Personal Information” means Personal Information that pertains to a person’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexuality or trade union membership. “Usage Information” means the information Syniti records about a User’s usage of, and interactions with, the Websites or the Syniti Services, including actions taken, date and time, frequency, duration, quantity, quality, network connectivity, and performance information related to logins, clicks, and other feature usage information. “Websites” means Syniti's public websites and their associated content.