Articulate Global LLC

United States

Retention Standards ● Each business area is responsible for the information it creates, uses, stores, processes and destroys, according to the requirements of this policy. The responsible business is considered to be the information owner. ● The organization’s legal counsel may issue a litigation hold to request that information relating to potential or actual litigation, arbitration or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the legal counsel. ● Information used in the development, staging, and testing of systems shall not be retained beyond their active use period or copied into production or live environments. ● Information owners must enforce the retention, archiving and destruction of information, and communicate these periods to relevant parties. Retention ‘Active Use’ ● ‘Active use’ is defined as secured storage of information such that the information is generally accessible by authorized users in the ordinary course of business. ● By default, the retention period of customer content data, who have monthly subscriptions shall be in an ‘active use’ period for the life of customer subscription plus thirty (30) days. ● By default, the retention period of customer content data, who have annual subscriptions shall be in an ‘active use’ period for the life of customer subscription plus six months. ● The retention period for customer logs shall be 365 days. ● All corporate data shall be in an ‘active use’ period of at least seven years from its creation. ● After the active use period of information is over in accordance with this policy and/or its approved exceptions, information shall be archived for a defined period. Once the defined archive period is over, the information must be destroyed.

Retention Archiving Archiving is defined as secured storage of information such that the information is rendered inaccessible by authorized users in the ordinary course of business but can be retrieved by an administrator designated by company management. Electronic records must be archived with strict access controls set by the information owner and appropriate to secure the confidentiality, integrity and accessibility of the information. ● The default archiving period of customer content data shall be 60 days. ● The default archiving period of corporate information shall be 7 years unless an approved exception permits a longer or shorter period. Exceptions must be requested by the information owner. o As a guideline, an archiving period of more than 7 years may be granted for information with a vital historical purpose such as corporate records, contracts, and technical/trade secrets. o As a guideline, an archiving period of less than 7 years may be granted for information with a limited business purpose such as email, travel itineraries, pre-trip advisories, or to comply with specific legal, contractual and/or regulatory requirements (e.g., PCI DSS, GDPR, etc.) Information Destruction ● Information must be destroyed at the end of the elapsed archiving period. ● All archived customer content data is overwritten once it reaches the end of its archival period. ● Storage devices are decommissioned by the organization’s hosting environment provider using the guidelines in NIST 808-88. This includes any data found on each storage device.

Data Backup - Sensitive Data (which includes Restricted and Confidential Data). ● Data is stored on Amazon Web Services S3 and RDS. o S3 contains all files containing media and image. o RDS contains structured data. ● Backups shall be stored redundantly on across three physically isolated and resource independent locations to ensure high availability. ● Data Backups shall be performed daily. o Tests shall be performed nightly with full automation and monitoring to ensure backups are in a restorable state. Alerts must be system generated. Engineering monitors the system alerts and resolves any issues in a timely manner. Data Backup - Removable Media ● Confidential Data shall not be stored on removable media. ● Restricted Data may be stored on removable media with approval from Management. The owner of the removable media, where practical, must ensure that an alternate or backup copy of the information located on the device exists.

United States

We partner with industry-leading hosting providers to create redundant and reliable hosting infrastructure. All Articulate services are hosted on Amazon Web Services (AWS) in the us-east-1 region located in northern Virginia in the United States. We make frequent automated backups of customer data and have implemented up-to-the-minute recovery options where feasible. We store backups in a redundant way and test our recovery frequently to reduce the likelihood of data loss and minimize downtime in a large-scale disaster. We have built redundancy into all our services to eliminate single points of failure in our infrastructure.

AWS

yes

Contact privacy@articulate.com to request deletion or a copy of the data we collected about you. The Articulate Compliance Team manages all such requests.

no

no

yes

security-disclosure@articulate.com

yes

yes

no

yes

no