Pentaho Corporation

SAFE HARBOR PRIVACY POLICY

Pentaho Corporation and its affiliates under direct control (hereafter referred to as “Pentaho”) is committed to protecting your privacy, and values the confidence of its customers, business partners, applicants for employment, employees and others who may use its services. Pentaho has put in place internal procedures to ensure that your personal information is processed responsibly and in accordance with applicable data protection/privacy laws. Pentaho has a tradition of upholding the highest ethical standards in its business practices. This Safe Harbor Privacy Policy (“the Policy”) sets out the privacy principles that Pentaho follows with respect to transfers of personal information from the European Economic Area (“EEA”) and Switzerland to the United States.

To learn more about our privacy practices, please see our Privacy Statement at http://www.pentaho.com/privacy.

SAFE HARBOR OVERVIEW

Pentaho Corporation complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Pentaho Corporation has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view Pentaho Corporation’s certification, please visit http://www.export.gov/safeharbor/

SCOPE

This Policy applies to all personal information, either in electronic or paper format, received by Pentaho in the United States from the EEA and Switzerland.

PRIVACY PRINCIPLES

1. Notice. When Pentaho collects personal information, it will give timely and appropriate notice about the purposes for which it collects and uses personal information, the types of non-agent third parties to which Pentaho discloses that information and the choices and means, if any, Pentaho offers individuals for limiting the use and disclosure of their personal information.

2. Choice. Should Pentaho wish to share personal information, Pentaho will provide choices about the ways it uses and shares personal information, and it will respect the choices made.

3. Relevance. Pentaho will collect only as much personal information as is needed for specific, identified purposes. Such information will not be used for other purposes without obtaining consent.

4. Retention. Pentaho will keep personal information only as long as needed for the purposes for which it was collected, or as permitted by law.

5. Accuracy. Pentaho will take appropriate steps to make sure the personal information in its records is accurate.

6. Access. Pentaho will provide ways for users to access personal information, as required by law, in order to correct any inaccuracies.

7. Security. Pentaho will take appropriate physical, technical, and organizational measures to protect personal information from loss, misuse, unauthorized access or disclosure, alteration, and destruction.

8. Sharing. Except as described in this policy, Pentaho will not share personal information with non-agent third parties without consent.

9. International Transfer. If Pentaho transfers personal information to another country, it will take appropriate measures to protect the privacy of the personal information being transferred.

10. Enforcement. Pentaho will regularly review how it is meeting these privacy promises, and will provide an independent way to resolve any complaints about its privacy practices.

DISPUTE RESOLUTION and PRIVACY COMPLAINTS

Any questions or concerns regarding the use or disclosure of personal information should be directed to the Pentaho Data Protection Officer at the address given below. Pentaho will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information, in accordance with the principles contained in this Policy.

For complaints that cannot be resolved between Pentaho and the complainant, Pentaho has agreed:

a) To participate in the dispute resolution procedures established by the EU Data Protection Authorities to resolve disputes pursuant to the Safe Harbor Principles in respect of personal information received from the EEA, and

b) For personal information received from Switzerland, Pentaho will cooperate with and comply with any advice given by the Swiss FDPIC, in the investigation and resolution of complaints brought under the US – Swiss Safe Harbor.

CONTACT INFORMATION

Questions or comments related to this policy should be submitted to the Pentaho Data Protection Officer by mail as follows:

Data Protection Officer: Anthony Carter

Pentaho Corporation

5950 Hazeltine National Drive, Suite 460

Orlando, FL 32822-5023, USA

LIMITATIONS

Pentaho’s adherence to the Safe Harbor Principles may be limited by any applicable legal, regulatory ethical or public interest consideration and as expressly permitted or required by any applicable law, rule or regulation.

CHANGES TO THIS POLICY

Pentaho may update its Safe Harbor Privacy Policy from time to time and consistent with the requirements of the Safe Harbor Principles. When the policy is changed in a material way, a notice will be posted on our website along with the updated Safe Harbor Privacy Policy.

EFFECTIVE DATE

This Policy is effective as of November 7, 2013.