Data privacy notice
Attosol Data Privacy Notice for Employees, External Staff, Candidates and Guests
Overview
Your privacy is important to Attosol (“we”, “us”, “our” or “Attosol”). We respect the privacy rights of all individuals and we are committed to handling personal data responsibly and in accordance with applicable laws and Employee Privacy Principles. This privacy notice, together with the Addenda and other notices provided at the time of data collection, explains what personal data Attosol collects about you, how we use this personal data, and your rights to this personal data.
Please note that this privacy notice applies to the handling of your personal data as an employee, former employee, candidate, guest, or as external staff. (“External staff” are workers who are not employed by Attosol and who have access to Attosol’s facilities and/or Attosol’s corporate network. This could include temporary workers, contractors, and business guests.) Attosol has additional governance and privacy requirements concerning the collection and uses of personal data.
This notice is not intended and shall not be read to create any express or implied promise or contract for employment, for any benefit, or for specific treatment in specific situations. Nothing in this notice should be construed to interfere with Attosol’s ability to process employee data for purposes of complying with our legal obligations, or for investigating alleged misconduct or violations of company policy or law, subject to compliance with local legal requirements.
Attosol's processing of personal data is in all cases subject to the requirements of applicable local law, internal policy, and where applicable or appropriate, any consultation requirements with worker representatives. To the extent this notice conflicts with local law in your jurisdiction, local law controls.
Personal Data that We Process (this may include data that you provide to us, that we collect about you, or that we assign to you.)
We collect, use, and store (collectively “process”) different types of personal data about you in the operation of our business. If you are an employee, we process personal data about you (and your dependents, beneficiaries and other individuals associated with your employment) primarily for managing our employment relationship with you and managing your interactions with workplace facilities/information systems. If you are a former employee, we process personal data about you primarily for legal compliance. If you are external staff or guest, the type of personal data we process is limited to what we need to manage your engagement with Attosol and access to Attosol facilities and information systems. If you are a candidate, the type of personal data we process is generally limited to what we need to engage with you about Attosol career opportunities, consideration of your application for employment to specific roles at Attosol, including candidate screening, interview scheduling and management, lawful background screening, and to on-board you at Attosol if you receive and accept an offer of employment with us. The personal data we process can include, but is not limited to, the following:
Name and contact data: Your first and last name, employee identification number, email address, mailing address, phone number, photo, beneficiary and emergency contact details, and other similar contact data. Additionally, you may opt to provide Attosol with additional contact information such as personal email address(es) and/or cell phone number(s).
Demographic data: Your date of birth and gender as well as more sensitive personal data (also known as special category data) including information relating to racial and ethnic origin, religious, political or philosophical beliefs, information about your health, disabilities, gender identity, and transgender status. We may also ask about your parental status. We process this personal data for a variety of reasons, and this will vary in our different jurisdictions. Our reasons for processing this data include:
- Where it is necessary to comply with local requirements and applicable law. For example, we may use this information to comply with anti-discrimination laws and government reporting obligations;
- To monitor and ensure diversity and equal treatment and opportunity;
- To provide work related accommodations or adjustments, to provide health and insurance benefits to you and to your dependents, and to manage absences from work.
Where the processing of this personal data is not required by law, we will seek your consent to process your data and, in the consent mechanism, we will explain the purposes for which we will use your data. This will be voluntary, and you may decide whether or not to give consent.
National identifiers: Your national ID/passport, citizenship status, residency status, or other taxpayer/government identification number.
Employment details: Your job title/position, office location and/or remote working location, employment contract, offer letter, hire date, termination date, performance history and disciplinary records, training records, leave of absence, sick time, and vacation/holiday records.
Spouse’s/partner’s and dependents’ information: Your spouse and dependents’ first and last names, dates of birth, and contact details.
Background information: Your academic and professional qualifications, education, CV/Resume, credit history and criminal records data (utilized for background screening and vetting purposes where permissible and in accordance with applicable law and consultation requirements).
Video, voice and image: We may collect and use your video, voice and image data, subject to the requirements of local law, internal policy, and any consultation requirements with worker representatives (where appropriate).
Financial information: Your bank account details, tax information, salary, retirement account information, company allowances and other information necessary to administer payroll, taxes, benefits, and equity and incentive compensation.
Learning and Skills Data: As described in the Learning and Skills Data Addendum.
Feedback and sentiment data: Your responses to employee surveys, feedback collected about managers and co-workers.
Workplace, Device, Usage, and Content data: Application data (such as data from Office 365, Teams, Outlook, or internal business processes) including emails sent and received, calendar entries, to-do items, instant messages, technical data and information (containing only limited identifiers, if any personal data at all) in the context of using (online) applications, building and information system access, Attosol devices, system and application usage (including telemetry) when accessing and using Attosol offices and assets. Please note, more information about the specific types of data Attosol may use for product improvement purposes can be found in several resources, including the Attosol Data Program (ADP) addendum to this DPN. We may also collect personal data about you from third parties or public sources as needed to support the employment relationship or to engage with you concerning job opportunities at Attosol. For example, before and during your employment or assignment with Attosol, we may collect information from public professional networking sources, such as your LinkedIn profile, for recruitment purposes. We also may conduct lawful background screenings, to the extent permitted by law, through a third-party vendor for information about your past education, employment, credit and/or criminal history. In the event of a natural disaster or other life/safety emergency, we may rely on public social media posts or other public sources to account for employees if otherwise unable to contact them. Additionally, if there is an investigation of an incident involving employees, we may obtain information relevant to the incident from external sources including private parties, law enforcement or news sources and public social media posts.
Why We Process Personal Data
We collect your personal data for the purposes set out below. Failure to provide your personal data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations.
- To administer your employment contract, offer letter or other commitments we have made to you. We collect and use your personal data primarily for the purposes of managing our employment or working relationship with you, and to fulfil our obligations under your employment contract, or applicable Attosol policies, including on-boarding, payroll, benefits and equity compensation administration, pension and retirement administration, managing vacation and other types of leave, tax reporting, and the like. A few examples include: your employment contract, your offer letter, promotion history and performance reviews, and your bank account and salary details.
- Other overriding and legitimate business purposes. We also may collect and use your personal data when it is necessary for other legitimate purposes, such as general HR administration, maintaining our directory of employees and external staff, general business management and operations, disclosures for auditing and reporting purposes, measuring employee sentiment, internal investigations, management of network and information systems security, administration of business applications and systems, business operations, workplace analytics, corporate workplace policy compliance, security, life safety, building management, space planning and allocation, provision and improvement of employee services and facilities, physical security and cybersecurity, data protection, for diversity and inclusion initiatives, to protect the life and safety of employees and others and in connection with the sale, assignment or other transfer of all or part of our business. We also use business data and other workplace usage, device and content data for organizational and individual analytics and data insight purposes to improve Attosol business operations, manager capability, and the employee experience. We may also use special applications and systems that record employee performance metrics, such as sales related or code databases for business operations purposes as well as for the purposes of reviewing, rewarding and coaching employees on their performance and for administration and assessment of training. We may also process your personal data to investigate potential violations of law or violations of our internal policies. Additionally, we may process your personal data to conduct scientific research, without your additional consent, when viewed as in the public interest and/or where there is a clear attempt for contributions to generalizable knowledge. In these cases, we will ensure appropriate technical and organizational controls are in place to protect your personal data, such as anonymizing and aggregating data to help protect your identity, ensuring use of your personal data is subject to our privacy standards and conducting ethics and compliance reviews prior to using your personal data.
- Legally required purposes. We may also use your personal data when necessary to comply with laws and regulations, including collecting and disclosing personal data as required by law (e.g., for minimum wage, working time, tax, health and safety, anti-discrimination laws), under judicial authorization, or to exercise or defend Attosol’s legal rights.
- Other uses of your data (where permissible and in accordance with applicable laws and consultation requirements)
We also may collect your internal usage data of Attosol products, services and internal applications and tools, including business data created by employees and external staff, to measure and improve these products. Additionally, your internal usage data may be combined with other business data, including workplace, device, usage, and content data, for product improvement purposes or to conduct aggregate analyses to improve internal tools and processes, business operations, manager capability, and employee experience. Where required by law, we will seek your consent for such usage; and where your consent is sought, we will ensure your consent is informed, voluntary, and that you suffer no adverse consequence from any decision to withhold or revoke your consent.
Change of Purpose
We will use your personal data only for the purposes for which it was collected, unless we reasonably need it for another compatible purpose and there is a legal basis for further processing. For example, relying upon our legitimate interest in recruiting candidates for roles at Attosol, we may process the personal data you provided while researching job openings. However, once you apply for and are successful in obtaining a role, we may process your personal data for the purpose of entering into an employment relationship with you.
How and Why We Share Personal Data
Attosol will only share your personal data with those who have a legitimate business need for it. Whenever we permit a third party to access your personal data, we will ensure the personal data is used in a manner consistent with this privacy notice (and any applicable internal data handling guidelines consistent with the sensitivity and classification of the personal data). Your personal data may be shared with our subsidiaries and affiliates and other third parties, including service providers, for the following legitimate purposes:
- To carry out the purposes of our personal data processing as described above (see section titled: “Why We Process Personal Data”);
- To enable third parties to provide services on behalf of Attosol. Third party data recipients include financial investment service providers, insurance providers, pension administrators and other benefits providers, childcare providers, payroll support services, relocation, tax and travel management services, health and safety experts, facility management, legal service providers, and security services;
- To comply with our legal obligations, regulations, government clearances, or contracts, or to respond to a court order, administrative or judicial process, such as a subpoena, government audit or search warrant. Categories of recipients would include counterparties to contracts, judicial and governmental bodies;
- In response to lawful requests by public authorities (such as regulatory bodies, law enforcement authorities, and national security organizations);
- To seek legal advice from external lawyers and advice from other external professionals such as accountants, management consultants, etc.;
- As necessary to establish, exercise or defend against potential, threatened or actual litigation;
- Where necessary to protect Attosol, your vital interests, such as safety and security, or the vital interests of other persons;
- In connection with the sale, assignment or other transfer of all or part of our business (such as a potential purchaser and its legal/professional advisers); or
- Otherwise in accordance with your consent.
Please note that where legal requirements limit the sharing of your personal data, Attosol will respect such requirements.
Use of Cookies and Web Beacons
Site pages may use cookies (small text files placed on your device). Cookies and similar technologies allow us to store and honour your preferences and settings; enable you to sign-in; combat fraud; and analyse how our websites and online services are performing. We also use “web beacons” to help deliver cookies and gather usage and performance data. Our websites may include web beacons, and cookies, or similar technologies from third-party service providers. You have a variety of tools to control the data collected by cookies, web beacons and similar technologies. For example, you can use controls in your internet browser to limit how the websites you visit are able to use cookies and to withdraw your consent by clearing or blocking cookies.
Workplace Security and Monitoring
Attosol monitors its IT and communications systems through automated tools such as network authentication and wireless connectivity hardware and software, anti-malware software, website filtering and spam filtering software, security software for cloud-based applications, access and transaction logging, mobile device management solutions, and internal and external audits. The primary purpose of this monitoring is Attosol’s legitimate interests in protecting its employees, customers, and business partners. For example:
- For systems, applications, and network security, including in particular the security of Attosol’s IT systems and assets, and the safety and security of its employees, external staff and other third parties;
- For network and device management and support;
- For proof of business transactions and recordkeeping;
- For the protection of confidential information and company assets;
- For investigating wrongful acts or potential violations of company policy; and
- For other legitimate business purposes as permitted under applicable law.
We also monitor our offices, and other workplace facilities, through video monitoring such as closed-circuit television (“CCTV”) and badge scans for security, life safety, workplace analytics, corporate workplace policy compliance, and building management purposes. CCTV is primarily used at office entrance and exit points, elevator lobbies, rooms where there may be valuable equipment, such as server rooms, and in other select areas with a high risk for theft or with highly sensitive assets. CCTV is not used in private spaces such as restrooms, new mothers’ rooms or locker rooms. Nor is it used to monitor employee workstations for performance reasons.
You should be aware that any message, files, data, document, audio/video, social media post or instant message communications, or any other types of information transmitted to, through or from, received or printed from, or created, stored or recorded on our IT and communications systems and assets (including via the use of personal devices accessing corporate IT systems), are presumed to be business-related and may be monitored or accessed by us in accordance with applicable law and workplace agreements, and subject to Attosol’s own policies on access to and uses of such data.
Security of Your Personal Data
Attosol is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect your personal data from unauthorized access, use, or disclosure. For example, we store the personal data you provide on limited access computer systems that are located in controlled facilities, and we protect certain highly confidential or sensitive personal data through encryption in transfer and at rest.
Our Retention of Personal Data
We will store personal data in accordance with applicable laws or regulatory requirements and retain data for as long as necessary to fulfil the purposes for which the personal data was collected, as documented in our corporate data retention schedule.
Changes to this Privacy Notice
We may occasionally update this privacy notice. When we do, we will revise the “effective date” and “version” at the top of the privacy notice. If there are material changes to this privacy notice or in how Attosol will use your personal data, we will use reasonable efforts to notify you either by prominently posting a notice of such changes before they take effect on our websites or by directly sending you a notification. We encourage you to periodically review this privacy notice to learn how Attosol protects your personal data.
How to Contact Us
If you have a privacy concern or question related to this privacy notice, please contact people@attosol.com.
Our address is: Attosol Private Limited, ANO-305 Astra Towers, Action Area II/C, Plot No - 2C/1, New Town Rajarhat, North 24 Parganas, Kolkata - 700161, West Bengal, India. Tel: +91-33-46034360
Attosol’s Employee Privacy Principles
Attosol believes that privacy is a fundamental human right. It is core to our business that customers and enterprises alike trust us with their data. Similarly, respecting these principles in the workplace empowers our employees to do their best work. Our employees power our mission each and every day. Their trust is essential if we are to achieve that mission. We firmly believe that employees do not fundamentally give up their privacy rights by virtue of their employment at Attosol. We respect the privacy laws and requirements of India. In many cases, Attosol goes beyond what is required to ensure that our employees can truly trust that Attosol will act responsibly with the data we gather about them and remain our Company’s greatest champions and advocates.
In short, Attosol takes a thoughtful, considered, and deliberate approach to employee privacy that both acknowledges the uniqueness of the employment relationship while also balancing the Company’s interests in running a secure, inclusive, efficient, and innovative operation.
The employment relationship is different from a customer relationship, and will at times mean that Attosol has contractual, legal or other requirements to use employee data, including to provide required government reporting, or take appropriate action to defend or prosecute legal claims made against or by the Company. Informed by both our desire to maintain trust and balance the different nature of the employment relationship, Attosol has adopted six core employee privacy principles:
I. Attosol provides notice about how employee data is used. Attosol first and foremost believes employees should have clear and appropriate notice about how employee data may be used. That notice starts with Attosol’s Data Privacy Notice for Employees, External Staff, Candidates and Guests (DPN). The DPN and its addenda set out the framework for all of Attosol’s processing of employee data. If you have not yet taken the opportunity to review the DPN, we encourage you to do so. The DPN and its addenda are updated annually, and employees are reminded of the DPN on an annual basis through required privacy training.
II. When appropriate, Attosol offers choice on how employee data is used. While Attosol does not rely on consent for processing most employee data (unless legally required), we do believe in offering employees choice as to how that data is processed, where appropriate. That choice can take many forms. In some cases, it’s offering employees the ability to opt-out of certain kinds of product features, or certain truly optional data uses. The Attosol Data Program (ADP) is a good example of this kind of choice. You can read more about that program in the ADP Addendum to the DPN. That program leverages approved Attosol business data for product development and improvement, subject to a number of controls and limitations. The unique nature of the employment relationship means that choice may be more limited or not available for certain kinds of data processing (payroll processing for example or, where permissible, aggregated data analytics). Similarly, where Attosol has legal or contractual rights or obligations to process or disclose data, we cannot allow for choice in how that data is used.
III. Attosol thoughtfully balances employee and company interests when using data. Where processing of employee data is not wholly supported by legal, contractual or other specific requirements, Attosol carefully considers its interests in using the data, and balances that interest against an individual employee’s privacy interests in the data. In particular, when it comes to using business data for certain kinds of optional or “secondary” uses, like product development, workplace analytics, or business insights, Attosol deeply considers the impact such use may have on employee privacy, and what controls it can and should establish to protect employee privacy before proceeding. Attosol might, for instance, provide opportunities to opt-out of particular data uses, ensure data is de-identified, pseudonymized or anonymized before use, use data aggregation in reporting and analysis, or implement other kinds of security measures and controls to ensure appropriate use of the data.
IV. Use of employee data is appropriately limited and controlled. When Attosol does make use of data it takes reasonable steps to ensure that we only use the data needed to fulfil a particular use. Access to data that is not necessary to support the intended scope is generally prohibited.
V. Attosol provides access to employee data. Attosol routinely provides its employees access to their own data, like their pay, benefits, vacation time, through self-service portals. Attosol also provides employees additional access to their individual data at the employee’s request, to the extent required by local law. Giving employees self-service access to, and the ability to make corrections and updates to that data as appropriate, ensures employees always have access to the data they care about most.
VI. Employee data is protected by industry-leading security safeguards. In addition to privacy, the security of our employee data is paramount. Data related to our employees is carefully controlled. We minimize access to more sensitive data, like that used by our HR teams, to those who truly have a business need to work with it.
Learning and Skills Data Addendum
This addendum applies to Learning and Skills Data that Attosol processes about employees and external staff for various purposes, subject to compliance with local laws, our own internal policies, third-party terms of use (e.g., where skills data or training is provided by third parties), and applicable third-party contractual requirements.
Learning and Skills Data are information about your professional development activities, such as training and achievements, skills, and related interests. Sources of Learning and Skills Data include information about your:
• Interactions with Learning websites, such as Udemy, Microsoft Learn, Viva Learning, when you authenticate with your Attosol employee account.
• Internal trainings, courses or other trainings, that you may attend to develop job, work, role or career-related skills. These offerings may be optional, encouraged, expected or even required; may be provided live, online or via audio and video recordings; and may be targeted broadly or scoped to your business, role or function.
• Certifications and achievements, such as Microsoft and third-party certifications you earn and choose to share. Some jobs, roles or functions may require specific certifications. If so, you will receive prior notice of such requirements. If certifications are mandatory, you may be required to share information about your successful completion of these certifications.
• Skills you identify or that can otherwise be inferred from your learning or professional activities.
• Participation in events, such as knowledge delivery sessions, and hackathons.
• Growth interests, such as the experiences or skills you indicate that you would like to build for your growth and development in 1:1 manager connects or other contexts, or the content or material you explore related to professional development, career planning, skill building, and other learning opportunities.
• Role-based development, such as hands-on or experiential activities you do to gain competence in your role.
Attosol may process various kinds of data from the above sources including (but not limited to):
• Contact Information and Demographic Data, for example, your name, contact information, job title, job level, profession, etc.;
• Attendance, performance, and completion data;
• Feedback about a particular event, course, training or offering;
• Analytics about your interactions with a training or learning website or service;
• Data about the skills you provide or are observed;
• Photos, videos or recordings (video and audio) of the training activity or event.
Attosol also collects Learning and Skills Data in various contexts. For example, Attosol collects Learning and Skills Data when you:
• Provide it, for example by sharing your professional development goals with your manager, joining an Attosol internal group affiliated with a certification or professional skill, or updating your profile by adding badges designating professional achievements;
• Register and participate in learning activities, such as knowledge delivery sessions, or a hackathon.
• Use learning services available only to Attosol employees and/or external staff, such as when you view professional development content or interact with learning modules; and
• Use learning services authenticated with your Attosol employee account, such as Udemy, Microsoft Learn, or Viva Learning.
Attosol uses Learning and Skills Data for the varied purposes set out below, which may involve automatic processing.
- To manage our employment or working relationship with you – including your career development opportunities. We process Learning and Skills Data for the purpose of managing our employment or working relationship with you, including fulfilling our obligations and commitments to you. Failure to provide your Learning and Skills Data when requested may prevent us from being able to carry out these tasks and/or comply with our legal obligations. For example, Attosol uses Learning and Skills Data to:
  • Verify you have completed training activities required in your role or as required by applicable laws;
  • Facilitate, at your direction, professional development and career planning;
  • Review, reward, and enhance employee performance and career development;
  • Identify career and growth opportunities for employees;
  • Determine appropriate resources for a particular customer opportunity or support scenario;
  • Assess employee potential for advancement;
  • Validate you have attended training paid for or reimbursed by Attosol; and
  • Assist you in identifying content or materials that may be aligned with your interests.
  • Administer the learning activities and programs including, for example, verifying prerequisites, communicating with learners or participants about the activity or program, and collecting feedback about the learning activity or program or other related activities.
- To provide and improve our services. We process Learning and Skills Data to provide and improve our services. For example, when you register for Microsoft training or certification exams, we use your Learning and Skills Data to determine if you have completed the training and, if appropriate, meet certification benchmarks. We process Learning and Skills Data for the purpose of improving our services. For example, we may:
  • Analyse Learning and Skills Data to determine which learning activities are most popular among new employees or employees with certain titles;
  • Combine Learning and Skills Data with other business intelligence data to identify and evaluate, on an aggregated basis, the effectiveness of learning products and services. For example, we may inquire whether certain learning activities increase satisfaction levels, improve employee safety, reduce security incidents, or have impact on career development opportunities or employee performance; or
  • Use feedback from learning activities to improve our services.
- Other lawful purposes. We process Learning and Skills Data for other lawful purposes, such as when:
  • Necessary for our legitimate business purposes, such as running our business, conducting business intelligence, for auditing and reporting purposes, managing our network and information systems security, and providing and improving employee services.
  • We suspect or discover violations of law or violations of our internal policies.
  • Permissible, with your lawfully obtained consent.
  • We consider it necessary for complying with laws and regulations, including collecting and disclosing personal data as required by law (e.g., for minimum wage, working time, tax, health and safety, anti-discrimination laws), under judicial authorization, or to exercise or defend Attosol’s legal rights.
Attosol Data Program (ADP) Addendum
This addendum applies to the Attosol Data Program (ADP) and the business-related data processed by ADP for purposes of debugging, testing, developing, and improving new and existing products and services (“ADP Data”). ADP data may be used for scientific research purposes and to train AI and machine learning models. ADP and the terms of this addendum apply to Attosol employees only, including former employees if they were employed at the time the data is extracted. External staff, guests and candidate data are specifically excluded from the scope of ADP. Employees may opt-out to limit their participation in the program at any time, without adverse consequence by writing to people@attosol.com. ADP is aimed primarily at the processing of data or information that is transmitted, created, exchanged or stored by Attosol employees using Attosol internal systems, software, services, and assets within the scope of their employment. Attosol will make reasonable efforts to implement controls to exclude nonbusiness-related data from the scope of ADP, where possible. While those controls are intended to limit the scope of ADP to processing Attosol business-related data, ADP may incidentally process certain personal content for employees that is created, stored or transmitted in Attosol owned or provided systems and resources. When that occurs, Attosol will continue to make reasonable efforts to refine its controls to better exclude such data in the future. At all times, ADP’s processing of data will comply with the stated requirements for ADP, as well as Attosol’s internal policies, and local law.
Sources of ADP data include, but are not limited to, emails and calendar information in Exchange, files stored in OneDrive for Business, content of meeting recordings, voice collected on work devices, messages in Viva Engage and Teams, content on SharePoint sites, diagnostic data from work devices, search data, product and services feedback data, and internal line of business applications. These are representative and non-exhaustive examples of the types of Attosol business-related data from which ADP may process data. In addition to content-related data from the above sources, Attosol may also process various additional kinds of data from the above sources in support of ADP including (but not limited to):
• Basic Demographic Data, including, for example, your name and alias, etc.;
• Meta-data associated with the applicable content, such as time and date information, signals related to authorship and modification of data, document and meeting titles, etc.; and
• Telemetry data, such as data related to product and feature usage, associated with the above content types and services, or machine-related data such as software version history, machine type, operating system version, etc.
Attosol’s use of ADP data is premised on Attosol’s legitimate interest in using its own business data for business-related purposes, as that use strongly exceeds our employees’ individual interest in the privacy of such business-related data. Attosol may process certain ADP data based on employee consent, to the extent: (1) an individual’s privacy interest would exceed Attosol’s interest in the processing; and (2) local law requires Attosol to obtain consent prior to such processing.
Where consent constitutes the primary basis for processing data under ADP, Attosol will in all cases ensure consent is voluntary and informed and will also ensure employees suffer no adverse consequence for refusing to give or later revoking such consent, and gain no specific benefit from choosing to participate or contribute data to ADP.