Compliance Data Collection Policy
As a nonprofit 501(c)(3), Nest’s mission is to generate global workforce inclusivity, improve women’s wellbeing beyond factories, and preserve cultural traditions. Nest collects data during programming activities to monitor and report program progress over time, and measure program impact. Nest maintains a data ownership policy that allows the organization to continue and expand Nest’s programmatic activities by leveraging the learnings and insights gathered through Nest’s data collection efforts.
1. Data Collection + Management
1.1 Nest reserves primary rights to ownership and management of all data gathered during the assessment and programmatic processes, exclusive of explicit mention of those partners (both Client and handworker partners) whose supply chains may be anonymously represented within collected data sets. This includes the following categories of data subjects and types of personal data, when applicable:
Nest baseline data collection during the training portion of the assessment process
Nest data assessment results
Nest worker well-being results
Case studies gathered on site
Photographs taken on site
Nest Corrective Action Plans
Categories of Data Subjects include: Employees, agents and contractors of the Client
Personal Data processed includes the following types of non-sensitive data: First and last name, employer, physical address, phone, email address, and IP address. The parties do not process sensitive data.
1.2 Nest maintains the following confidentiality rules with regard to worker-related data:
Nest receives signed informed consent from workers prior to participation in any surveys or photography
Nest anonymizes all data captured for public use
Nest only uses the data in aggregated form for public use; any individual data used for case studies will be anonymized with changes made to names and other personal identifiers
2. Data Usage + Sharing
2.1 In engaging in Nest services and program offerings, Client automatically receives full usage rights to all data collected throughout the duration of the program. All partners, both the Client and Identified Supply Chain, have the right to request any of the available data from Nest. However, all data is owned by Nest, and ownership of any data is not transferable to partners.
2.2 Nest will provide the following findings from Nest data to active identified supply chains and vendors from their projects, where available:
Baseline survey data
Crude numbers of workers impacted
Descriptive data of handworkers with whom Nest engages
Corrective Action Plans from Nest’s assessments
These findings will eventually be available to active partners through virtual dashboards. Partners will receive data relevant to their business/brand and additional aggregate data of all of Nest’s projects to facilitate relative comparisons. Raw data or additional data, outside of those listed in 2.1, will have to be requested through a formal process. All data sharing will be at the discretion of Nest and requests for additional data will be assessed on a case-by-case basis. The collection and sharing of additional data will be established in individual data sharing agreements outlining data usage and rights (see annex); resources expended to obtain certain data may be subject to service fees.
2.3 All shared data will be de-identified of personal identifiers regardless of the type of data requested.
2.4 Nest Client or handworker partners are allowed to use the data obtained from Nest, internally, for tracking compliance and impact. They are restricted from sharing the data with non-participating partners, other external entities, or for public use (exceptions are allowed, see 3.5) without prior written consent from Nest.
2.5 It is at Nest’s discretion to share data with non-participating partners, which will likely be done for a fee or with the understanding that those new partners will pay into future programming for the handworker/handcraft business site. In cases where there is overlap between participating and/or non-participating partner relations with handworkers, cost-sharing options can be discussed.
2.6 Nest may engage third-party sub-processors to process personal data for the purpose of the agreement between the parties, provided that Nest imposes data protection obligations on each sub-processor that require it to protect the personal data subject to this agreement to at least the same standard imposed on Nest in this Exhibit B. Nest will make a listing of its current sub-processors available upon request. If Nest intends to add a new sub-processor, Nest will provide notice, in advance, prior to making any personal data available to such sub-processor. Nest will have in place procedures so that any third party authorized to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorized or required by law or regulation to have access to the personal data.
2.7 Client may object to any additional or replacement sub-processor before it is appointed, provided that such objection is based on objective and reasonable grounds relating to data protection. If Nest chooses not to suggest an alternative sub-processor, or if Client objects to all Nest alternative sub-processors, Nest will not disclose Client’s personal data to such sub-processor. If Nest is unable to perform the services without such sub-processor, then Client may either approve such sub-processor or terminate this agreement upon 30 days’ prior written notice.
2.8 Nest will be liable for any breach of this Exhibit B, to the extent caused by an act, error or omission of one or more of its sub-processors.
2.9 Nest will not share, transfer, disclose, or otherwise provide access to any personal data to any third party, unless Nest (a) enters into a written agreement that imposes obligations on the third party that are consistent with GDPR, (b) transfers the personal data to the third party only for a limited and specified purpose, (c) requires the third party to notify Nest if the third party determines that it can no longer meet its obligation to provide the same level of protection as required under GDPR, and (d) upon notice, takes reasonable and appropriate steps to remediate unauthorized processing of personal data. Client hereby provides Nest with consent to use processors as necessary to provide the services.
3. Public Data Use
3.1 Nest reserves the right to share anonymized data with its community of media subscribers (i.e. website visitors, e-newsletter subscribers, social media followers) at its own discretion, and may further disseminate the information publicly via strategic conversations with key members of the press.
3.2 If Nest plans to use any data with personal identifiers, informed consent from the individual will be obtained.
3.3 In any instances in which Nest seeks to include explicit mention of a partner in relation to a Nest project, Nest will seek approval of said partner and must receive written permission from the partner to include its name in any materials associated with the data.
3.4 Nest reserves the right, as outlined in contracts with clients, to publicly state all paying clients and list them on any relevant documents such as impact reports and social media platforms.
3.5 Partners who wish to use data collected by Nest for public purposes will have to submit formal requests that Nest will assess on a case-by-case basis.

