Run: Trade Secret Protection Policy

The purpose of this policy is to identify, protect, control access to, mark, and properly handle the Company’s trade secrets and confidential information. This policy also establishes employee exit procedures to reduce the risk of unauthorized disclosure, misuse, or misappropriation before, during, and after separation from employment.

This policy applies to all employees, officers, managers, contractors, interns, temporary workers, and any other person who may access Company confidential information. It applies to information in any format, including paper, electronic files, messages, recordings, prototypes, notebooks, and oral communications. This policy does not limit lawful employee rights under NLRA Section 7 to engage in protected concerted activity, and it must be applied consistently with FLSA, ADA, Title VII, FMLA, and applicable state law.

The Company classifies sensitive information into the following categories: 1. **Trade Secret** — information that the Company actively protects because it is not generally known and has economic value from being kept secret. 2. **Restricted Confidential** — highly sensitive information that could cause competitive harm, security risk, or legal exposure if disclosed. 3. **Confidential** — non-public information that should be shared only with authorized personnel for business purposes. 4. **Public** — information approved for external release. Managers and policy holders must identify information that should be classified before it is shared, stored, or transmitted. When in doubt, treat information as Restricted Confidential until Legal, HR, or the designated policy holder confirms the correct classification.

Employees must: - Use trade secrets and confidential information only for legitimate Company business. - Access sensitive information only on a need-to-know basis and only through approved systems. - Protect information from unauthorized viewing, copying, forwarding, downloading, photographing, or discussion in public settings. - Mark documents and files with the appropriate confidentiality legend when required by the policy holder or Legal. - Store paper records in locked cabinets or secure rooms and store electronic records in approved, access-controlled systems. - Never disclose trade secrets to third parties without written authorization and any required confidentiality agreement. - Immediately report suspected loss, theft, misdirection, unauthorized access, or accidental disclosure to HR, IT, Legal, or Security. - Preserve information subject to a legal hold or investigation and follow all document retention instructions.

The following controls apply to trade secrets and other confidential information: - **Marking:** Use labels such as "Company Confidential," "Restricted Confidential," or "Trade Secret" on documents, files, prototypes, and presentations when appropriate. - **Access approval:** The policy holder or designated manager must approve access before sensitive information is shared outside the immediate workgroup. - **Least privilege:** IT must configure systems so users receive only the minimum access needed for their role. - **Transmission controls:** Send sensitive information only through approved email, file-sharing, or collaboration tools with encryption or equivalent safeguards where available. - **Physical safeguards:** Keep documents out of public view, use clean-desk practices, and secure whiteboards, notebooks, badges, and removable media at the end of the workday. - **Copying and storage:** Do not copy, print, photograph, or transfer sensitive information unless the business need is documented and approved. - **Remote work:** Employees working remotely must prevent family members, visitors, and other unauthorized persons from viewing or hearing confidential information.

When an employee, contractor, or temporary worker separates from the Company, HR, the manager, and IT must complete the following steps in good faith and without delay: 1. **Access review and revocation:** IT must disable or reduce access to email, shared drives, source code repositories, customer systems, badges, VPN, and other systems based on the separation date and risk level. 2. **Return of property:** The departing worker must return laptops, phones, keys, badges, documents, notebooks, storage devices, prototypes, and any other Company property before or on the final day of work unless otherwise approved. 3. **Certification of return/deletion:** Where appropriate, the departing worker must certify in writing that Company information has been returned, deleted, or destroyed from personal devices and accounts. 4. **Reminder of continuing obligations:** HR or Legal must remind the departing worker that confidentiality, trade secret, invention assignment, and non-solicitation obligations that survive employment remain in effect to the extent permitted by law. 5. **Exit interview:** The manager or HR representative should conduct an exit interview to confirm outstanding obligations, identify any access concerns, and document any known retention of Company information. 6. **Post-separation monitoring:** Security or IT may monitor for unusual data transfers or account activity consistent with applicable law and internal investigation procedures. 7. **Final pay coordination:** Final wage payment, expense reimbursement, and PTO payout must be handled in accordance with applicable state wage-payment laws and FLSA requirements; this policy does not authorize withholding wages except as permitted by law.

**Employees and workers** must follow this policy, complete required training, and report suspected incidents promptly. **Managers and policy holders** must classify information, approve access, ensure labels are used where needed, and escalate suspected misuse. **HR** must incorporate confidentiality obligations into onboarding and offboarding, coordinate acknowledgements, and ensure exit procedures are completed. **IT** must implement technical access controls, logging, account revocation, encryption, and secure deletion procedures. **Legal/Compliance** must review confidentiality language, legal holds, investigations, and jurisdiction-specific requirements, including state trade secret, privacy, and whistleblower laws. **Security** must investigate incidents, preserve evidence, and coordinate response to suspected theft, loss, or unauthorized disclosure.

Violations of this policy may result in corrective action up to and including termination of employment, contract termination, civil action, and referral to law enforcement where appropriate. Discipline will be applied consistently and in a manner that does not discriminate on the basis of race, color, religion, sex, pregnancy, sexual orientation, gender identity, national origin, age, disability, genetic information, or any other protected characteristic under EEOC-enforced laws. Nothing in this policy prohibits employees from discussing wages, hours, or other terms and conditions of employment, or from engaging in other protected concerted activity under NLRA Section 7. Nothing in this policy is intended to interfere with rights under the FMLA, ADA reasonable accommodation process, or any applicable whistleblower law, including state protections such as New York Labor Law § 740 where applicable.

**California employees:** This policy must be applied consistently with California trade secret law, privacy requirements, and any applicable restrictions on employee agreements and offboarding practices. **New York employees:** Retaliation and whistleblower protections, including New York Labor Law § 740 where applicable, must be considered before any adverse action related to reporting suspected misconduct. **Illinois employees:** Final pay and wage deductions must comply with the Illinois Wage Payment and Collection Act and any applicable local rules. **Washington employees:** Paid sick leave and related leave rights must be preserved and cannot be interfered with by offboarding procedures. Where local law provides greater protection than this policy, the law controls.

This policy will be reviewed at least annually and whenever there is a material change in law, business operations, security controls, or incident trends. The policy holder, HR, Legal, and IT should document revisions, update training materials, and obtain re-acknowledgement when changes materially affect employee obligations.