I. Purpose

Prople BPO Inc. Privacy and data protection Policy (“the “Policy”) expresses the strong commitment to respect and protect the privacy of every individual, its employees and clients. All employees must abide by this Policy.

II. Scope

The privacy protection standards and requirements contained in this Policy shall apply to all that deal with the processing, collection, storing, or transfer of personal data, acting as a Data Controller or as a Data Processor.

III. Definitions

“Data Controller” shall mean the company or person that determines the purposes, content, use and means of the processing of Personal Data.

“Data Subject” the natural person who owns the data undergoing the processing referred to the Processing.

“Data Processor” shall mean the company or person that processes Personal Data on behalf of the Data Controller.

“Personal Data” means any information relating to an identified or identifiable natural person (each a ”Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

“Processing”, in relation to information or data, means collection, recording or holding the information or data or carrying out any operation or set of operations on the information or data, whether or not by automatic means, which includes the organization, storage, adaptation or alteration of the information or data; the retrieval, consultation or use of the information or data; the disclosure of the information or data by transmission, dissemination or otherwise making it available; or the alignment, combination, blocking, erasure or destruction of the information or data.

IV. Processing of Personal Data

1. Purpose of processing Personal Data

Prople may process Personal information and Data that is reasonably adequate for and relevant to the following applicable purposes:

1.1 For human resources and personnel management processes which may include recruitment, workforce planning, training and performance management, compensation and benefits, leave and benefits management, pay slip distribution, employee information and skill management, employee survey, exit interviews and processed, and health and safety. In such a case, Prople BPO Inc. acts as a Data Controller.

1.2 For Personal Data from personnel of suppliers and vendors, contributors, clients and prospects and visits. In such a case, Prople BPO Inc. also acts as a Data Controller.

1.3 For business process execution and management processes which may include any activities or services done by Prople BPO Inc. on behalf of or for the client. In such a case, Prople BPO Inc. acts as a Data Processor.

2. Rules to follow while processing Personal Data

Prople BPO Inc. and its employees, including its suppliers, in processing personal data must observe the following principles:

• Personal Data must be processed fairly and lawfully.

• Personal Data must be collected for one or more specified and lawful purpose(s) and may not be processed incompatibly with those purposes. Further processing of the data for historical, statistical or scientific purposes shall not be considered incompatible.

• Collection of Personal Data must be adequate, relevant and not excessive in relation to the purposes for which the data is processed.

• Personal Data must be accurate and kept up to date in such a way as to give a true picture of the current situation of the data subject.

• Personal Data must not be kept for longer than is necessary. Data shall be erased when they have ceased to be necessary or relevant for the purpose for which they were obtained or recorded.

• Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of Personal Data as well as against accidental loss, destruction of or damage to that data.

• Personal Data must not be transferred outside the country from which it originated unless such transfer complies with Section 4 of this Policy.

• The collection of data by fraudulent, unfair or illicit means is prohibited.

3. Additional rules to follow when Prople BPO Inc. act as Data Controller

Prople BPO Inc. when acting as a Data Controller, must comply with the following additional requirements:

• The notification or registration requirement with appropriate Data Protection Authority when required by respective local privacy laws.

• Consent to process Personal Data must first be given by the Data Subject before collection, processing, or storage of any Personal Data, unless laid down otherwise by law. Every Data Subject must be informed of the purpose for which Personal Data is collected, stored, or processed.

• Prople BPO Inc. shall provide the Data Subject with the identity and address of the Data Controller or his representative, if any; the purposes of the processing, the recipients or categories of recipients of the data, the existence of the right of access to and the right to rectify, erasure and objection the data concerning him/her.

V. Retention of Data

Storage of Personal Data by Prople BPO Inc. must be made in accordance with the following rules:

a. The reasonable length of time a Personal Data is kept must be reviewed periodically.

b. Such retention must conform to the purpose/s for which it was taken, and must not be kept after the purpose/s has/have been accomplished.

c. All Personal Data must be deleted or anonymized in a secured manner ensuring protection from unlawful or wrongful access.

d. Retained Personal Data must be accurate, archived and updated and it must be securely deleted once it goes out of date. It is the responsibility of the Data Subject to inform Prople BPO Inc. of any inaccuracy or update to his/her personal data. However, Prople BPO Inc. will exert commercially reasonable effort to maintain its database as accurate and updated as possible.

Where Prople BPO Inc. shares Personal Data among its subsidiaries, those subsidiaries must agree what to do with such Personal Data once they no longer need to share the information.

VI. Information Security

a. Prople BPO Inc. must ensure that only authorized people can access, alter, disclose or destroy Personal Data and that those people only act within the scope of their authority in relation to Personal Data. A system must be created to (i) protect Personal Data from accidental loss, alteration, or destruction and (ii) also make such Personal Data recoverable to prevent any damage or distress to the Data Subjects concerned.

b. Safeguards must be placed to protect Personal Data which safeguards may include physical and environment security such as facilities, workstation and integrity access control; computer security such as security devices and encryption; employee security awareness such as new hire and annual training. Prople BPO Inc. must implement a risk assessment and must be accountable for the organizational, policies and procedures and documentation requirements.

c. Security requirements of local privacy laws may vary from country to country, and so, IT standards must conform to local and contractual requirements. Therefore, Information Security officers must always refer and keep up-to-date in regard to applicable specific or local security standards when addressing security of Personal Data.

d. In case of any Personal Data breach, Prople BPO Inc. must engage a breach-management plan which includes at least the following:

• Breach Containment and Recovery – Prople BPO Inc. must resolve the incident by applying a recovery plan and, where necessary, procedures for damage limitation.

• Risk Assessment – Prople BPO Inc. must assess associated risks, such as the adverse consequences for individuals; seriousness of the breach; and risk of repetition.

• Breach Notification – Prople BPO Inc. must inform the people concerned about an information security breach, the appropriate data protection authority, and other appropriate parties such as the police and the banks, as the case maybe.

• Process Evaluation – An investigation must be conducted to determine the cause of the breach and evaluate the effectiveness of the response made. Policies and procedures must be addressed accordingly.

VII. Cooperation with Data Protection Authorities

It is a duty for Prople BPO Inc. and their employees to co-operate with and to respond diligently and appropriately to any inquiry or request made by appropriate local Data Protection Authorities. Such request may include an audit inquiry or a request for Prople BPO Inc. to be audited, if deemed necessary, and to comply with the advice of Data Protection Authorities on any issue regarding these standards or compliance with privacy laws.

VIII. Sanctions

Any employee who has attempted to breach, or allegedly or has in fact breached this Policy, whether by negligence or willful misconduct, will be subject to disciplinary sanctions in Prople BPO Inc. ’s sole discretion up to and including termination of employment, in accordance with applicable laws.