The following Rearden Commerce entities have certified compliance with the Safe Harbor privacy framework for the handling of Customer Personal Information the entities receive in the United States from the European Union, Iceland, Liechtenstein, Norway or Switzerland (collectively, "EEAS"):

• Rearden Commerce (www.reardencommerce.com)
• Ketera Technologies (www.ketera.com)
• ExpenseWire (www.expensewire.com)
• Global Ground Automation (www.globalground.com)
• Deem (www.deem.com and blog.deem.com)

This policy describes how Rearden Commerce complies with the Safe Harbor privacy principles of notice, choice, onward transfer, access, security, data integrity and enforcement.

For purposes of this policy:

• "Customer" means any individual located in the EEAS who uses Rearden Commerce products or services.
• "Personal Information" means information that (i) is transferred to Rearden Commerce in the U.S. from EEAS, (ii) is recorded in any form, (iii) is about, or relates to, an identified or identifiable Customer, and (iv) can be linked to that individual.

Rearden Commerce's Safe Harbor certification can be found at https://safeharbor.export.gov/list.aspx. For more information about the Safe Harbor principles, please visit www.export.gov/safeharbor.

How Rearden Commerce Obtains Personal Data

As a service provider to businesses, such as employers and financial institutions, Rearden Commerce obtains Customer Personal Information from its business customers. We require business customers to comply with applicable U.S. and foreign laws, which include relevant national laws in the EEAS governing the collection, use and other processing of Personal Information. Rearden Commerce also may collect Personal Information directly from Customers. This may occur, for example, when a Customer establishes an account on a Rearden Commerce website or uses our mobile applications.

Notice

Rearden Commerce provides information in its Global Privacy Statement regarding the company's Customer Personal Information practices. The Privacy Statement describes:

• The purposes for which we collect and use the information;
• The types of third parties to which we disclose the information;
• The choices we offer Customers for limiting our use and disclosure of their Personal Information;
• How to exercise these privacy choices; and
• How to contact Rearden Commerce about the company's Customer Personal Information practices.

Rearden Commerce also has informed its business customers that they must comply with applicable foreign laws, which may include the requirement to provide appropriate notice to Customers whose Personal Information the businesses disclose to Rearden Commerce in the U.S.

Choice

In circumstances in which Rearden Commerce collects Personal Information directly from Customers, we offer Customers the opportunity to choose whether we may (i) disclose their Personal Information to certain third parties or (ii) use their Personal Information for a purpose that is incompatible with the purpose for which the information was originally collected or subsequently authorized by the individual. Customers may contact Rearden Commerce as indicated below regarding our use or disclosure of their Personal Information.

Where Rearden Commerce receives Customer Personal Information from business customers, we have informed Customers that they may exercise certain of their privacy rights and choices by contacting the business customer that obtained Rearden Commerce products or services for the Customer's use.

Onward Transfer

Rearden Commerce shares Customer Personal Information with service providers that perform services on the company's behalf. Except as described below, Rearden Commerce requires such services providers to either (i) certify compliance with the Safe Harbor framework to the U.S. Department of Commerce, or (ii) contractually agree to provide at least the same level of privacy and security protection for the Personal Information as is required by the Safe Harbor privacy principles relevant to the business functions the service provider performs. These requirements do not apply to service providers that are (i) subject to the European Union Data Protection Directive 95/46 or the Swiss Federal Data Protection Law, (ii) located in a country deemed by the European Commission to adequately safeguard personal information, or (iii) subject to another data protection adequacy basis.

Access

As described in the "Access and Correction" section of our Global Privacy Statement, Rearden Commerce provides Customers with reasonable access to the Personal Information the company maintains about them, including a reasonable opportunity to correct, amend or delete the information where it is inaccurate. We may limit or deny access to Personal Information where providing such access is unreasonably burdensome or expensive or as otherwise permitted by relevant Safe Harbor requirements. Customers may access and correct their personal information using accounts they maintain on Rearden Commerce websites or ask us to correct or amend their Personal Information by contacting the company as indicated below.

In addition, we have informed Customers who use Rearden Commerce products or services that a Rearden Commerce business customer (such an employer or financial institution) obtained on their behalf to request access to their information from the relevant business customer.

Security

As described in Rearden Commerce's Global Privacy Statement, the company takes reasonable precautions to protect Customer Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity

Rearden Commerce takes reasonable steps to ensure that Customer Personal Information it obtains is relevant for the purposes for which the company uses the information, and that the information is reliable, accurate, complete and current. We have implemented technology, management processes and policies to help maintain data accuracy and integrity. We depend on our Customers and business customers to update and correct Personal Information to the extent necessary. Customers may update their information using the accounts they maintain on Rearden Commerce websites or by contacting us as indicated below.

Enforcement

Rearden Commerce conducts an annual self-assessment to verify that this Safe Harbor Privacy Policy is accurate, comprehensive, prominently displayed, implemented, accessible and conforms to the Safe Harbor framework, and that we have put in place appropriate employee training and Safe Harbor compliance review procedures.

Customers may file a complaint with Rearden Commerce regarding the company's handling of their Personal Information by contacting us as indicated below. If the complaint cannot be resolved through our internal complaint resolution processes, Rearden Commerce will cooperate with JAMS pursuant to the JAMS International Mediation Rules. Rearden Commerce will take steps to remedy any issues arising out of the company's failure to abide by the Safe Harbor framework.

How to Contact Us

If you have any questions or comments about this Privacy Statement, or if you would like us to update the information we have about you or your preferences, please contact us by email at privacy@reardencommerce.com. You also may write to us at:

Rearden Commerce
Attn: Chief Legal Officer – Privacy
Privacy Rights
1051 E. Hillsdale Blvd., Sixth Floor
Foster City, CA 94404