Data retention policy
The Record Retention Schedule is organized as follows:
ACCOUNTING AND FINANCE
Record Type | Retention Period
Accounts Payable ledgers and schedules | 7 years
Accounts Receivable ledgers and schedules | 7 years
Annual Audit Reports and Financial Statements | Permanent
Annual Audit Records, including work papers and other documents that relate to the audit | 7 years after completion of audit
Annual Plans and Budgets | 2 years
Bank Statements and Canceled Checks | 7 years
Employee Expense Reports | 7 years
General Ledgers | Permanent
Interim Financial Statements | 7 years
Notes Receivable ledgers and schedules | 7 years
Investment Records | 7 years after sale of investment
Internal Audit work papers and findings | 7 years after completion
CONTRACTS
Record Type | Retention Period
Contracts and Related Correspondence (including any proposal that resulted in the contract and all other supportive documentation) | 7 years after expiration or termination
CORPORATE RECORDS
Record Type | Retention Period
Corporate Records (minute books, signed minutes of the Board and all committees, corporate seals, articles of incorporation, bylaws, annual corporate reports) | Permanent
Licenses and Permits | Permanent
Memorandums of Understanding | Permanent
ProductPlan does not automatically delete electronic files beyond the dates specified in this Policy. It is the responsibility of all staff to adhere to the guidelines specified in this policy.
LEGAL FILES AND PAPERS
Record Type | Retention Period
Legal Memoranda and Opinions (including all subject matter files) | 10 years after close of matter
Litigation Files | 10 years after expiration of appeals or time for filing appeals
Court Orders | Permanent
Requests for Departure from Records Retention Plan | 10 years
MISCELLANEOUS
Record Type | Retention Period
Consultant's Reports | 2 years
Material of Historical Value (including pictures, publications) | Permanent
Policy and Procedures Manuals – Original | Current version with revision history
Policy and Procedures Manuals – Copies | Retain current version only
Annual Reports | Permanent
PERSONNEL RECORDS
Record Type | Retention Period
Employee Personnel Records (including individual attendance records, application forms, job or status change records, performance evaluations, termination papers, withholding information, garnishments, test results, training and qualification records) | 6 years after separation
Employment Contracts – Individual | 7 years after separation
PROPERTY RECORDS
Record Type | Retention Period
Correspondence, Property Deeds, Assessments, Licenses, Rights of Way | Permanent
Original Purchase/Sale/Lease Agreement | Permanent
Property Insurance Policies | Permanent
TAX RECORDS
General Principle: ProductPlan must keep such books of account or records as are sufficient to establish the amount of gross income, deductions, credits, or other matters required to be shown in any such return.
These documents and records shall be kept for as long as the contents thereof may become material in the administration of federal, state, and local income, franchise, and property tax laws.
Record Type | Retention Period
Tax-Exemption Documents and Related Correspondence | Permanent
IRS Rulings | Permanent
Excise Tax Records | 7 years
Tax Bills, Receipts, Statements | 7 years
Tax Returns – Income, Franchise, Property | Permanent
Tax Workpaper Packages – Originals | 7 years
Sales/Use Tax Records | 7 years
Annual Information Returns - Federal and State | Permanent
IRS or other Government Audit Records | Permanent
CONTRIBUTION RECORDS
Record Type | Retention Period
Records of Contributions | Permanent
ProductPlan’s or other documents evidencing terms of gifts | Permanent
Data archiving and removal policy
The purpose of this portion of the Policy is to ensure that necessary records and documents of ProductPlan are adequately protected and maintained and to ensure that records that are no longer needed by ProductPlan, or are of no value, are discarded at the proper time. This Policy is also for the purpose of aiding employees of the Company in understanding their obligations in retaining electronic documents - including e-mail, Web files, text files, sound and video files, PDF documents, all Microsoft Office, Apple, or G Suite documents or other formatted files.
This document represents ProductPlan’s policy regarding the retention and disposal of records and the retention and disposal of electronic documents.
Administration
The Record Retention Schedule is approved as the initial maintenance, retention and disposal schedule for physical records of ProductPlan and the retention and disposal schedule of electronic documents. The Director of Finance (the “Administrator”) is the officer in charge of the administration of this Policy and the implementation of processes and procedures to ensure that the Record Retention Schedule is followed. The Administrator is also authorized to: make modifications to the Record Retention Schedule from time to time to ensure that it is in compliance with local, state and federal laws and includes the appropriate document and record categories for ProductPlan; monitor local, state and federal laws affecting record retention; annually review the record retention and disposal program; and monitor compliance with this Policy.
Suspension of Record Disposal In Event of Litigation or Claims
In the event the Company is served with any subpoena or request for documents or any employee becomes aware of a governmental investigation or audit concerning ProductPlan or the commencement of any litigation against or concerning the Company, such employee shall inform the Administrator and any further disposal of documents shall be suspended until such time as the Administrator, with the advice of counsel, determines otherwise. The Administrator shall take such steps as are necessary to promptly inform all staff of any suspension in the further disposal of documents.
Applicability
This Policy applies to all physical records generated in the course of the Company’s operation, including both original documents and reproductions. It does not apply to independent contractor records as we rely upon the governing boards of third party vendors to set appropriate retention policies for their members. It also applies to the electronic documents described above.
This Policy was approved by the Board of Directors of ProductPlan.
Data Subject Rights Request Procedures
Data Subjects have certain rights under Law, including the right to access, delete, edit, export, restrict, and object to Processing of their Personal Data (“Data Subject Rights”). When a Data Subject seeks to exercise their rights under Law, we will take the following actions:
1. Respond to all Data Subject Rights requests without undue delay.
2. Validate the subject’s identity (i.e. with government-issued ID).
3. Determine whether we hold or control Personal Data about that Data Subject.
4. Record the date and time of Data Subject Rights requests and the actions taken by us in response to such requests.
5. Retrieve relevant information from our internal databases.
6. Scrub any other personal data that may identify another Data Subject from the retrieved information.
7. Provide the requested information to the Data Subject in an appropriate format (i.e. CSV).
Data storage policy
Customer Data Storage
The ProductPlan application runs within its own isolated environment and cannot interact with other applications or areas of the AWS or Heroku systems. This restrictive operating environment, managed by AWS and Heroku, is designed to prevent security and stability issues. These self-contained environments isolate processes, memory, and the file system using Linux Containers (‘LXC’) while host-based firewalls restrict applications from establishing local network connections.
ProductPlan data is stored in an access-controlled database. The database requires a unique username and password that is only valid for that specific database and is unique to a single application. ProductPlan’s connections to the Postgres databases require Secure Sockets Layer (‘SSL’) encryption to ensure a high level of security and privacy.
Encryption
Much of the data processed and stored is encrypted at rest using various file or disk level encryption mechanisms. Data is encrypted using industry standard AES-256 encryption with keys managed through AWS’s Key Management Service (KMS). Where possible, Rapid7 utilizes AWS’s services to manage encryption at rest (e.g. S3, EBS, RDS, etc.). When not possible, Rapid7 utilizes block level encryption provided by LUKS.
Data center location(s)
United States
Data hosting details
Cloud hosted via our PaaS Heroku on AWS.
Data hosting company
AWS, Heroku
App/service has sub-processors
yes
Guidelines for sub-processors