
Page 1: TIBCO Personally Identifiable Information Policy Revision ...el.lawroom.com/comp_policy/3367_Policy_405v2.pdf · TIBCO legal representative if you are unsure as to the laws that apply

Page 1 of 8

TIBCO Personally Identifiable Information Policy

Revision 2-10242012

1. Purpose

TIBCO’s Personally Identifiable Information Policy (“PII Policy”) has been developed to guide employees regarding the circumstances under which Personally Identifiable Information (“PII”) belonging to our customers may be acquired by TIBCO and the rules that TIBCO applies to the handling and use of such PII once it has been acquired. This policy is applicable only to customer-owned PII, in any form, that either originated in, or was transferred into the United States; PII that did not originate in, or does not enter the United States may not be subject to this Policy, but is likely to be subject to similar laws of the country in which it originated. Please check with your TIBCO legal representative if you are unsure as to the laws that apply to particular PII. Furthermore, this Policy does not apply to similar data concerning TIBCO employees that is created or maintained by TIBCO in the ordinary course of business and is subject to other policies.

All employees of TIBCO, including its subsidiaries and affiliates (collectively, “the Company” or “TIBCO”), whose positions may result in access to PII are required to read and understand this PII Policy, comply with these and all other applicable policies and procedures, and ensure that all agents and contractors who may be provided access to PII are aware of, understand and adhere to this Policy. You should contact the Legal Department if you have any questions regarding this Policy. It is TIBCO’s policy to investigate and address all circumstances in which there is a possibility that PII entrusted to TIBCO or our contractors by our customers may have been acquired, accessed, used, or disclosed in a manner that is inconsistent with Federal or state statutes and regulations, or TIBCO’s policies, codes, or procedures.

We are committed to continuously reviewing and updating our policies and procedures. Therefore, this PII Policy is subject to modification. In the event of conflicts between this Policy and future modifications, the latest modification will control.

2. Introduction – What Is PII And Why Does It Matter?

PII is information that we receive from a business partner about individuals that normally would be confidential and that contains data from which the identities of the individuals could be determined. PII includes confidential information found in health care, financial, and government records, such as: social security numbers; bank account numbers; age; race; salary; home or office telephone numbers; military rank; marital status; and other demographic, biometric, personal, medical, or financial information. PII does not include contact information for a business partner’s employees that is provided for the purpose of allowing us to conduct routine business with that partner (e.g., business card information).

Depending upon the type of PII at issue, federal, state and local laws may govern: the uses that can be made of such information; the manner in which the handling of such information must be documented; the security that must be afforded the information; and the rights of an individual to an accounting of each access or use that was made of his or her PII. Applicable laws such as HIPAA/HITECH (for health care records) and the Gramm-Leach-Bliley Act (for financial records) require that a holder of PII document each person who viewed, accessed or obtained knowledge of the information; each copy made of the information; each use of the information; and evidence of the proper destruction of each copy of the information. HITECH grants the individual who is the subject of the record the right to demand an accounting of all storage, access and use of his or her information from any company that received it. Many laws require notification of government regulators in the event of an improper disclosure or loss of PII and some require notification of the media. Fines and remediation costs incurred by companies for violations of PII regulations routinely amount to millions of dollars and criminal liability can attach to individuals for violation of laws governing PII access or use.

Because of the risks inherent in holding such information, our Company policy is not to accept PII from a third party unless absolutely necessary and not until after all necessary controls have been put into place to isolate and protect the PII while it is in our Company’s hands.
Before entering into a business transaction that will require the Company to accept such information, it is the responsibility of the business team, working with groups that include Legal, Operations, IT, Support and Services to insure that all necessary controls are in place to allow the Company to satisfy its obligations under both the applicable contract and the law.

If you become aware of, or suspect that an unauthorized acceptance, use, disclosure or loss of personally identifiable information has occurred, you are required to report this event. Reports may be made, without fear of reprisal, threats, retribution or retaliation, through any of the whistleblower channels described in our Code of Business Conduct and Ethics, to TIBCO’s Privacy Officer, and through the EthicsPoint hotline and the www.ethicspoint.com site, where a special form is available for reporting PII matters.

Safeguarding PII is critical to our business. Violations of law, this PII Policy, or other Company policies or procedures governing the acquisition, access, use, transmission or disposition of PII may lead to disciplinary action up to and including termination. If you are unsure about your obligations under this policy, please seek assistance in interpreting the requirements of these practices by contacting the Legal Department.

3. General Rules

In its normal course of operations, TIBCO does not maintain, process or utilize PII during the provision of services related to TIBCO’s software products, and only accesses such PII while on customer premises via the customer’s own networks and systems during the provision of consulting services. Where an exception to these rules is required, the provisions of Sections 4 and 5 of this Policy shall be followed.

In the provision of Maintenance, where prior approval has been obtained from the head of Support services, TIBCO may take possession of PII where a problem report related to TIBCO software products is submitted by the customer as part of a service request to the TIBCO Technical Assistance Center. In such cases, the responsible Maintenance team personnel shall promptly determine whether possession of the PII is necessary to address the customer’s issue. If it is determined that possession or retention of the PII is not necessary to address the customer’s issue, the PII immediately shall be deleted from TIBCO’s IT systems and a notification shall be sent to the customer informing it of the destruction of the PII and of TIBCO’s determination that PII is not needed to address the customer’s service request. If it is determined that PII is needed for the performance of the Maintenance service, the PII shall either immediately be de-identified (i.e. protected information elements within the PII are deleted), or it shall be stored in a secured and safe location and such handling of the PII shall be documented (see Section 5, below). TIBCO has acceptable levels of encryption and passwords to protect email and its own internal systems.
When providing on-site consulting services related to TIBCO software products, TIBCO personnel are not authorized to retain PII in whole or part in any form (e.g., printed paper, an electronic file on a TIBCO laptop, a memory stick or a thumb drive), to disclose PII to third parties, or to allow PII to leave the customer premises, systems or networks either physically or electronically. Remote access by TIBCO personnel to networks or systems of customers that maintain, process or utilize PII in connection with their implementation of TIBCO software products is strictly prohibited unless the customer can guarantee such access will not include inadvertent exposure or the introduction of PII into TIBCO’s networks or systems.

4. Corporate Approval To Accept PII

Where a customer transaction will require the acceptance by TIBCO of PII, an agreement shall be executed with the customer detailing: the nature of the PII involved; the form in which the PII shall be provided to and maintained by TIBCO; the uses to which the PII shall be put and/or the nature of the services to be performed; an agreed destruction schedule for the PII; and any other necessary information. The agreement shall contain warranties that the customer shall provide TIBCO with only the minimum PII necessary for TIBCO’s performance of its obligations, and that the customer has the right to provide the PII to TIBCO. The agreement shall also contain an indemnification of TIBCO for a breach of these warranties.

Execution of the agreement by TIBCO shall not occur until such time as the business unit(s) requesting the agreement have documented how compliance with the PII handling requirements (see Section 5, below) shall be achieved. Such documentation shall be subject to review and approval; reviewers may include TIBCO’s Legal Department, IT Department, Engineering Department, Support Group, Professional Services Group, Privacy Officer, Security Officer, Privacy Committee, and/or other corporate stakeholders. PII shall not be accepted by TIBCO prior to the execution of the required agreement; non-disclosure agreements, teaming agreements, and standard confidentiality provisions do not satisfy this requirement for an agreement and shall not be used as the basis for accepting PII.

5. PII Handling Requirements

As already noted, the receipt, access, use, and disposition of PII is governed by numerous laws and regulations. Essentially, these authorities require that PII be transmitted, maintained and utilized in a secure and accountable manner to protect the privacy, financial, and other rights of the individuals to whom the PII pertains.
They also require that access to PII be strictly controlled and limited to those employees with a valid need to know. The following requirements for handling PII within TIBCO are general in nature and are provided for acquainting employees with the overarching considerations that apply when dealing with PII. A set of detailed, specific requirements can be found in the TIBCO Regulatory Guide for Handling Personally Identifiable Information, which is available on insideTIBCO.

A. Receipt of PII

PII shall only be provided to TIBCO in encrypted, electronic form. Unencrypted PII shall not be accepted and shall be destroyed immediately, with notice provided to the sender. PII shall not be accepted in paper form. Upon receipt of PII, the TIBCO employee responsible for PII management for the project immediately shall record in a log the receipt of the PII. The log entry shall identify the customer that provided the PII, the TIBCO employee who received the PII, the date of receipt, and the initial disposition (storage, upload, destruction, etc.), and shall include a reasonably detailed description of the PII received.

B. Handling of PII

While in TIBCO’s possession, all activity regarding PII shall be recorded in the log referenced in Section 5A, above. Activities that must be logged include each time the PII was:

• accessed (including: the identity of the accessing employee; the date of access; the reason for access; and a description of any changes made to the PII while accessed);

• transmitted (including: the identities of the sender and recipient(s); the date of transmission; the reason for transmission; the method of transmission; and the security utilized (e.g., encryption) for transmission);

• utilized (including: the identity of the person(s) utilizing the PII; the date of utilization; and the manner in which the PII was utilized);

• destroyed (including: the identity of the person performing the destruction; the extent of the destruction (e.g. all known copies or some subset thereof); the reason for the destruction; the process used to perform the destruction; and the date the PII was destroyed).

Access to any particular PII shall be restricted to those TIBCO personnel and contractors with a valid need to know the information and who have been instructed in, and have agreed to, TIBCO’s PII handling requirements, as supplemented by any specific contractual obligations. Personnel no longer requiring access to the PII must delete or surrender the PII in their possession and terminate future access to it. A right to access PII under one agreement does not carry over to PII obtained under a different agreement.

PII may only be used for the express purposes stated in the agreement under which the PII was received. No other use of PII is permitted, regardless of whether such other use would result in a disclosure of the PII. Under the law, PII is owned by the individual to whom it pertains; there are no exceptions in the law for “harmless” unauthorized uses of PII.

Reasonable steps shall be taken at all times to minimize the risk of access to PII by unauthorized personnel. When not being used, PII – and any media or devices containing it – shall be stored in locked rooms, locked desks, file cabinets, bookcases, or similar, secured containers. PII stored electronically on devices such as company issued laptops, Personal Digital Assistants (PDAs), and removable media is to be encrypted by IT Department-approved encryption methods, in addition to being physically protected when not under direct individual control. PII may not be accessed or displayed in public places, such as airports, airplanes, restaurants, etc. PII may not be accessed or displayed on public computers (e.g., those available for use by the general public in kiosks, hotel business centers, libraries or the like) or on computers that do not have access control. Employee owned computers and devices are not authorized for storing or processing PII.

Packages containing PII that has been printed to physical documents and/or media containing PII shall only be released for delivery to a courier service (such as Federal Express) that allows the tracking of the package and documents its receipt through recipient signature. Under no circumstance shall ordinary postal service be used for the delivery of packages containing PII.

Telephonic and/or fax transmissions of PII shall only be allowed when the sender is certain that the information will not be overheard or seen by unauthorized personnel at both the sender’s and the recipient’s locations. Transmission of PII by other electronic means (e-mail; internet file transfer; etc.) shall only be allowed when over secure networks and only with the use of encryption. Do not post PII to web pages that are publicly available or have access limited only by domain/IP restrictions. Do not post PII to social media or use social media tools to transmit PII (see TIBCO’s Social Media Policy). Where permitted by the customer, PII may be posted to web pages or sites that control access by user ID/password, user certificates, or other technical means, and which provide protection via use of secure sockets, or other equivalent technologies.
Posting PII to such web pages or sites constitutes transmission of PII under this policy and must be documented.

C. Contractor Access To PII

Where it is necessary to provide access to PII to a TIBCO contractor, and the agreement with the customer providing the PII allows such access, the PII shall not be made available to the contractor until such time as the contractor has entered into an agreement or contract amendment with TIBCO that incorporates the obligations regarding the PII from our contract with our customer. The contractor also must agree in writing to be bound by the requirements of TIBCO’s policies addressing PII and to indemnify TIBCO for any violations of our contract, our policies, and any applicable laws and regulations that concern PII. Where the PII involves healthcare information, it is likely that the contractor will need to execute a HIPAA Business Associate Agreement; templates for this agreement are available from your regional legal support.

D. Destruction of PII

Physical documents containing PII shall be destroyed either (1) by placing the PII into a secure, document destruction receptacle located in a TIBCO office, or (2) by crosscut shredding the document so as to render it incapable of being reconstructed. Where destruction shall occur through the use of a document destruction service, the service receptacle into which the PII is placed must be locked so as to render removal or recovery of the PII impossible. Destruction of electronic files shall be done using a state of the industry file destruction tool approved by the IT Department; such tool must be utilized in a manner approved by the IT Department to insure the complete destruction and non-recoverability of the electronic file(s).

6. Suspected Unauthorized Disclosures Or Loss Of PII

As briefly described in Section 2, above, many of the laws governing PII contain provisions requiring notice, reporting, investigation and remediation of unauthorized disclosures or losses of PII. Unauthorized disclosures include allowing others to see or be exposed to the PII where such persons were not intended recipients of the PII. This includes those TIBCO employees or contractors who were exposed or had access to the PII without a valid need to know. An unauthorized use of the PII (i.e. a use not contemplated by our contract with our customer) also would constitute an unauthorized disclosure, regardless of whether the employee utilizing the PII would otherwise have been entitled to access it.

Loss of PII can occur through the loss or theft of any media on which the PII was stored, regardless of whether the PII was the only information lost or was the object of the theft. For example, where a laptop containing PII is stolen, it does not matter that the thief’s interest was in the hardware itself and not the files on it. If you suspect or know of the unauthorized disclosure or loss of PII, it is essential that you report this immediately.
Reports can be made using the PII reporting form on the www.ethicspoint.com website or by any of the other methods of reporting possible violations described in the TIBCO Code of Business Conduct and Ethics. Reports will be reviewed by TIBCO’s Privacy Officer to determine whether, in fact, a reportable disclosure or loss of PII has occurred. In cases in which there is an absence of likely harm to the individual whose PII was involved (e.g., if a laptop with PII was lost, but the data was encrypted so as to be inaccessible to a finder), a report of a suspected unauthorized disclosure or loss may be closed without further action being required. However, in the event further action is required by contract, law or regulation, it is imperative that TIBCO learn of the suspected disclosure or loss as soon as possible since many of our contracts and applicable laws establish deadlines by which certain actions must be taken (e.g., notification of the individuals whose data was compromised).

7. Conclusion

Being entrusted with PII is a great responsibility, as misuse or careless handling of the information, regardless of intent, can cause great harm to the person whose life is detailed in that PII. For this reason, TIBCO takes very seriously its contractual and legal obligations to safeguard PII and utilize it only as our contracts permit. It, therefore, is the responsibility of every TIBCO employee and contractor to understand and abide by the restrictions governing access and use of PII, and to promptly report any suspected misuse or loss of PII. It not only is what the law requires, it is the right thing to do.


TIBCO Software Inc. 3303 Hillview Ave. Palo Alto, CA 94304 USA (650) 846-1000 (650) 846-1005 (fax)

Record Management Policy


Record Management Policy November 2008

- 1 -

Table of Contents

I. Policy ..... 2
II. Primary Objectives ..... 2
  A. Records Covered ..... 2
  B. Persons Covered ..... 2
  C. Basis for Retention ..... 2
III. Retention and Disposal ..... 4
  A. Retention ..... 4
  B. Annual Review and Disposition ..... 4
  C. More Frequent Review and Disposition ..... 4
  D. General Guidelines for Disposal ..... 4
IV. Email Retention ..... 5
V. Legal Hold ..... 6
VI. Compliance ..... 7

Schedules

Record Retention Schedule Part One (Records to be Routinely and Promptly Disposed of) ..... A-1
Record Retention Schedule Part Two (Required Retention Period for Certain Records by Department)
  Sales and Field Services ..... B-1
  Engineering ..... C-1
  Legal ..... D-1
  Shareholder Services ..... E-1
  Human Resources ..... F-1
  Facilities ..... G-1
  Finance ..... H-1
  Payroll ..... I-1
  Tax ..... J-1
  Treasury ..... K-1
  Investor Relations ..... L-1
  Information Technology ..... M-1
  Marketing ..... N-1


I. POLICY

This Record Management Policy (the “Policy”) of TIBCO Software Inc. (the “Company”) establishes a uniform system for identifying, retaining, protecting and disposing of Company records. The Policy is designed to insure that record retention practices throughout the Company adhere to legal, audit, management or operational and business requirements and are conducted in a consistent and cost-effective manner.

II. PRIMARY OBJECTIVES

The objectives of the Policy include:

• Identify corporate records

• Retain corporate records for periods consistent with legal, audit, management or operational and business requirements

• Dispose of corporate records pursuant to the Policy when there is no longer a legal, audit, management or operational or business reason to retain them

• Identify and safeguard records essential to the Company

• Develop and maintain adequate records to document the Company’s compliance with relevant laws

• Protect confidential and proprietary information by limiting access to such information

• Identify and retain records relative to any threatened or pending legal action, governmental investigation or audit until the Legal Department approves the lifting of the legal hold

• Apply the Policy to all forms of storage media

A. Records Covered

Records covered by the Policy include, but are not limited to, all recorded information relating to the Company and generated by the Company’s employees and independent contractors/consultants, regardless of the information’s medium or characteristics. Records include, but are not limited to: paper documents, electronic documents, computer hard disks, email, CD-ROMs, DVD-ROMs, floppy disks (or “memory sticks”), microfiche, microfilm and other media.

B. Persons Covered

All Company employees and independent contractors/consultants are subject to the Policy.

C. Basis for Retention


Most of the Company’s records do not require long-term retention. Records should be retained so long as they may be required to be kept pursuant to a legal, audit, or management or operational requirement, or so long as the records are necessary for a business purpose related to the Company’s current goals and current operations. It is the Company’s policy to comply with such legal, audit and management or operational requirements.

The attached Record Retention Schedule indicates the appropriate retention period for each type of record. All records are to be routinely and promptly disposed of according to the timetable indicated in the Record Retention Schedule. Records should not be disposed of before the prescribed retention period has expired, and records should not be retained for longer than their prescribed retention period. If no retention period has been set for a particular category of records, a retention period for those records should be developed by the applicable Department or Business Unit in conjunction with the Legal Department, and the Record Retention Schedule will be supplemented accordingly.

The meaning of “legal requirement,” “audit requirement” and “management or operational requirement” as used in the Policy is explained below.

A “legal requirement” means that:

• A specific federal, state or local law, statute or regulation requires the Company to retain the record;

• Important property rights (including intellectual property rights) that the Company has a legal obligation to protect are implicated; or

• The Company is aware of a specific threatened or pending legal action or governmental investigation for which the record must be retained.

When the Company receives notice of a legal action or governmental investigation prior to the date of a scheduled routine disposition of any record that might relate to the legal action or investigation, such records must be retained in their original forms (to the extent permissible). Because specific legal requirements regarding record retention may be triggered when a legal action or government investigation is threatened or initiated, any questions about the retention of records related to such legal action or investigation should be directed to the Legal Department. Specific legal advice is essential because the destruction of records related to a legal action or governmental investigation may give rise to negative legal consequences to the Company as a matter of law, even if the destruction occurs inadvertently. Additional information on this topic is described below under the heading “Legal Hold.”

An “audit requirement” refers to audits by taxing authorities, such as federal, state and local tax audits. All records needed for such audits are retained for the “current year plus seven (7) years,” a period long enough to cover typical limitation periods on the audit plus extensions.

Page 13: TIBCO Personally Identifiable Information Policy Revision ...el.lawroom.com/comp_policy/3367_Policy_405v2.pdf · TIBCO legal representative if you are unsure as to the laws that apply

Record Management Policy November 2008

- 4 -

A “management or operational requirement” refers to the specific needs of Company departments producing records of proprietary, technical or economic value to retain records for future operations of the Company. The mere fact that Company departments “might need certain records” does not necessarily render the records subject to a management or operational requirement warranting a longer retention period.

III. RETENTION AND DISPOSAL

A. Retention

The Company’s employees and independent contractors/consultants are responsible for complying with the Policy. The importance of individual compliance is described below under the heading “Compliance.” Although all records need to be retained pursuant to the attached Record Retention Schedule, the Company may not need to consistently refer to certain records while they are being retained. In such cases, and due to the finite amount of storage space available on Company premises, these records may need to be stored off-site. Any questions about off-site storage should be directed to the Facilities Department.

B. Annual Review and Disposition

Each department is to conduct, at least once a year, a formal record retention review. All employees and independent contractors/consultants must participate in this formal record retention review. As part of this review the Company will audit its record retention program and confirm the retention and disposition of records consistent with the Policy. On the attached Record Retention Schedule, retention periods are specified for record types and are generally expressed in terms of the number of calendar years to be added to the current calendar year. For example, if a record is classified as “current year plus two (2) years,” a record generated during 2009 should be retained during the remainder of 2009, as well as through 2010 and 2011, and then disposed of upon review.

C. More Frequent Review and Disposition

The Company does not expect employees and independent contractors/consultants to conduct a comprehensive review and disposition of records more often than once a year. When the Policy or the attached Record Retention Schedule calls for retention periods shorter than one year (e.g., email), those records should be disposed of either (1) systematically, such as through periodic purging of email, or (2) if systematic purging is not practical, opportunistically, e.g., by disposing of outdated materials as they are observed in files. Records that have no lasting value, such as memos, progress reports and other informal work papers not required to support final documents, should not be filed in the first instance, so as to alleviate record storage and retrieval problems.

D. General Guidelines for Disposal

Every employee is expected to participate in the annual record retention review under the supervision of the employee’s manager. Independent contractors/consultants are to participate in the annual record retention review at the direction of their principal contact within the Company. All disposed materials must be securely disposed of in a manner appropriate for each record, e.g., shredded, reformatted, etc. All backup and archive copies of a record should be disposed of when the original is disposed of. All employees and independent contractors/consultants are expected to comply with the Policy and dispose of records from their personal hard disks, home computers, PDAs and home files, etc., in accordance with these guidelines. On an ongoing basis, duplicate and multiple materials should be eliminated. Whenever possible, the official record is the record that should be retained. Generally, the author of a record is the custodian of the official record. Accounting records should not be disposed of without approval from both (1) the Company’s Chief Financial Officer and (2) the Company’s General Counsel. Engineering, research and product development records should not be disposed of without approval from both (1) the Company’s Executive Vice President, Products & Engineering and (2) the Company’s General Counsel. Marketing records should not be disposed of without approval from both (1) the Company’s Executive Vice President, Worldwide Marketing and (2) the Company’s General Counsel. Any deviations from the Policy must receive approval from the Company’s General Counsel.

IV. EMAIL RETENTION

The Company supplies email to its employees and independent contractors/consultants to assist such employees and independent contractors/consultants in the performance of their jobs. The email system, and all email messages and attachments that are composed, sent or received via the Company’s email system, are owned by the Company and are corporate property.

Email should be retained based on its content for the period of time necessary to meet legal, audit and management or operational requirements, and business needs. Each employee and independent contractor/consultant should regularly review their email and dispose of messages for which there is no legal, audit, management or operational or business need to retain.

Because of the need to (a) identify electronically stored information of continuing business value, (b) identify electronically stored information subject to retention or preservation obligations and (c) reduce the costs of storing needless information, the Company’s employees and independent contractors/consultants have one hundred eighty (180) days from the date of the email to determine whether it is subject to legal, audit or management or operational retention requirements, or if there is a business need to retain the email. The Company’s email system will delete messages and attachments that are one hundred eighty (180) days old (based on the date the message was received/sent). The Company’s employees and independent contractors/consultants can folder, download, forward or print emails in accordance with the Record Retention Schedule and any litigation hold.

Employees and independent contractors/consultants should take great care in writing and sending emails, as they may be corporate records, and the equivalent of regular business correspondence. Employees and independent contractors/consultants should keep in mind that emails can be forwarded outside the Company without their knowledge or control, and thus, employees and independent contractors/consultants should protect confidential and proprietary information by (1) considering whether email is the appropriate medium for communicating the information, (2) limiting the distribution of email messages, (3) considering whether attachments are necessary, and not including unnecessary attachments and (4) marking messages with confidential or proprietary information “Contains confidential and proprietary information not to be disclosed beyond original recipients.”

V. LEGAL HOLD

The Company has an obligation to preserve potentially relevant information once the Company has notice of pending or threatened litigation, governmental investigations or audits (i.e., the Company is aware that a claim has been or soon will be filed). Potentially relevant information includes (1) hard copy documents, (2) electronic documents, including email and email attachments and (3) physical evidence. The Company must preserve all information that is potentially relevant to the subject matter of the pending or threatened litigation, investigation or audit.

A legal hold suspends all disposal procedures under the Policy in order to preserve appropriate records under special circumstances, such as litigation, governmental investigations or audits. The Legal Department determines and identifies what types of records are required to be placed under a legal hold. The Legal Department will notify you if a legal hold is placed on records for which you are responsible. You then are required to acknowledge the legal hold and confirm your compliance, i.e., to preserve and protect such records in accordance with instructions from the Legal Department. RECORDS OR SUPPORTING DOCUMENTS THAT HAVE BEEN PLACED UNDER A LEGAL HOLD MUST NOT BE DISPOSED OF, ALTERED OR MODIFIED UNDER ANY CIRCUMSTANCES. A legal hold remains effective until it officially is released in writing by the Legal Department. If you are unsure whether a record or supporting document has been placed under a legal hold, you should preserve and protect that record or supporting document until you verify its status with the Legal Department.

All Company employees have a duty to notify their supervisor and the Legal Department of any pending or threatened litigation, governmental investigation or audit for which Company records may be wanted or needed. If you become aware of special circumstances, such as litigation, a governmental investigation or audit, or records evidencing a possible criminal offense, you should suspend all disposal procedures and contact your supervisor and the Legal Department immediately.

VI. COMPLIANCE

Every employee and independent contractor/consultant has an affirmative responsibility to comply with the Policy. Failure to comply with the Policy will subject the employee and independent contractor/consultant to disciplinary action, up to and including termination of employment or business relationship at the sole discretion of the Company. Also, failure to comply with the Policy could subject the employee and independent contractor/consultant to civil and criminal penalties.


RECORD RETENTION SCHEDULE

PART ONE

RECORDS TO BE ROUTINELY AND PROMPTLY DISPOSED OF

The following records should be routinely and promptly disposed of by all persons who possess them:

• Drafts of board minutes and proposed board agendas and board resolutions after they are incorporated into approved minutes;

• Drafts of securities law filings (prospectuses, registration statements, Forms 3, Forms 4, Forms 5, Forms 10-K, Forms 10-Q, etc.) after the filing has been filed with the Securities and Exchange Commission;

• Drafts of business plans after the subsequent or final version is prepared;

• Drafts of strategic plans after the subsequent or final version is prepared;

• Drafts of press releases after the subsequent or final version is prepared;

• Draft or Interim Financial Results;

• Non-essential correspondence and documents pertaining to the matters listed above; and

• Notes or memos, tapes/transcripts of meetings or conference calls with analysts (retain only approved scripts, if any).


RECORD RETENTION SCHEDULE

PART TWO

REQUIRED RETENTION PERIOD FOR CERTAIN RECORDS BY DEPARTMENT

SALES AND FIELD SERVICES DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Customer and Vendor Files, including Correspondence | Current year plus seven (7) years
Sales Forecasts | One hundred eighty (180) days following the end of the fiscal quarter to which such sales forecasts relate
Price Lists | Permanent


PRODUCTS & TECHNOLOGY DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Drawing Originals or Computer Aided Design Source Media | Life of product or life of patent, design or copyright, whichever is longer, plus twenty (20) years
Engineering and Technical Documentation (including documents related to the proposals, requirements, design implementation, testing and release of the product and project) | Life of product or life of patent, design or copyright, whichever is longer, plus twenty (20) years
External (Third Party) Test Data and Reports | Six (6) years after final payment of contract
Internal Test Data | Life of product or life of patent, whichever is longer
Specifications | Life of product or life of patent, whichever is longer, plus twenty (20) years
Technical Proposals | Six (6) years after final payment of contract
Product Certifications | Life of product or life of patent, whichever is longer
History of Policy, Process, Procedures and Standard Documentation | Indefinite (review every five (5) years)
Audit Related Information | Indefinite (review every five (5) years)


LEGAL DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Certificate of Incorporation, Bylaws and Minutes of Stockholder and Board Meetings (including Written Consents) | Permanent
Minutes of Meetings of Committees of Board | Permanent
Presentations Made at Board Meetings and Committee Meetings | Permanent
Filings with the Securities and Exchange Commission (10-K, 10-Q, 8-K, etc.) | Permanent
Certifications; Back-up Information for Filings with the Securities and Exchange Commission | Permanent
NASD Listing Agreements | Permanent
Notices of Stockholder and Board Meetings | Permanent
Proxy Statements and Related Correspondence | Permanent
Due Diligence Files | Indefinite (review every seven (7) years)
Filings with Regulatory Bodies | Indefinite (review every ten (10) years)
Litigation Files (Non-IP) | Seven (7) years after final resolution
IP Litigation Files (including settlement documents and agreements arising from IP litigation or disputes) | Permanent
Copyright and Trademark Registrations and Assignments, Licenses and Related Agreements | Permanent
Trademarks (Applications, Registrations and Common Law marks) and Assignments, Licenses and Related Agreements | Permanent
Patents, Patent Licenses and Related Files, including Assignments, Licenses and Related Agreements | Permanent
Samples and Specimens of Early Use of Trademarks by Country | Indefinite (review every ten (10) years)
Non-Disclosure Agreements | Permanent
Customer Claims | Six (6) years after settlement
Agreements (Signed)/ Drafts of Agreements Containing Substantive Changes and Associated Documentation | Six (6) years after expiration
Memorandum of Understanding, Letters of Intent | Six (6) years after expiration
Disputes Arising Out of Contracts (Non-IP) | Six (6) years after final payment of contract unless specified in contract, or six (6) years after settlement of the dispute, unless specified in the settlement agreement
Disputes Arising Out of IP Contracts | Permanent
Domestic Consultant Agreements | Seven (7) years after expiration or termination
International Consultant Files | Ten (10) years after expiration
Export License Applications/ Export Clearance Documentation | Permanent
Letters Which Constitute All or Part of a Contract or Which Clarify Certain Points in a Contract | Corresponds to retention period of principal record/document
Letters Pertaining to Patents, Trademarks and Copyrights, Licensing Agreements, etc. | Corresponds to retention period of principal record/document
Letters Denying or Affirming Liability of the Company | Corresponds to retention period of principal record/document
Investigation Information | Current year plus six (6) years


SHAREHOLDER SERVICES DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Canceled Stock Certificates | Current year plus twenty-five (25) years
Closed Stockholder Accounts | Permanent
Daily Stock Transfer Sheets | Permanent
Proxy Tabulations | Current year plus seven (7) years
Stockholder Lists for Annual or Special Meetings | Current year plus seven (7) years
Stockholder Register/Ledger | Permanent
Register of Loss of Stock Certificates | Permanent
Transfer Journals | Permanent
Voted Proxies | Permanent
ESPP Applications | Indefinite (review every ten (10) years)
Employee Shareholder Services Files, including Section 16 Filings | Indefinite (review every ten (10) years)


HUMAN RESOURCES DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Disability and Sick Benefit Files | Indefinite (review every ten (10) years)
Employee Group Insurance Cost Data | Current year plus three (3) years
Governmental Filings | Current year plus seven (7) years
Benefit Plan Legal Filings | Indefinite (review every ten (10) years)
401(k) Diligence Files – Investment Documentation, Board Meeting Minutes | Indefinite (review every ten (10) years)
Application and Resume for Employment – Unsuccessful Candidates | Current year plus five (5) years or until resolution if a claim is made
Application and Resume for Employment – Successful Candidates | Indefinite (review every ten (10) years); EMEA: Must be disposed of after 1 year
Employee Agreements or Contracts | Indefinite (review every ten (10) years)
Domestic Consultant Agreements | Seven (7) years after expiration or termination
Incentive Compensation Plans | Indefinite (review every ten (10) years)
Personnel Evaluations | Indefinite (review every ten (10) years); EMEA: 6 years, after which time no longer relevant and should be disposed of
Position Description | One (1) year after the position is eliminated
Training and Development | Current year plus three (3) years; EMEA: 6 years
Unemployment Compensation Claims | Current year plus three (3) years; EMEA: 6 years (Payroll data)
Out-placement Data | Current year plus three (3) years
Authorizations for Employment, Changes in Wage and Salary Rates, Leaves of Absence, Termination, etc. | Indefinite (review every ten (10) years)
Safety and Health Procedures | Indefinite (review every two (2) years); EMEA: Permanent
Government Safety and Health Records and Filings | Current year plus five (5) years; EMEA: Permanent
Current Employee Handbook and Prior Versions of Employee Handbook | Permanent
Employee Address | Indefinite (review every ten (10) years)
EEO Affirmative Action Plan | Current year plus six (6) years
Worker’s Compensation | Indefinite (review every ten (10) years)
Organization Charts | Current year plus six (6) years
Form I-9, Employment Eligibility Verification, with Supporting Copies of Documents Inspected | Three (3) years after date of employee termination
Form ETA-9035, Labor Condition Attestation, with Supporting Copies of (1) SESA Prevailing Wage Determination and (2) Internal Posting | One (1) year after date of employee termination
Payroll Records of All Employees Who Do Not Have Permanent Work Authorization | Six (6) years after date of employee termination
All Other Immigrant Records Relating to Employees | Six (6) years after date of employee termination
U.S. and International Employee Files | Indefinite (review every ten (10) years)
Sales Compensation Files | Indefinite (review every ten (10) years)
Due Diligence Files | Indefinite (review every seven (7) years)
Sales Commission Plan Files | Ten (10) years after termination or longer as required by each jurisdiction
Investigation Information | Current year plus six (6) years
Pay Structures and Pay Policy Guidelines; Stock Guidelines | Current year plus three (3) years; EMEA: Six years after date of employee termination, as Equal Pay awards can be applied retrospectively for 6 years
Focal Planning Spreadsheets | Current year plus three (3) years; EMEA: Six years after date of employee termination, as Equal Pay awards can be applied retrospectively for 6 years


FACILITIES DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Leases – Real Property | Final year of lease plus twelve (12) years
Title Documents | Year of sale plus twenty (20) years
Lease Supporting Documentation | Twelve (12) years after expiration of lease
Purchases and Sales Documents – Real Property | Permanent
Property Appraisals | Current year plus four (4) years
Safety Inspections | Current year plus four (4) years
Safety and Health Procedures | Indefinite (review every two (2) years)


FINANCE DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Agreements (Signed) | Six (6) years after expiration
Business Plans | Five (5) years after end of program/project
Strategic Plans | Permanent
Internal Auditor Reports | Permanent
Budgets | Current year plus six (6) years
Annual Financial Statements | Permanent
Quarterly/Monthly Financial Statements | Current year plus five (5) years
Accounts Receivable Supporting Documents | Six (6) years after final cash receipt
Bank Deposit Slips, Bank Statements, Canceled Checks, Reconciliations | Current year plus seven (7) years
Accounts Payable Ledger | Six (6) years after final payment of contract
Accounts Payable Supporting Documents | Six (6) years after final payment of contract
Accounts Receivable Ledger | Four (4) years after final cash receipt
Credit Memos and Sales Invoices | Current year plus six (6) years
Cash Receipts/Disbursement Journals | Current year plus seven (7) years
Vendor Invoices, Employee Expense Reports (Non-EFT) | Current year plus seven (7) years
Vendor Invoices, Employee Expense Reports (EFT) | Current year plus seven (7) years
Fixed Asset and CIP Records | Seven (7) years after retirement
Fixed Asset and CIP Detail Records by Asset | Seven (7) years after retirement
Depreciation and Asset History by Month | Current year plus six (6) years
General Ledger, Journal Entries | Permanent
Journal Entries Back-up | Current year plus seven (7) years
Vendor Files | Current year plus seven (7) years
AP and AR Subledger | Current year plus seven (7) years
Trial Balance Sheets | Permanent
Audit Reports (External) and Work Papers | Current year plus six (6) years
Financial Policies, Other than Revenue Recognition Policy | Current year plus one (1) year
Revenue Recognition Policy | Current year plus seven (7) years
Revenue Files | Five (5) years after expiration of associated agreement
Revenue Status Reports | One hundred eighty (180) days after date of report
Chart of Accounts at Year End | Current year plus seven (7) years
Cost Center Master at Year End | Current year plus seven (7) years
Trust Agreements | Permanent
Trustee Billings and Correspondence | Indefinite (review every ten (10) years)
Due Diligence Files | Indefinite (review every seven (7) years)
Corporate International Business Plan | Current year plus seven (7) years
Title Documents | Year of sale plus twenty (20) years


PAYROLL DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Timesheets | Current year plus seven (7) years
Payroll Tax Returns | Current year plus seven (7) years
Payroll Journals | Current year plus seven (7) years
1099, W-2, W-4 Records or Country Equivalent | Current year plus seven (7) years
Accrued Payroll Details | Current year plus seven (7) years
Payroll Deduction Authorizations | Six (6) years after termination
Payroll Earnings Register | Indefinite (review every ten (10) years)
Payroll Journal Entries | Current year plus five (5) years
Payroll Reports to Federal, State and Local Agencies | Current year plus six (6) years


TAX DEPARTMENT *** The document entitled “Memo Re: TIBCO Tax Records Retention Policy by Country” located on Inside TIBCO contains information regarding record retention for the Tax Department, and such document is incorporated herein by reference. If there is a conflict between (1) the document entitled “Memo Re: TIBCO Tax Records Retention Policy by Country” and (2) this Record Management Policy, the Record Management Policy will govern.


TREASURY DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Agreements (Signed) | Six (6) years after expiration
Insurance Claims, Appraisals, Reports | Current year plus six (6) years
Insurance Policies | Current year plus six (6) years
Bank Reports (Bamtrac) | Current year plus seven (7) years
FX Contracts/FX Hedge Detail | Current year plus seven (7) years
LCs | Three (3) years after expiration
Applications for Credit, Approval | Three (3) years after inactivity
Accounting Reports | Permanent
Billings, including Correspondence and Performance Data | Indefinite (review every ten (10) years)
Brokerage Commission Reports | Indefinite (review every ten (10) years)
In-house Trades | Indefinite (review every ten (10) years)
Quarterly and Annual Investment Reports | Indefinite (review every ten (10) years)
Transaction Reports | Indefinite (review every ten (10) years)
Bank Account Files | Current year plus seven (7) years


INVESTOR RELATIONS DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Annual Reports | Current year plus six (6) years
Annual Investor Relations Plan | Three (3) years after completion of plan
Earnings Release/Commentary to Investors | Current year plus four (4) years
Financial Distributions to Investors | Current year plus five (5) years
Approved Scripts | Current year plus two (2) years


INFORMATION TECHNOLOGY DEPARTMENT *** The documents entitled “Procedures – Backup and Restore Strategy” and “IT Process Control Matrix: Backup Restore Procedure” located on Inside TIBCO contain information regarding record retention for the Information Technology Department, and such documents are incorporated herein by reference. If there is a conflict between (1) the documents entitled “Procedures – Backup and Restore Strategy” and “IT Process Control Matrix: Backup Restore Procedure” and (2) this Record Management Policy, the Record Management Policy will govern.


MARKETING DEPARTMENT

TYPE OF RECORD | RETENTION PERIOD
Biographies of Company Executives | Permanent
Mailing Lists | Indefinite (review and update annually)
News Releases | Permanent
Product and Customer Literature and Surveys | Current year plus three (3) years
Externally Used Marketing Documents | Current year plus three (3) years
Market Share Data | Current year plus three (3) years