Confidentiality & Non-Disclosure Policy

Standard policy protecting trade secrets, customer data, and other confidential information. Defines what constitutes confidential information, employee obligations during and after employment, and exceptions for whistleblowing and protected speech.

Purpose

  • This policy establishes requirements for safeguarding confidential information, trade secrets, and personal data. It also explains employee responsibilities during employment and after separation, and identifies exceptions required by law. This policy is intended to support compliance with applicable trade secret, privacy, labor, and anti-retaliation laws, including the Defend Trade Secrets Act, the National Labor Relations Act (NLRA) Section 7, Title VII of the Civil Rights Act of 1964, and applicable privacy laws such as the CCPA/CPRA and GDPR where relevant.

Scope

  • This policy applies to all employees, interns, temporary workers, contractors, consultants, and any other person who receives access to company confidential information. **Applicable jurisdictions:** This policy applies in the United States and, where the company operates internationally, is intended to be applied consistently with local law. If a local law provides greater employee rights or stricter privacy requirements, the local law controls. **Applicable roles:** All roles with access to company systems, records, customer information, financial data, source code, product plans, or personnel records.

Definitions

  • For purposes of this policy:
    - **Confidential Information** includes, without limitation, business plans, pricing, source code, product roadmaps, security procedures, customer lists, vendor terms, financial reports, non-public HR records, and any information marked confidential or reasonably understood to be confidential.
    - **Trade Secrets** are a subset of confidential information that the company actively protects because disclosure could cause competitive harm.
    - **Personal Data** includes employee, applicant, customer, and vendor information that can identify a person directly or indirectly.
    - **Need to know** means access is limited to individuals who require the information to perform an assigned job duty.
    - **Good-faith report** means a report made honestly and without intent to knowingly make false statements.

Policy Statement

  • Employees must protect confidential information and use it only for legitimate business purposes authorized by the company. Employees may not access, copy, store, transmit, discuss, publish, or disclose confidential information except as required to perform their job duties or as otherwise authorized in writing. Employees must follow reasonable safeguards, including:
    - using company-approved systems and storage locations;
    - limiting access on a need-to-know basis;
    - locking screens and securing physical documents;
    - not sharing passwords, access tokens, or credentials;
    - not forwarding confidential information to personal email or unapproved cloud services; and
    - promptly reporting suspected loss, theft, unauthorized access, or accidental disclosure.
    The company may require additional controls for sensitive data, including encryption, access logging, retention limits, and data minimization.

Employee Obligations During Employment

  • While employed, employees must:
    1. Protect confidential information from unauthorized access or disclosure.
    2. Use confidential information only for approved business purposes.
    3. Follow all data handling, cybersecurity, and records retention procedures.
    4. Immediately report suspected breaches, misdirected emails, lost devices, or unauthorized requests for information.
    5. Return or delete confidential information when directed by the company and confirm completion when requested.
    6. Cooperate in any investigation, audit, or incident response related to confidential information.
    Employees may not remove confidential information from company premises or systems unless necessary for approved work and permitted by policy or written authorization.

Obligations After Employment Ends

  • Upon separation from employment, employees must immediately stop using confidential information except as legally permitted or required to transition work. Employees must return all company property and confidential materials, including documents, devices, storage media, badges, keys, notebooks, and copies in any format. Former employees must not retain, use, disclose, publish, or exploit confidential information after separation. This obligation continues indefinitely for trade secrets and for other confidential information for so long as the information remains confidential and the company maintains a legitimate interest in its protection. The company may request written certification that all confidential information has been returned or deleted.

Permitted Disclosures and Exceptions

  • Nothing in this policy prohibits or restricts any disclosure that is protected by law, including:
    - reporting possible violations of law to a government agency or law enforcement;
    - participating in an investigation or proceeding conducted by a government agency;
    - making a good-faith complaint about wages, hours, working conditions, discrimination, harassment, retaliation, or other workplace concerns;
    - engaging in concerted activity protected by NLRA Section 7;
    - discussing wages, hours, or working conditions with coworkers or others where protected by law; or
    - making disclosures required by law, subpoena, court order, or other lawful process.
    Employees are not required to notify the company before making a protected disclosure, although they may do so if they choose. Where legally permitted, employees should limit disclosures to the minimum necessary and may mark materials as confidential when submitting them to a government agency or attorney.

Customer Data, Employee Data, and Privacy Requirements

  • Employees who handle customer data, applicant data, or employee personal data must follow applicable privacy and security requirements, including data minimization, access limitation, and secure transmission practices. The company will handle personal data in accordance with applicable privacy laws, including the CCPA/CPRA in California and the GDPR where applicable. Access to employee records is limited to authorized personnel with a business need, and disclosures must be made only for legitimate business, legal, or compliance purposes. EEOC-related records and sensitive personnel information must be handled in a manner consistent with EEOC privacy guidance and applicable anti-discrimination laws.

Roles & Responsibilities

  • **Employees:** Protect confidential information, complete required training, and report incidents promptly. **Managers:** Limit access on a need-to-know basis, reinforce compliance, and escalate suspected violations to HR, Legal, or Information Security. **HR:** Maintain personnel records securely, coordinate acknowledgements, and support investigations involving employee data. **Legal / Compliance:** Interpret legal exceptions, manage subpoenas and government requests, and advise on trade secret and privacy obligations. **Information Security / IT:** Implement technical safeguards, monitor access, and respond to security incidents. **Policy holder:** The HR or Compliance function designated by the company is responsible for maintaining this policy and coordinating updates.

Compliance, Violations, and Discipline

  • Violations of this policy may result in corrective action, up to and including termination of employment, contract termination, civil liability, and referral to law enforcement where appropriate. The company will investigate suspected violations in a good-faith, non-retaliatory manner. Discipline will be based on the nature and severity of the conduct, prior warnings, the sensitivity of the information involved, and any applicable legal protections. Nothing in this policy limits an employee’s right to report concerns to a government agency, participate in protected activity, or request a reasonable accommodation through the interactive process if a disability affects the employee’s ability to comply with a specific procedure.

Review & Revision

  • This policy will be reviewed at least annually and updated as needed to reflect changes in law, business practices, and security requirements. **California employees:** Any confidentiality terms must not be interpreted to prohibit lawful whistleblowing or other protected disclosures under California law, including the California Whistleblower Protection Act and related statutes. **State-specific overlays:** Where applicable, the company will align this policy with state law requirements such as New York Labor Law § 740 (whistleblower protections), Illinois One Day Rest in Seven Act, Washington paid sick leave rules, and other jurisdiction-specific employee protections.