Ariba Privacy Statement

ARIBA PRIVACY STATEMENT

Ariba offers products and services in the business-to-business market sector. As such, when Ariba does collect information about an individual (that is, personal information), it is generally only related to that person's role at his or her company, and is not related to him/her as a private person or as an individual consumer. This document describes Ariba's policy for handling, processing, storing, and otherwise treating personal information submitted to certain Solutions (defined below).

Ariba Customers may be referred to as "Buyer" or "Supplier" throughout this document. Individual users of the Solutions (whether employees of the Buyer or Supplier organizations) collectively and individually may be referred to as "you" and "your" throughout this document.

Contents
Definitions

Personal Information Data Handling and Privacy

Questions (including TrustE Statement)
Miscellaneous

Definitions

"Solution" means the Ariba service which includes a link to this Privacy Statement, including:

  1. the Ariba Network ("AN") (including the "Supplier Connectivity" offering) (https://service.ariba.com),
  2. the Ariba hosted On-Demand Basic and On-Demand Professional offerings (also called, "Ariba Technology Features", "Ariba OnDemand Solutions", or "Ariba Application Services" ) (https://s1.ariba.com),
  3. project management, market execution, and strategic procurement services provided by Ariba's global sourcing team ("Ariba Sourcing Services"), and
  4. Ariba Hosting Service(s) (accessible via customer-specific URLs).

"Trading Partner" means an entity with which a Buyer or Supplier transacts using the Solution.

Personal Information Handling and Privacy

Personal Information
"Personal Information" is a person's name and information associated with his or her personal identity as opposed to information associated with a business. Personal Information, such as name, business address, business email, and individually used corporate credit card number, may be required for use of some features of the Solution, such as Ariba's Travel and Expense service. If you do not want to provide Personal Information to Ariba or wish to have Ariba remove your Personal Information from the Solution, please contact your employer's Ariba Account Administrator to find out if there is an optional way for you to perform the applicable business function without submitting Personal Information.

Buyers may have the ability to use the Solution to track which of their Trading Partners have special ownership status or meet certain other criteria. If a Supplier objects to submitting this summary information to a Buyer via the Solution, please contact the Buyer directly to investigate options.

"Sensitive Personal Information" means government id numbers or financial account numbers associated with individual persons (e.g. U.S. Social Security numbers, driver's license numbers, or personal credit card or banking account numbers), and medical records or health care claim information associated with individuals, including claims for payment or reimbursement for any type of medical care for an individual.

Use of Personal Information by Ariba
Ariba will treat Personal Information as confidential and will use it only to: facilitate operation of the Solution and its related services; enhance use of the Solution and its related web pages; perform internal tracking and Solution improvement; enable us to contact you; process requested transactions through the Solution (including use of templates and document creation); and analyze the volume and history of a company's Solution usage. Some of our Solution areas utilize cookie technology for these same purposes. You may configure your browser to reject cookies, but this may affect your ability to utilize our Solution to the same extent as a user who accepts cookies. We do not link the information we store in cookies to Personal Information you submit while using the Solution.

Other Corporate Entities
Ariba may share Personal Information with our global affiliates, parent, subsidiaries, agents and integrated service providers ("Affiliates") that cooperate to provide the Solution and related services to you, throughout the world. Our Affiliates follow practices no less protective of all users of the Solution than our practices described in this policy, to the extent allowed by applicable law. If Ariba and/or its Affiliates were to one day merge with or be acquired by another business entity you should agree that Ariba may share some or all of your Personal Information in order to continue to provide the Solution. You will receive notice of such an event (if it occurs) and we will require that the new combined entity follow the practices disclosed in this policy.

Consent
By submitting Personal Information to the Solution, you are consenting to Ariba's collection, processing, storage, and use of that information in accordance with this policy. Before providing, Personal Information to the Solution, obtain that individual's consent for the collection, transfer, processing, and use of that information in accordance with this policy (as well as the Terms of Use for the Ariba Network, if using the AN).

Transfer
The Solution is primarily located in and operated from the United States. The Controller of personal data processing through the Solution is Ariba, Inc. headquartered at 910 Hermosa Court, Sunnyvale, CA 94085. By submitting data to the Solution, you consent to having such data transferred to the United States and other Solution operation locations selected by Ariba, and Ariba's authorized service providers. Ariba Affiliates controlled by Ariba, Inc. are located inside and outside the European Economic Area. Any transfer of Personal Information from the European Economic Area to Ariba Affiliates located in countries outside the European Economic Area, which may not provide for an adequate level of data protection within the meaning of the European Data Protection Directive, will be subject to a confirmation by Ariba that adequate safeguards are in place under the U.S. Department of Commerce Safe Harbor program or a so-called data transfer agreement based on standard contractual clauses, as approved by the European Commission.

Correcting Account Information (Exercising Your Right to Access Personal Information)
You have a right to access and modify your Personal Information and to delete your Personal Information, subject to constraints identified below. To exercise these rights, Ariba has procedures to allow you to update Personal Information in a timely manner. In most Solutions, the administrative contact for your company can directly change most contact information by logging on to the Solution and managing your account profile directly. For certain Solutions, changes may be requested by calling Ariba customer support.

Deletion of your Personal Information may require approval by your employer (e.g. expense report data) and may require Ariba assistance. Some requests to delete data must be made to Ariba through the administrative contact for your company.

Ariba may refuse to give access to the Solution for legitimate reasons including delinquent payments on the account, a legal dispute, or security concerns. If you are unable to correct, update, or delete your personal information due to the fact that you are no longer an employee of the business that is the account holder, or your account has been terminated, you may contact the Ariba Privacy Coordinator at the address provided below. In each case, Ariba will take reasonable measures to accommodate your request or respond in writing with the legal basis for denying the request within thirty (30) days.

Disclosure by Ariba to Third Parties
Ariba does not provide your Personal Information to third parties, except as described elsewhere in this policy and in our contracts with our Customers, unless (1) you request or authorize it; (2) such disclosure is necessary to process transactions or provide services which you have requested (e.g., PCARD processing with credit card companies or settlement services with banks, or employee travel reservations via an integrated travel services provider); (3) Ariba is compelled to do so by a governmental authority, regulatory body, or under subpoena or similar governmental request or to establish or defend a legal claim; or (4) the third party is acting as our agent or sub-contractor in performing services (e.g., Ariba's use of a third party telecommunications provider).

Security
Ariba uses industry standard security measures to protect Personal Information from unauthorized disclosure. Ariba takes steps to appropriately safeguard credit card and remittance information using recommended industry encryption methods. We've designed our services so that these categories of information can only be viewed from within the Solution. We offer you the use of roles to limit access to the users with a need to see such information. Please see our Security Disclosure for information about the measures Ariba takes to address the security of the Solution and the protection of your Personal Information. Information about Ariba's participation in the WebTrust Program can be found at http://www.ariba.com/legal/ariba_webtrust.cfm. General information on the WebTrust Program can be found at http://www.webtrust.org/.

Data Retention
Ariba will retain Personal Information in active databases for varying lengths of time depending upon the specific Solution, type of data, and applicable law. The policy regarding data retention for each Solution is set forth in the documentation or terms for each Solution. Consistent with Ariba's backup and storage procedures and due to the close integration of data with the Solution, Personal Information might be stored by Ariba in backup logs and files for the duration necessary for legal requirements or the purposes described in this policy. However, Ariba makes no commitment to indefinitely store such data. During your subscription to the Solution, you will be able to access your Personal Information for a certain period based on the particular Solution that you purchased and the policies for the Solution and we suggest that inquiries be directed through the administrative contact for your company and directed to the Ariba Privacy Coordinator at the address designated below.

Changes to this Policy
From time to time Ariba will need to make changes to this policy. Some of the changes will be in response to changes in applicable laws and regulations. In addition, as Ariba adds new features and new services to a Solution, Ariba will continue to handle Personal Information consistently with this policy, but some changes or clarifications may be required.

If Ariba seeks to make a material change to Ariba's policy to allow use of Personal Information for a new, legitimate business purpose, Ariba will document the change to this policy, note the date of the last update at the bottom of the policy, and send a notice to the administrative contacts on file with Ariba for each Buyer and Supplier. You are encouraged to check this policy occasionally to stay informed of any changes in our policies and procedures regarding Personal Information. For substantial and material changes to the this policy, Ariba will use reasonable efforts to provide notification to all affected users and suggest that such users review the updated policy.

Safe Harbor Program
With regard to the Ariba Network, the Ariba OnDemand Solutions, and the Ariba Hosting Service, Ariba has formally joined the Safe Harbor Program managed by the U.S. Department of Commerce and has committed to abiding by the Safe Harbor privacy principles for the collection, use, and retention of personal data from the European Union and Switzerland. For more information about Safe Harbor or to access Ariba's certification statement, go to http://www.export.gov/safeharbor/.

Questions
If you have questions about this policy, please send an e-mail to privacy@ariba.com attn: Ariba Privacy Coordinator, or send written correspondence to Ariba Privacy Coordinator, Legal Department, Ariba, Inc., 910 Hermosa Court, Sunnyvale, CA 94085.

Ariba, Inc. is a licensee of the TRUSTe Privacy Program. TRUSTe is an independent, non-profit organization whose mission is to build users' trust and confidence in the Internet by promoting the use of fair information practices. The "Personal Information Handling and Privacy" section of this policy covers the Solutions (and web sites) identified above under the definition of "Solution" (https://service.ariba.com, https://s1.ariba.com, https://www.sourcingservice.com), and customer-specific URLs) Because these web sites want to demonstrate Ariba's commitment to your privacy, Ariba has agreed to disclose its information practices and have its privacy practices reviewed for compliance by TRUSTe.

If you have questions or concerns regarding the Personal Information Handling and Privacy section of this policy, you should first contact your company's administrator or the Ariba Privacy Coordinator listed above (privacy@ariba.com). If you do not receive acknowledgment of your inquiry or your inquiry has not been satisfactorily addressed, you should then contact TRUSTe at http://www.truste.org/consumers/watchdog_complaint.php. TRUSTe will then serve as a liaison with Ariba to resolve your concerns regarding the handling of your Personal Information.

Miscellaneous
The English version of this policy shall govern in the event of any conflict or substantive translation changes into a non-English language.

Ariba has other privacy policies. This document is the Ariba Privacy Statement and is targeted at individuals who are users of specific Ariba products and services. Ariba also has an internal Privacy Policy targeted at its employees, contactors, etc., and a separate Privacy Policy for its internet facing marketing websites and community information exchange sites (e.g. www.ariba.com and exchange.ariba.com). Certain of Ariba subsidiaries also have separate privacy policies. These other policies are separate and distinct from the activities governed by this policy.

Country-Specific Terms
Italy:This Privacy Statement for the data processing of the data subject (that is, the section entitled "Personal Information Handling and Privacy" above plus this clause) is provided according to Section 13 of the Italian Data Protection Code, Legislative Decree no. 196 (June 30, 2003) consolidated ("Italy Privacy Code"). Ariba, Inc. hereby informs you that the processing of your personal data through the Solution as defined above will be performed according to this Privacy Statement and in compliance with the Italy Privacy Code. The Controllers of the data processing are Ariba, Inc., 910 Hermosa Court, Sunnyvale, CA 94085, USA and your employer. If you have questions or concerns about this policy, you may contact Ariba using the email address as identified above or by written correspondence to the local Italian privacy representative for Ariba at: Mark Lubienski, Ariba Italia Srl, Largo G. Tartini, 3/4, 00198 Roma, Italy.

******

Ariba Privacy Statement v1 April 15, 2011

(Address update September 1, 2011)