Global Data Privacy Notice for Employees, Contractors, Candidates and Visitors

Overview

Privacy is important to Spire. Spire is committed to handling personal data responsibly and in accordance with applicable laws and Spire’s Employee Privacy Principles (Appendix A). This Data Privacy Notice (DPN), together with its appendices/addenda and other notices that may be provided to you at the time of data collection, explain what personal data Spire processes about you, how Spire uses this personal data, and your rights to this personal data.

This DPN applies to the handling of your personal data as an employee, former employee, contractor, candidate, or visitor – including individuals who are not employed by Spire and who have access to Spire’s facilities and/or Spire’s corporate network. Such individuals could include temporary workers, outsourced staff, contractors, and business or other on-site visitors.

The Spire group entity that serves as data controller for your personal data is the specific legal entity with which you have or had a direct contractual or similar relationship (whether as an employee, contractor, candidate, or visitor). This information may be specified in your contract or engagement letter and also in the Appendices to this DPN.

This notice is not intended and may not be read to create any express or implied promise or contract for employment, for any benefit or for special treatment in specific situations. Nothing in this notice may be construed to interfere with Spire’s ability to process employee data for purposes of complying with our legal obligations or for investigating alleged misconduct or violations of company policy or law, subject to compliance with legal requirements.

Spire’s processing of personal data is in all cases subject to the requirements of applicable local law, internal policy, and where applicable or appropriate, any consultation requirements with worker representatives. To the extent this notice conflicts with local law in your jurisdictions, local law controls.

Personal Data that Spire Processes

We collect, use, and store (collectively “process”) different types of personal data about you in the operation of our business.

• If you are an employee, we process personal data about you (and your dependents, beneficiaries and other individuals associated with your employment) primarily for managing our employment relationship with you and managing your interactions with workplace facilities/information
• If you are a former employee, we process personal data about you primarily for legal
• If you are a contractor or visitor, the type of personal data we process is limited to what we need to manage your engagement with Spire and access to Spire facilities and information systems.

• If you are a candidate, the type of personal data we process is generally limited to what we need to engage with you about Spire career opportunities, consideration of your application for employment to specific roles at Spire, including candidate screening (to the extent permitted by law), interview scheduling and management, lawful background screening, and onboarding at Spire if you receive and accept an offer of employment with. Please see “Why Spire Processes Personal Data” for more information about how we use your personal data for managing the employment relationship.

The personal data we process depends on the specific Spire entity acting as data controller and the nature of our relationship with you. Personal data categories may include:

• Name and contact data. Your first and last name, employee identification number, email address, mailing address, phone number, photo, beneficiary and emergency contact details, and other similar contact data. Additionally, you may opt to provide Spire with additional contact information such as personal email address(es) and/or cell phone number(s).
• Demographic data. Your date of birth and gender as well as more sensitive personal data (also known as special category data), if you have consented to provide them, including information relating to racial and ethnic origin, or information about your health, disabilities, sexual orientation, gender identity, and transgender We may also ask about your parental status and military status.
• National identifiers. Your national ID/passport, citizenship status, residency and work permit status, social security number, or other taxpayer/government identification number.
• Employment details. Your job title/position, account credentials, office location and/or remote working location, employment contract, offer letter, hire date, termination date, performance history and disciplinary records, hours worked, access token (e.g., plastic access cards, FOBs or the Verkada app) activity information, training records, leave of absence, sick time, and vacation/holiday records.
• Spouse’s/partner’s and dependents’ information. Your spouse and dependents’ first and last names, dates of birth, and contact details.
• Background information. Your academic and professional qualifications, education, CV/resume, credit history and criminal records data.
• Video, voice and image. We may process your video, voice and image data, subject to the requirements of local law, internal policy and any consultation requirements with worker representatives (where appropriate).
• Financial information. Your bank account details, tax information, salary, retirement account information, company allowances and other information necessary to administer payroll, taxes, benefits, and equity and incentive compensation.
• Learning and Skills Data. As described in the Learning and Skills Data Addendum (Appendix E).
• Travel information, such as loyalty programs numbers; dates; hotel names and locations; and travel routes, departures, stops, and destination points.
• Personal vehicle information, such as license plate number, color, year, make, and
• Feedback and sentiment data. Your responses to employee surveys and feedback about managers, reports and co-workers via tools such as BambooHR.

• Workplace, Device, Usage, and Content data. Application and communication data (such as data from Office 365, Teams, Outlook, or internal business processes) including emails sent and received, calendar entries, to-do items, instant messages, technical data and information (containing only limited identifiers, if any personal data at all).
• Inferences. Inferences to create a profile reflecting your personal characteristics (such as work history and experience), abilities, and aptitudes.
• Sensitive Personal Data. We may process certain “sensitive” or “special categories” of Personal Data (“Sensitive Personal Data”). To support our legal and business activities, and as permitted by law, we may process Sensitive Personal Data as part of our employment relationship with you. Examples of Sensitive Personal Data that we may process include:
  • government issued identifiers, such as social security information, driver’s license, state identification card, or passport number;
  • account log-in in combination with a security or access code, password, or credentials that allow access to an account;
  • precise geolocation;
  • sensitive demographic information such as racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership;
  • biometric information (where used for the purpose of uniquely identifying you);
  • health information (such as information necessary to provide an accommodation related to your health);
  • sexual orientation (to comply with our legal obligations related to anti-discrimination requirements); and
  • in certain locations, such as California, the content of your communications where we are not the intended recipient.

Sources of Personal Data

In addition to collecting personal data from you (directly or indirectly), we obtain personal data about you from data sources other than you, including:

• Inference data that we generate or derive about you from personal data we process about
• References provided by or about you, including from former and current
• Third parties or public sources, for example information from public professional networking sources, such as your LinkedIn profile, for recruitment purposes.
• Our vendors and other providers, such as when we conduct lawful background screenings, to the extent permitted by law, through a third-party vendor who provides us information about your past education, employment, credit and/or criminal history.
• Insurance and benefit
• Travel partners such as travel agents and portals, car-hire service, and ride share
• Corporate transactions, for example as part of an acquisition, merger, divestment,

• Additionally, if there is an investigation of an incident involving employees, we may obtain information relevant to the incident from external sources including private parties, law enforcement or news sources and public social media posts.

Why Spire Processes Personal Data

Spire collects, uses, stores, and processes personal data for the exemplary purposes set out below. Failure to provide your personal data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations. Please also review the Learning and Skills Data Addendum (Appendix E) for supplementary information about how we may process personal data in connection with those activities.

• Recruitment and Hiring. For recruitment and hiring purposes, including engaging with candidates concerning job opportunities at Spire, considering an application for employment to specific roles, candidate screening, interview scheduling and management, lawful vetting and background screening, and preparing an offer letter.
• Management of the Employment or Working Relationship. For onboarding new hires and management of our employment or working relationship with employees.
• Payroll, Compensation, and Accounting. For payroll and compensation activities, including tax reporting, administering equity and incentive compensation, administering Rewards, expense reimbursement, and other accounting tasks.
• Benefits Registration and Administration. For activities related to benefits registration and administration for employees (and dependents and beneficiaries), including holiday leave, other types of leave, insurance, health, equity, retirement, childcare, relocation, tax and travel management services, financial investment services, and other benefits.
• Career Planning and Development. For activities related to career planning and development, including assessing and providing Spire career opportunities.
• Training and Coaching. To administer training and coaching related to roles at Spire, to support learning learn new skills, or as part of overall career development for individual or teams.
• Performance Management. To conduct performance management and review activities, including reviewing, rewarding, and assessing individual employees on their performance.
• General Human Resources (HR) Administration. For our general HR administration, including the HRIS (HR Information system), general HR and workplace management, maintaining Spire’s global directory of employees and those contractors who have access to Spire’s systems, recording employee performance, and measuring employee sentiment.
• Emergency Notifications. To communicate with or provide notification to you or your designated emergency contact in the event of a natural disaster or other life/safety emergency, including communications to employees and employee-designated contacts, accounting for employees during emergencies, and other communications necessary to protect the life and safety of employees and others.
• Equal Opportunity Assessment and Accommodations. To manage and assess equal employment opportunity, inclusion and accessibility programs, including monitoring and ensuring equal treatment and opportunity, providing work-related accommodations or adjustments, and for our global equal opportunity initiatives.

• Identifying Office For security and legal reasons, to identify visitors to our offices.
• Legal and Policy Compliance Administration and Enforcement. To administer and enforce our legal and policy compliance programs and requirements, including fulfilling our obligations under our contracts, government clearances, applicable export control laws, and applicable Spire policies; maintaining required records (e.g., tax information of former and current personnel); collection or disclosure of personal data under judicial authorization (e.g., a court order, administrative or judicial process, or other lawful request by a public authority, in the U.S. or a foreign jurisdiction); performing lawful background screenings; for complying with laws and regulations (e.g., for minimum wage, working time, tax, health and safety, anti-discrimination laws, government reporting obligations, global migration, whistleblowing procedures, and data subject rights); and investigating potential violations of, exercising, or defending Spire’s legal rights (including seeking legal advice, combatting fraud, and protecting the life and safety of employees and others).
• Disciplinary Matters and Investigations. To address disciplinary matters and conduct investigations, including investigating wrongful acts or potential violations of Spire’s internal policies, obtaining information relevant to incidents involving employees, and administering and enforcing disciplinary actions.
• Corporate Transactions. To undertake and administer corporate transactions, including the sale, assignment, or other transfer of all or part of our business, or Spire’s acquisition and integration of all or part of another business (e.g., integrating or enabling access to information about individual employees between Spire and the acquired business).
• Managing, Monitoring, Protecting, and Improving Systems. For activities related to managing, monitoring, protecting, and improving information systems, services, networks, applications, devices and other assets, infrastructure, technology, and resources (“Systems”), including managing, measuring, assessing, and protecting unauthorized access and use of confidential company, employee and customer data or Systems; complying with cybersecurity requirements; and protecting Spire Systems from intrusions, including by implementing, administering, testing, updating, and improving cybersecurity and data protection We also use business data and other workplace usage, device and content data for organizational and individual analytics and data insight purposes to improve business processes and security.
• Managing, Monitoring, Protecting, and Improving our Facilities. For activities related to managing, monitoring, protecting, and improving Spire office spaces, conference rooms, parking, ground stations, and other physical spaces including monitoring and administering access to our facilities, analyzing building occupancy and utilization, parking and transportation, space planning and allocation, provision and improvement of employee services and facilities, undertaking measures for health and safety of persons using our facilities; operating and monitoring physical security systems, such as video cameras and access token systems, and guest logs; registering and logging exit and entry times; and emergency notification services.
• Personalization. For personalization activities such as to understand your preferences to enhance employee experience, including storing and honoring preferences and settings and enabling you to sign-in or otherwise access and use our Systems and assets.

• AI and Automated Decisions. Third-party products may use AI to facilitate certain features and experiences. Where permissible, AI and machine learning (ML) technologies may also be used to process data for the business purposes described in this section. Spire’s processing of data complies with its commitment to responsible AI. We may also use automated decision-making systems to identify trends and outages and monitor and secure Systems and data, to provide chatbots and other interactive services, and monitor compliance with Spire policies and
• General Business Operations. For Spire’s general business operations, including general management of the business (e.g., management of employees and business tasks), implementing and managing business applications and systems, and facilitating communications and
• Workplace Communications. To provide, support, and maintain workplace communication tools and technologies, including those supporting email, chat, and audio/video communications (which includes recording or storing such communications as further described in the Workplace Security and Monitoring section below).

We may combine data from different sources for the above purposes.

We may also process personal data for other legitimate business purposes as permitted under applicable law as necessary to manage our employment or working relationship with you.

When required by law, Spire seeks consent for the above uses. Where consent is sought, we take measures to ensure consent is informed, voluntary and that you suffer no adverse consequence from any decision to withhold or revoke your consent.

Change of Purpose

We use personal data only for the purposes for which it was collected, unless we reasonably need it for another compatible purpose, there is a legal basis for further processing, and you have been informed accordingly. For example, relying upon legitimate interest in recruiting candidates for roles at Spire, we may process the personal data provided while researching job openings. However, once you apply for and are successful in obtaining a role, we may process personal data for the purpose of entering into an employment relationship.

How and Why Spire Shares Personal Data

Spire only discloses personal data with those who have a legitimate business need for it. Whenever Spire discloses personal data, we ensure the personal data is used in a manner consistent with this DPN and any applicable internal data handling guidelines consistent with the sensitivity and classification of the personal data. Personal data may be disclosed to Spire subsidiaries and affiliates and other third parties, including service providers, for the following legitimate purposes:

• To carry out the personal data processing as described above (see Why We Process Personal Data);
• To enable third parties to provide services on behalf of Spire. Third party data recipients include, for example, providers and administrators of financial investment services, insurance, pension, and other benefits you may have access to as a result of your employment, as well as, health and safety experts, facility management, legal service providers, and security services;
• To comply with legal obligations, regulations, government clearances, or contracts, or to respond to data subject rights, a court order, administrative or judicial process, such as a subpoena, government audit or search warrant. Categories of recipients may include counterparties to contracts, judicial and governmental bodies;
• In response to lawful requests by public authorities such as regulatory bodies, law enforcement authorities, and national security organizations;
• To seek legal advice from external lawyers and advice from other external professionals such as accountants, management consultants, ;
• As necessary to establish, exercise or defend against potential, threatened or actual litigation;
• Where necessary to protect Spire, your vital interests, such as safety and security, or the vital interests of other persons;
• In connection with a corporate transaction or proceeding, including the sale, assignment or other transfer of all or part of our business (such as a potential or actual purchaser and its legal/professional advisers) and integration activities related to a corporate transaction, including where Spire is the purchaser; or
• Otherwise in accordance with your

Where legal requirements limit the disclosure of personal data, Spire respects such requirements.

Your Rights to Your Personal Data

In some regions, you may have certain rights under applicable data protection laws (such as the European Union and United Kingdom GDPR). Please see the appendices/addenda to this notice for additional information by region/country.

Use of Cookies and Web Beacons

Site pages may use cookies (small text files placed on your device) and similar technologies. These cookies and similar technologies allow us to store and honor your preferences and settings; enable you to sign-in; combat fraud; and analyze how our websites and online services are performing.

We also use “web beacons” to help deliver cookies and gather usage and performance data. Our websites may include web beacons, and cookies, or similar technologies from third-party service providers.

You have a variety of tools to control the data collected by cookies, web beacons and similar technologies. For example, you can use controls in your internet browser to limit how the websites you visit are able to use cookies and to withdraw your consent by clearing or blocking cookies.

Workplace Security and Monitoring

Spire monitors its IT and communications systems through automated tools such as network authentication and wireless connectivity hardware and software, anti-malware software, website filtering and spam filtering software, security software for cloud-based applications, access and transaction logging, mobile device management solutions, and internal and external audits.

Where permitted, we also monitor our offices, ground stations and other workplace facilities, through video monitoring and access token scans. Video cameras are primarily used at office entrance and exit points, elevator lobbies, rooms where there may be valuable equipment, such as server rooms, and in other select areas with a high risk for theft or with highly sensitive assets. Video cameras are not used in private spaces such as restrooms or new mothers’ rooms. Video cameras also are not used to monitor employee workstations for performance reasons. Spire also does not monitor laptop webcam/microphone activity.

Spire collects, retains and processes personal data of employees, contractors and visitors who use access tokens to enter Spire’s offices, controlled and restricted areas. Spire collects, stores and processes the information to: (i) protect the health and security of the Spire’s premises; (ii) monitor the days Spire employees are in person at a Spire facility to meet internal policy requirements; (iii) record access to restricted areas to comply with applicable legal, policy and/or contractual requirements; and (iv) track the time contractors of Spire spend in a Spire facility in accordance with their contract.

You should be aware that any message, files, data, document, facsimile, audio/video, social media post or instant message communications, or any other types of information transmitted to, through or from, received or printed from, or created, stored or recorded on our IT and communications systems and assets (included via the use of personal devices accessing corporate IT systems), are presumed to be business- related and may be monitored or accessed by us. Further, employees and others covered under this DPN who are potentially higher-risk based on certain factors (such as working in a sensitive role, access to sensitive data, or other personnel-related factors) may be subject to enhanced monitoring for activity conducted on corporate owned or corporate joined devices in order to detect unusual or anomalous activity. Monitoring and access are conducted in accordance with applicable law and workplace agreements (such as works council agreements), and subject to Spire’s own policies (including notice where appropriate) on access to and uses of such data, including the “Why We Process Personal Data” section.

Security of Your Personal Data

Spire is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. For example, we take reasonable steps to ensure that we only use the data needed to fulfill a particular use and restrict access to data that is not necessary to support the intended scope.

For systems that contain data that authorized users should not be able to view or that is sensitive and should not be viewable by default and is not otherwise protected via access controls, we utilize security controls such as masking techniques (e.g., encryption, hashing, etc.) to prevent unauthorized access.

Where Spire Stores and Processes Personal Data

Spire operates globally and therefore personal data may need to be transferred to countries outside of where the personal data was originally collected. For example, because we are headquartered in the United States, personal data collected in other countries is routinely transferred to the United States for processing. We transfer personal data from the European Economic Area and the United Kingdom to other countries, some of which have not yet been determined by the European Commission to have an adequate level of data protection. For example, their laws may not guarantee you the same rights, or there may not be a privacy supervisory authority there that is capable of addressing your complaints. To learn more about the European Commission’s decisions on the adequacy of the protection of personal data in the countries where Spire processes personal data, see this article on the European Commission website.

When we engage in such transfers within Spire or with third-party service providers, we use mechanisms such as contractual clauses and transfer impact assessments to help protect your rights and enable these protections to travel with your data. Following a transfer impact assessment, we also may implement supplementary technical and organizational measures to ensure protection essentially equivalent to EU standards.

We may also, in specific and limited circumstances, transfer personal data when (i) you have consented to disclosure abroad; (ii) it is necessary for the conclusion or performance of a contract; (iii) it is necessary to safeguard an overriding public interest or to establish, exercise, or enforce legal rights; (iv) it is necessary to protect the life or the physical integrity of you or another person, and it is not possible to obtain your consent within a reasonable time; (v) you have made the data generally accessible and have not explicitly prohibited processing; or (vi) the data originates from a statutory register to which we have legitimate access.

Retention of Personal Data

We store personal data in accordance with applicable laws or regulatory requirements and retain data for as long as necessary to fulfill the purposes for which the personal data was collected, as documented in our data retention policy.

Changes to this Data Privacy Notice

We may occasionally update this DPN. When we do, we will revise its “effective date.” If there are material changes to this DPN or in how Spire uses your personal data, we use reasonable efforts to notify you either by prominently posting a notice of such changes on our websites or by directly sending you a notification. We encourage you to periodically review this DPN to learn how Spire protects your personal data.

How to Contact Us

For copies of additional privacy documents mentioned in this DPN, or if you have a privacy concern or question related to this notice, please contact [email protected].

Our local addresses and phone numbers are: