PRGX Global, inc.
Privacy statement

November 11, 2021

November 11, 2021

PRGX Global, Inc. and its affiliates and subsidiaries (collectively referred to in this Statement as “PRGX”, “we”, “our”, or “us”) are committed to respecting and protecting the privacy of individuals with whom we come into contact, including our employees, our clients and their suppliers and vendors, our suppliers and vendors, our investors and those individuals who browse and use our websites. We believe in protecting individual rights with respect to the privacy of their Personal Information.

This Privacy Statement (“Statement”) governs our collection, use, disclosure and processing of Personal Information that we collect and process about our clients, our suppliers and vendors, our investors and individuals who browse and use our websites (collectively referred to in this Statement as “you” or “your”). In addition, we may also receive Personal Information from our clients to perform services on their behalf, and from other third parties as described in this Statement.

This Statement may be updated from time to time to reflect changes in our Personal Information practices, and we will post a prominent statement on our website to notify you of any significant changes and highlight the changes in the Statement. This Statement may also be supplemented by differing terms that apply to you, such as specific client contracts.

Lavante Inc., a wholly owned subsidiary of PRGX USA, Inc., is a covered entity under this Statement. Please visit www.lavante.com/company/privacy-policy to view Lavante’s Privacy Statement.

1. DEFINITIONS

Personal Information (“Personal Information”) is information that pertains to or is about any individual, or is capable of being associated with or can be linked to or used to identify that individual. Personal Information does not include information that is encoded or publicly available information that has not been combined with non-public Personal Information. Personal Information does not include information that pertains to or is about a specific individual, but from which that individual could not reasonably be identified. Without prejudice to the foregoing, with respect to information under the territorial scope of applicable data protection laws of the European Union (“EU”) or the United Kingdom (“UK”), “Personal Information” is any information relating to an identified or identifiable natural person.

Sensitive Personal Information (“Sensitive Personal Information”) means Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or specifies sex life.

Without prejudice to the foregoing, with respect to Personal Information under the territorial scope of applicable data protection laws of the EU or the UK, “Sensitive Personal Information” is any information as described in the definition above and also includes data concerning sexual orientation, genetic data and biometric data for the purpose of uniquely identifying a natural person.

2. INFORMATION WE COLLECT

We collect Personal Information in a variety of ways through our normal business activities, in both online and offline contexts. This includes, for example, when you communicate and interact with us, including when you participate in events, register for webinars, submit website contact forms, opt-in or request information from PRGX, register as a user on our website or web-based software-as-a-service-based applications, or visit and use our websites. We may also receive Personal Information from third parties, including public databases, social media platforms, trade-show lists, sponsorships, or third-party partners such as analytics or marketing providers. In the normal course of activities, we may collect the following types of Personal Information:

• Contact information that allows us to communicate with you, such as your name, job title, age and prefix, username, mailing address, tax identification number, telephone numbers, email address or other addresses that allow us to send you messages, company information and registration information you provide on our website.

• Relationship Information that helps us do business with you, such as the types of products and services that may interest you, contact and product preferences, languages, creditworthiness, marketing preferences and demographic data.

• Transaction Information about how you interact with us, including purchases, inquiries, customer account information, order and contract information, delivery details, billing and financial data, details for taxes, transaction and correspondence history, and information about how you use and interact with our websites.

• Security and Compliance Information that helps us to secure our interests, including information for conflict checks, fraud prevention and internal verification, as well as information necessary for the security of our premises, such as visual or audio recordings.

We do not knowingly collect Sensitive Personal Information about you except when this is provided by you on a voluntary basis.

We may also receive and process third party Personal Information from and on behalf of our clients to perform our services (please refer to Section 4 of this Statement if you would like to find out how we protect this Personal Information).

Please note: Personal Information of our job applicants and employees is protected by the PRGX Employee Privacy Statement that is readily available on career sites that collect applicant Personal Information.

3. HOW WE USE YOUR PERSONAL INFORMATION

We take reasonable steps to ensure that the Personal Information we process is reliable for its intended use, is accurate, up-to-date and complete, and is limited to the Personal Information required to carry out the purposes of the processing, as described in this Statement. Where appropriate, we may ask you to ensure that your Personal Information that we hold is accurate and up to date.

When we collect Personal Information, our use and processing of your Personal Information is limited to the following legal bases and purposes:

• To Provide Our Services: managing our contractual obligations, including interacting with you, fulfilling your orders for products or services and related activities, such as product and service delivery, customer service, account and billing management, support and training and to provide other services related to the contract you have with us.

• To Comply with Our Legal Obligations: corporate governance, audit, reporting and legal compliance and the establishment, exercise or defense a legal claim.

• For Other Legitimate Business Purposes: managing our everyday business needs, such as payment processing and financial account management, product development, contract management, website administration, fulfillment, consumer research, trend analysis, financial analysis and other customary internal purposes, such as anonymous benchmarking, reporting or quality assurance purposes and marketing and to ensure the security of our websites, networks and systems, and premises, as well as protecting us against fraud. • Based on Your Consent: managing your ongoing relationship with us, including interacting with you, informing you about our products or services that may be of interest to you, as well as special offers and promotions.

When you visit our websites, otherwise request us to provide a service or decide to enter into agreement with us, we will notify you when information is required to provide our services, enter into agreement or as required by law, upon which you may decide to provide us with your Personal Information or not. Where your Personal Information is required, we may be unable to provide you with our services or enter into agreement with you unless you provide us with the relevant information.

4. HOW WE PROTECT PERSONAL INFORMATION WE PROCESS ON BEHALF OF OUR CLIENTS

PRGX is a business-to-business information and professional services firm that collects and processes transactional client data for improving clients’ financial performance by reducing costs, improving business processes and increasing profitability. PRGX’s core business segment is recovery audit services which is the processing of source-to-pay transactional information (e.g., accounts payable data, vendor file information and line item/product data) to identify client overpayments made to their third-party suppliers or vendors. Other business segments include providing analytics and advisory services to senior financial executives.

We process this transactional information on behalf of our clients to perform the requested services. This transactional information may contain Personal Information in limited circumstances, such as when a client’s third-party supplier or vendor happens to be a sole proprietor. Information on these individuals is used and processed as instructed by our clients for accounts payable recovery auditing or other requested services in accordance with client contractual requirements. In any event, regarding transactional information that constitutes Personal Information, we act in a data processor capacity, meaning we collect and process this Personal Information only as instructed by our client and will not use or disclose it for our own purposes.

We do, however, maintain information security controls to protect this Personal Information and will only disclose or transfer this information as instructed by or agreed upon with our client to provide the requested service. Unless otherwise instructed by our clients, we treat the Personal Information we process on behalf of our clients in line with our commitments on disclosure and transfer as set forth in this Statement.

5. DISCLOSURES OF PERSONAL INFORMATION

We may disclose Personal Information collected by or provided to us to the following recipients:

(1) our affiliated companies (including our subsidiaries and branches) for purposes stated in this Statement;

(2) to third party service providers, such as agents and contractors, for customary business purposes or for facilitation or improvement of the services we provide to our clients;

(3) to third party vendors, whom we contract with for specific purposes;

(4) to public authorities in response to lawful requests to meet national security or law enforcement requirements;

(5) where needed to protect our legal rights;

(6) to a newly formed or acquiring organization if PRGX is involved in a merger, sale or transfer of some or all of its business;

(7) where otherwise required by law;

(8) where permitted by law, such as with your consent or in the event of an emergency; or (9) at the request of an individual client, to a third-party agent for additional services, as arranged by the client.

In all circumstances, we complete a screening process in which we validate that the third party has appropriate technical, administrative, and physical controls in place to protect the security, confidentiality, and integrity of Personal Information. In addition, we ensure that appropriate contracts are reviewed and executed to ensure adequate controls around confidentiality, limited use, proper disposal, and retention of Personal Information.

6. INTERNATIONAL DATA TRANSFERS

PRGX may perform services, including the processing of Personal Information, using one or more of its worldwide affiliates (wholly-owned PRGX company group entities), including those based in the UK, EU member states, the United States (“U.S.”), and India, unless otherwise prohibited by client contractual requirements.

As such, in case your Personal Information originates from the European Economic Area (“EEA”) or the UK, this may include transferring Personal Information outside the EEA or the UK to locations in the U.S. and other countries that have different data protection laws than those in the country of origin and that may not have been granted an adequacy decision by the European Commission or the Information Commissioner’s Office in the UK.

In this regard, for any such Personal Information subject to EU or UK data protection laws, PRGX takes measures designed to provide the level of data protection required in the EU and UK, including ensuring transfers are governed by the requirements of the Standard Contractual Clauses adopted by the European Commission or another adequate transfer mechanism. PRGX entities have also entered into intragroup transfer agreements based on the Standard Contractual Clauses which allows for the processing and transfer of Personal Information. In addition, PRGX USA, Inc. is subject to the investigatory and enforcement powers of the Federal Trade Commission or any other U.S. authorized statutory body.

For further information, please contact us through the “How to Contact Us” section below.

7. SECURITY AND DATA INTEGRITY

PRGX is committed to protecting the privacy, confidentiality, and security of the data that is provided to us, including Personal Information, through a combination of technical, physical and administrative controls, including internal policies, practices and procedures.

We apply appropriate technical, physical and organizational measures that are reasonably designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access where Personal Information is transferred over a network, and against all other unlawful forms of processing. Access to Personal Information is restricted to authorized recipients on a need-to-know basis. We maintain a comprehensive information security program that is proportionate to the risks associated with the processing. The program is continuously adapted to mitigate operational risks and to ensure the protection of Personal Information taking into account industry-accepted practices. We will also use enhanced security measures in case we process any Sensitive Personal Information.

PRGX’s privacy and security framework is based on ISO 27001 standards and, as such, we have a strong focus on establishing, maintaining, and continuously improving information security management systems and identifying, analyzing, and addressing information security risks. The ISO 27001 standards cover all aspects of security including physical protection of equipment and people, hiring practices, employee training, network security, and access controls. This framework combined with regular monitoring and testing of controls, allows us to ensure that appropriate levels of data confidentiality, integrity, and availability are maintained.

8. DATA RETENTION

We will retain your Personal Information only for as long as necessary to achieve the purposes outlined in this Statement, usually for the duration of any contractual relationship, if necessary to provide our services and for any period thereafter as legally required or permitted by applicable law. This means that, in some cases, we may be required to retain your Personal Information for a period following termination of your relationship with us. Our retention policies reflect all applicable domestic and international law, including relevant statute of limitation periods and other legal requirements.

9. COOKIES

Cookies may be used on some pages of our sites. In many cases, the information we collect using cookies and other tools is only used in a non-identifiable way, without any reference to Personal Information. For example, we use information we collect about all website users to optimize our websites and to understand website traffic patterns. In some cases, we do associate the information we collect using cookies and other technology with your Personal Information. This Privacy Statement applies to the collection and use of any Personal Information that is obtained using cookies and otherwise.

What is a cookie?

A cookie is a text file unique to you that is related to your computer or mobile device and that can be picked up by a server, allowing a website to pick up things such as your preferences, what is in your shopping basket or that allows the website to recognize you when you return. This information helps a website to dynamically generate web content and design web functionality specifically for its users and enables it to provide you with a customized experience each time that you visit.

What types of cookies does PRGX use?

Most common technologies such as cookies, pixel tags, browser analysis tools, server logs and web beacons are used on most PRGX websites. Pixel tags and web beacons are tiny graphic images placed on website pages or in emails that allow us to determine whether you have performed a specific action. When you access these pages, or open or click on an email, the pixel tags and web beacons generate a statement of that action. These tools allow us to measure response to our communications and improve our web pages and promotions.

PRGX may use flash cookies (also known as Local Stored Objects) and similar technologies to personalize and enhance your online experience. The Adobe Flash Player is an application that allows rapid development of dynamic content, such as video clips and animation. We use Flash cookies for security purposes and to help remember settings and preferences. We do not use Flash cookies or similar technologies for behavioral or interest-based advertising purposes. To manage Flash cookies, you may visit Adobe’s website at Adobe Flash Player or visit www.adobe.com.

How do we collect information using cookies?

We collect many different types of information from cookies and other related technologies. For example, we may collect information from the device you use to access our website, your operating system type, browser type, domain, web page visits, web form fills, content clicks/view, email opens/clicks and other system settings, as well as the language your system uses and the country and time zone where your device is located. Our server logs may also record the IP address assigned to the device you are using to connect to the Internet. An IP address is a unique number that devices use to identify and communicate with each other on the Internet. We may also collect information about the website you were visiting before you came to a PRGX website and the website you visit after you leave our site.

Can cookies and tracking be disabled?

In most cases, if you prefer not to allow the use of cookies or related technologies, you can manage cookie preferences and opt-out of having cookies and other tracking technologies used by adjusting the settings on your browser. In most cases, “Do Not Track” (DNT) is a web browser setting that send a signal to other websites, plug in providers, ad networks, and the like, to stop tracking your activity. All browsers are different, so please visit the “help” section of your browser to learn about the privacy settings that may be available. Please be advised that disabling cookies may result in limited functionality on our sites.

IP Addresses.

The website captures usage information such as: date and time of webpage visit, referring address (location from which a visitor comes to the website), type of Internet browser, and visitor’s IP address and DNS name, web form fills, content clicks/views, email opens/clicks. This information helps us to support and improve the operation of the website.

10. YOUR PERSONAL INFORMATION RIGHTS

You have certain rights with respect to our processing of your Personal Information, which include:

(1) Access, Correction and Transmission: You may reasonably access the Personal Information pertaining to you that is on file with us. You also have the right to request that we correct incomplete, inaccurate or outdated Personal Information. To the extent required by applicable law, you may also request that we transmit Personal Information you have provided to us to you or to another company.

(2) Information About Data Processing: You may request details about how we process Personal Information, including the categories of Personal Information we have collected, the categories of sources for Personal Information we collect, the business or commercial purposes for collecting Personal Information, and the categories of third parties with which we share Personal Information.

(3) Objection: We respect your right to object to any uses or disclosures of your Personal Information that are not (i) required by law, (ii) necessary for the fulfillment of a contractual obligation, or (iii) required to meet legitimate interests of PRGX (such as general administration disclosures for auditing and reporting purposes, internal investigations, management of network and information systems security, or protection of our assets). If you do object, we will work with you to find a reasonable accommodation. You may also withdraw your consent at any time in relation to our processing of Personal Information based on your consent. In addition, you may always object to the use of your Personal Information for direct marketing purposes, including related profiling activities. Also, in case you have specific reasons that relate to your situation, you may object to our processing of your Personal Information based on our legitimate interests.

(4) Deletion: You may request the deletion of your Personal Information as provided by applicable law. This applies, for instance, where your information is outdated; where the processing is not necessary or is unlawful; where you withdraw your consent to our processing based on such consent; or where we determine we should accommodate an objection you have raised to our processing. In some situations, we may need to retain your Personal Information pursuant to our legal obligations or for the establishment, exercise or defense of legal claims. (5) Restriction of Processing: Similarly, and where provided by applicable law, you may request that we restrict processing of your Personal Information while we are answering your request or complaint pertaining to (i) the accuracy of your Personal Information, (ii) our legitimate interests to process such information, or (iii) the lawfulness of our processing activities. You may also request that we restrict processing of your Personal Information if you wish to use the Personal Information for litigation purposes.

If you wish to exercise these rights, you may contact the PRGX Privacy Office as described below in the “How to Contact Us” section or, complete the Personal Information Rights Request Form on our website. Where reasonable, we will accommodate your request and use reasonable efforts to respond to requests in a timely manner. In some situations, we may refuse to act, charge a reasonable fee or impose limitations on your rights if, for instance, your request is likely to adversely affect the rights and freedoms of PRGX or others, prejudice the execution or enforcement of the law, interfere with pending or future litigation, or infringe applicable law. In all cases, you have a right to file a complaint with the applicable Data Protection Authority.

We assume that our clients have provided any notice required for PRGX to process Personal Information they provide to us, consistent with this Statement, and will provide further notice of any uses or disclosures that are materially different from those described in this Statement. Please note that if you wish to exercise any of your rights in relation to Personal Information we process on behalf of our clients we recommend that you contact the client directly. If you need assistance, please contact us and we will reasonably request our clients to correct, amend or delete any erroneous information, subject to their own policies and instructions.

Where reasonable, we will accommodate your request. However, PRGX may charge a reasonable fee or refuse to act on a request if it is manifestly unfounded or excessive in particular because of its repetitive character. In some situations, PRGX may refuse to act or may impose limitations on your rights if, for instance, your request is likely to adversely affect the rights and freedoms of PRGX or others, prejudice the execution or enforcement of the law, interfere with pending or future litigation, or infringe applicable law. In all cases, you have a right to file a complaint with the applicable Data Protection Authority.

To obtain PRGX’s Personal Rights Request Forms, please contact the PRGX privacy office at privacyoffice@prgx.com

11. YOUR OBLIGATIONS

Bear in mind that you are responsible for the accuracy of your Personal Information. Please let us know when changes to your Personal Information are needed by contacting us through the “How to Contact Us” section and in accordance with applicable law. We will use reasonable efforts to respond to all such requests in a timely manner.

12. ENFORCEMENT

In compliance with appliable EU and UK data protection laws, PRGX commits to resolve complaints of individuals covered under such laws regarding our processing of their Personal Information. Such individuals with inquiries or complaints should first contact PRGX at: privacyoffice@prgx.com. We will respond to your inquiry or complaint within the timeframes set forth in such applicable laws, and if not specified, within 45 days.

For unresolved privacy complaints relating to such Personal Information, PRGX has further committed to cooperate with any applicable dispute mechanisms established by EU and UK regulatory authorities, including local data protection authorities, and to provide this recourse free of charge. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, please contact such applicable regulatory authority directly for further information.

13. INFORMATION ABOUT CHILDREN

We do not knowingly provide products or services to or solicit Personal Information from children under the age of 18.

14. SOCIAL SECURITY NUMBERS

In some cases, PRGX collects Social Security Numbers, mainly in the U.S., in the ordinary course of its business, such as from our employees, as well as in certain records we process for our clients. We have implemented reasonable technical, physical and administrative safeguards to protect the Social Security Numbers. All our employees are required to follow these established procedures. Access to Social Security Numbers is limited to those employees and service providers with an approved business need to access the information to perform tasks for us and our clients.

Social Security Numbers are only disclosed to third parties in accordance with our established policies. We only disclose Social Security Numbers to (i) those service providers, auditors, advisors, and/or successors in interest who are legally or contractually obligated to protect them or (ii) as required or permitted by law.

For Personal Information that PRGX USA, Inc. receives from the EEA or the UK, PRGX USA, Inc. has committed to handling such Personal Information in accordance with all applicable data protection laws and applicable Standard Contractual Clauses.

15. ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS

The California Consumer Privacy Act (“CCPA”) requires businesses that collect Personal Information of California residents to make certain disclosures regarding how they collect, use, and disclose for certain categories of Personal Information. This section addresses those requirements. For a description of all of our data collection, use and disclosure practices, please read our Privacy Statement in its entirety.

The categories of Personal Information we collect about you are as follows:

• Customer Records and Identifiers (such as your name, mailing address, telephone numbers, email address or other addresses that allow us to send you messages, tax identification number, and IP address);

• Commercial Information (such as products or services purchased or the types of products and services that may interest you);

• Internet Activity Information (such as your interactions with our website);

• Protected Classifications (such as age or other demographic data);

• Visual or Audio Information (such as visual or audio recordings necessary for the security of our premises);

• Professional and Employment-Related Information; or

• Inferences drawn from any of the above information categories.

We disclose the above categories of Personal Information for certain “business purposes,” such as disclosures to service providers and vendors that assist us with securing our services or marketing our products. We do not sell Personal Information.

The “Information We Collect” section of this Statement describes the categories of sources from which we collect your Personal Information. “How We Use Your Personal Information” describes the purposes for which we collect your Personal Information. “Disclosures of Personal Information” sets forth the types of third parties with which we share your Personal Information.

California law grants state residents certain rights, including the rights to access specific types of Personal Information, to learn how we process Personal Information, to request deletion of Personal Information, and not to be denied goods or services for exercising these rights. For more information on how to exercise your rights, please refer to Section 10 of this Privacy Statement. If you are an authorized agent wishing to exercise rights on behalf of a California resident, please contact us at privacyoffice@prgx.com and provide us with a copy of the consumer’s written authorization designating you as their agent. We may still require consumers to directly verify their identify and confirm that they provided you permission to submit the request.

16. CHANGES TO THIS STATEMENT

As specified, we may decide to make changes to this Statement from time to time. The changes made in the past include the following:

January 20, 2010: As part of the launch of our new PRGX website, the “Cookie” section of this Statement has been updated to reflect new and limited uses of cookies which are used to monitor the traffic and use within our site as well as to enhance web content and functionality. Cookies on our site do not collect Personal Information.

October 10, 2014: PRGX’s Global Privacy Statement was updated to reflect compliance with U.S. and international data protection laws and regulations including the European Union Data Privacy Directive, Mexico’s Federal Law Protecting Personal Data, and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).

June 10, 2015: The “Cookie” section of PRGX’s Global Privacy Statement was updated to reflect new and limited uses of cookies, and other similar technologies, which will be used to associate web activity with limited Personal Information to personalize and enhance user experience. In addition, information regarding users’ ability to opt-out of cookie usage was added to the Cookie section of this Statement.

July 1, 2016: Updated the introductory section to reflect the European Court of Justice’s decision on October 6, 2015 whereby Safe Harbor was deemed invalid.

September 20, 2016: Updated Statement to reflect certification under the EU-U.S. Privacy Shield Framework.

August 8, 2017: Updated Statement to reflect Lavante Inc. as a covered entity under the PRGX Global, Inc. Global Privacy Statement.

May 25, 2018: Updates related to collection, use, disclosure, transfers, and protection of Personal Information as well as updates regarding your Personal Information rights to reflect the entry into force of the EU General Data Protection Regulation.

September 24, 2019: Updated to ensure Statement remains compliant with the Privacy Shield Principles after the UK’s withdrawal from the EU. November 11, 2021: Updated to reflect the European Court of Justice’s invalidation of EU-US Privacy Shield Framework and to add CCPA compliance requirements.

17. HOW TO CONTACT US

Questions about this Statement, or requests in relation to Your Personal Information Rights section above may be sent by email to privacyoffice@prgx.com or by contacting:

Attention: Alicia Jackson

Data Protection Officer & Vice President, Global Privacy and Security

200 Galleria Parkway, Suite 450
Atlanta, GA 30339
USA

770-779-3042

alicia.jackson@prgx.com

This Statement was last updated on November 11, 2021.

©2021 PRGX Global, Inc. All rights reserved. Many of the trademarks and service marks appearing on this website are registered trademarks. Use of this site is subject to certain Terms of Use which constitute a legal agreement between you and the Company. By using this site, you acknowledge that you have read, understood, and agree to be bound by the Terms of Use. Please review the Terms of Use; and if you do not agree to the terms, please do not use this site

Have some concerns or questions? Email our support team today.