Introduction

NC4 Inc. (“NC4”) is a provider of various situational readiness solutions offered to its Clients via a Software-as-a-Solution (“SaaS”) model, as set forth below. As such, NC4 enters into contracts with its Clients that specify the terms and conditions under which NC4 will provide its Services to Clients and their authorized Users. Because privacy is critical to its Clients, NC4 collects only necessary Personal Information in the course of its business. NC4 takes these activities seriously and strives to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business. This Privacy Policy (“Policy”) sets forth the privacy principles that NC4 follows with respect to Personal Information obtained by NC4 for use in providing its Services.

Privacy Laws

Several countries have data protection/privacy laws, the overall purpose of which are to protect the rights of individuals by establishing minimum standards concerning the collection, processing, use and securing of their Personal Information. These laws limit the use of Personal Information to the purpose for which it was given and require individuals be provided access to their Personal Information.

The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (collectively the “Safe Harbor Principles”) to enable U.S. companies to satisfy the requirements under European Union law to adequately protect Personal Information transferred from the EU to the United States. NC4 acknowledges the EU standard for personal data protection.

It is NC4’s goal to have a single policy that considers the privacy principles of the countries in which NC4 offers its Services. NC4 therefore has based this Policy on the Safe Harbor Principles.

Scope

This Policy applies to all Personal Information collected by NC4 in order to provide the following Software-as-a-Service (Saas) offerings: NC4 Risk Center™, NC4 Mission Center™, and NC4 Security Center™ (including travel tracking services).

This Policy does not apply to: (i) NC4’s E Team® or E-Sponder® applications, (ii) unsolicited information delivered to NC4 in any form, (iii) links that may be included on NC4’s website which lead to other parties’ websites, (iv) information delivered to NC4 by fax, email, manually or through off-line requests, or (v) other information received by NC4 apart from its standard SaaS offerings

Definitions

The following definitions shall apply throughout this Policy:

“Agent” means any third party that collects or uses Personal Information under the instructions of, and solely for, NC4 or Client or to which NC4 discloses Personal Information for use on NC4’s behalf.

“Client” means an agency, corporation, or other entity which contracts with NC4 to perform services, as the principal subscriber to the NC4 Services.

“NC4” means NC4 Inc., and its affiliates.

“Personal Information” means any information that identifies or could be used by or on behalf of NC4 to identify an individual, including such sensitive personal information as race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, or information concerning an individual’s health. Personal Information does not include information that is encoded or anonymized, stripped of all personally identifiable information, or that is publicly available.

“Service(s)” means the particular NC4 SaaS service or services subscribed to by Client.

“Subcontractor” means any individual, corporation, or other entity under written contract with NC4 to assist NC4 in providing its Services.

“User” means any employee or contracted agent, representative or consultant of Client authorized by Client to use the NC4 SaaS services subscribed to by Client.

Information Collection

NC4’s Client registration process is designed to collect certain Personal Information regarding Users of the Services necessary for NC4 to grant access to the NC4 SaaS system (System) and to properly and securely administer the System on behalf of the Client. System configuration is not possible without this basic information. Certain Personal Information regarding a Client’s travelers is required in order for NC4 to provide its travel tracking services.

NC4 obtains Personal Information concerning a Client’s Users and/or travelers from its Clients or their Agents. Personal Information that may be obtained includes: name, gender, address and phone numbers, email address, travel itineraries, passenger name record (PNR) information and reservation information. Personal Information will be maintained in the System in accordance with the data retention provisions of this Policy.

Use of Personal Information

Use of Personal Information will be used as required by NC4 to provide the Services subscribed to at the direction of the Client. Such uses may include, but are not necessarily limited to, providing personalization services, verifying and validating User identity, sending notifications from within the System when important transactions have occurred, contacting Users and/or Clients as needed to provide the Services, providing reports to Clients, and in other ways necessary to support the Client. Personal Information may also be used by NC4 to provide Client and/or Users with limited NC4 marketing information (e.g., invitations to, or information concerning, NC4’s User conferences, Webinars, news flashes, training opportunities, etc.).
Personal Information will not be sold, published, provided to any other organization for processing, or allowed to leave NC4 Systems for any reason without the prior consent of the Client and/or User.

Access to Personal Information
Personal Information collected by NC4 is only accessed by authorized NC4 personnel or Subcontractors and/or Agents. NC4 does not release or otherwise disclose Personal Information collected from or on behalf of Client without the prior written permission from the Client or individual, or as required by law. All requests for access to Personal Information from third parties will be forwarded to the Client, and NC4 will act in accordance with the Client’s instructions.

Privacy Principles

The privacy principles in this Policy are based on the Safe Harbor Principles, and are as follows:

Notice and Consent
NC4’s standard procedures require the Client or the Client’s Agent (e.g., Client’s travel management company) to provide Personal Information to NC4 concerning the Client’s Users or travelers in order for NC4 to perform the Services. NC4 acts solely as a data processor in accordance with the Client instructions, and therefore NC4 may have no direct relationship with the individuals whose Personal Information it obtains. NC4 works with its Clients or their approved Agents, as the case may be, to help them provide notice of data processing to individuals, including information concerning this Policy. It is the responsibility of the Client and/or Agent to ensure such notice and any consent required is obtained.

Choice (“Opt-out”)
As an agent processing Personal Information under the instruction of its Clients, NC4 may have no direct relationship with the individuals whose Personal Information it obtains. NC4 works with its Clients to help them inform individuals if their Personal Information is (a) to be disclosed to a non-agent third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. NC4 will provide individuals the choice of opting-out of such disclosures.

Data Integrity
NC4 will use Personal Information provided to it only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the Client. As an agent processing Personal Information under the instruction of its Clients, NC4 works with its Clients to provide reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, and current.

Transfer to Third Parties
NC4 may transfer Personal Information back to the Client and to Subcontractors or certain Agents as necessary to successfully provide the Services or otherwise fulfill NC4’s obligations under its contract with a Client. To the extent NC4 uses any Subcontractors or Agents for this purpose, NC4 will obtain assurances from such Subcontractors or Agents that they will safeguard Personal Information in a manner consistent with this Policy. Examples of appropriate assurances that may be provided by Subcontractors or Agents include (i)) a contract or data transfer agreement obligating the Subcontractor or Agent to follow applicable data protection laws (for example, providing at least the same level of protection as is required by this Policy), (ii) being Safe Harbor certified, (iii) or being subject to another European Commission adequacy
finding (e.g., companies located in Canada).

If NC4 has knowledge that a Subcontractor or Agent is using or disclosing Personal Information in a manner contrary to this Policy, it will take reasonable steps to prevent or stop such use or disclosure.

As set forth in the Safe Harbor Principles, adherence to the Principles may be limited to the extent necessary to meet national security, public interest, or law enforcement requirements. Please be aware that in certain circumstances, it is possible that Personal Information may be subject to disclosure to third parties pursuant to judicial or other government subpoenas, warrants, or orders.

Data Security
NC4 has implemented appropriate technical and organizational measures and will take other reasonable precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. Any specific requirements of a Client with respect to the processing and security of Personal Information are specified in the contract between NC4 and Client.

Client Access and Correction
As an agent processing Personal Information under the instruction of its Clients, NC4 works with its Clients to grant individuals reasonable access to Personal Information that NC4 holds about them, and NC4 will take reasonable steps to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.

If a Client or User no longer has access to the System, he or she can contact the NC4 Support Center and request that Personal Information be verified, modified, or deleted. Depending on the System in question, NC4 may not be able to delete all Personal Information due to auditing requirements of the System. This is an important feature of the NC4 System. NC4’s Support Center can be contacted at 877-624-3771. Clients/Users will be required to prove identity to the satisfaction of NC4 in order to have Personal Information modified or potentially removed.

Enforcement
NC4 uses a self-assessment approach to assure compliance with this Policy and will conduct periodic compliance audits of its relevant privacy practices to verify such adherence. Any NC4 employee found to have intentionally acted in violation of this Policy will be subject to disciplinary action up to and including termination of employment.

Dispute Resolution
Any questions, concerns, or complaints regarding NC4’s use or disclosure of Personal Information shall be directed to the NC4 address below. Any NC4 employee who receives a question, concern, or complaint regarding the use or disclosure of Personal Information will direct that information to NC4’s legal department. NC4 will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Information in accordance with the principles contained in this Policy.

For complaints that cannot be resolved between NC4 and the complainant, NC4 has agreed to participate in the dispute resolution procedures of the American Arbitration Association, and where applicable, pursuant to the Safe Harbor Principles.

Limitation on Application of Principles
Adherence by NC4 to the Principles set forth in this Policy may be limited (a) to the extent required for NC4 to respond to a legal or ethical obligation, and/or (b) to the extent a disclosure or other action is permitted or required by an applicable law, rule, regulation, or legal process.

Additional Information Pertinent to NC4’s SaaS Offerings

Data Retention
The NC4 System collects and maintains Personal Information for the duration of the Client service subscription period. After the expiration of the Client subscription period, data may remain present on NC4 secure storage assets until such time that media becomes obsolete and identified for disposal. Prior to disposal, NC4 follows a data cleansing process compliant with the US DOD 5220.22-M Cleaning and Sanitizing Standard.

Use of Cookies or Other Persistent Information
NC4 uses cookies, hidden from fields, and information in URL strings in its applications to maintain a User session. When the work session is completed, no Personal Information (other than possibly a login ID) is maintained about the User in cookies or other persistent form on the User’s computer.

Third Party Links
NC4 Systems may provide links to third parties for Client/User convenience, but no Personal Information is transmitted to outside systems without Client’s or the individual’s consent. Third party links posted within NC4 Systems do not constitute NC4’s endorsement of those third parties or the products/services they offer.

Contact Information

Questions, comments, or complaints pertaining to this Policy or NC4’s collection or retention of Personal Information should be submitted to NC4 at the following address or email:

NC4 Inc.
Attn: Legal Department
100 N. Sepulveda Blvd., Suite 200
El Segundo, CA 90245
Email: privacy@NC4.us
Phone: 310.606.4444
Fax: 310.606.4309

Amendments to Policy
NC4 may update this Policy from time to time to reflect changes in NC4’s products and services, or to remain consistent with the requirements of various privacy principles. When a User logs into a NC4 SaaS System, the User will be notified if there has been an amendment that materially changes this Policy and will be directed to review and acknowledge review of such amended Policy.

Effective Date: October 27, 2011