Growth Platform

Data Management - DOU

Requesting Entity:
16 March - 1
napadala@in.ibm.com

Approvals by:
Pepe Valiente, Growth Platform Offering Manager
Kevin Dzwonchyk, Engineering Leader

Document Version: 1.0

Issue Date: Mon Mar 16 2020 21:39:02 GMT+0530

Security classification: IBM Confidential

INTRODUCTION

This Document of Understanding (DOU) between IBM Digital Growth and Commerce (DGC) – Growth Platform and the Business
Unit sets forth the terms regarding the use of the 3rd party Segment (www.segment.com) and related tools managed by DGC.
Segment is a tool that collects data on product usage events as a customer uses IBM products. This data enables IBM’s
understanding of aggregate product usage and helps address failure cases with a single customer. Additionally, that data are used
for marketing outreach and product notifications. With the initiation of EU GDPR on May 25th, 2018, IBM practices with regard to
the collection and use of personal data are regulated, thus DGC requires the Business Unit to adhere to the terms defined in this
document.

As the Growth Platform contains Personal Information (PI) about IBM clients or potential clients, access and protection of PI client
data is subject to international/country laws and IBM usage guidelines, as such, it is tightly enforced and monitored by the Growth
Platform stakeholders.

The Business Unit is responsible for understanding, agreeing to, and adhering to the access and protection conditions outlined in
this document of understanding, this includes but not limited to sharing data downstream or to other parties.

To understand more about how access is managed within the Growth Platform, click here: Link to new access management module:
http://nurturelove.w3bmix.ibm.com/documentation/

1 – DESCRIPTION

1.1 Purpose.

The purpose of this project is to create a unified method of collecting product usage data at IBM. Through use of an IBM-wide
analytics stack, the project should:

Reduce the costs of the product teams by removing responsibility for managing an analytics stack.
Provide a common API across the environments to support the need for teams to handle cloud, ICP, and on-prem
Comply with rapidly changing privacy regulations.
Become a single point in the company for procurement of analytics tools and services.
Provide a common dashboard platforming across IBM products.
Build end-to-end user funnel to improve the effectiveness of marketing campaigns.
Identify high-potential customers based on usage activity to assist the sales process
Be a unified customer activity view that assists support

1.2 Project Effective Period

This DOU will become effective when approved in writing by authorized parties and remains in place until termination. This
document is valid until both parties agree to any modification proposed by either party or termination requested by either party as
defined under section “8.0 Termination”.

Neither party will make commitments affecting the other party without that party’s prior written agreement. Any required changes
will be subject to normal DOU project change control procedures outlined in this DOU.

2 – TEAM DESCRIPTIONS

2.1 DGC Growth Platform Mission

The DGC Growth Platform team’s mission is to assist IBM product teams in creating delightful customer experiences. The team
operates a digital stack aimed at exploring product usage patterns, interpreting those patterns, and delivering on new tools and
processes that increase the number of users, the usage, and revenues of IBM products.

At the core of this stack is the customer usage events collected by a technology service operated by an independent company
called Segment (https://segment.com/). DGC Growth Platform uses Segment to 1) Capture , store, and process data related to in-
product user activities, 2) Prepare and translate event data into a common format consumable by downstream tools, and 3) Make
available the necessary data to designated tools for additional functionality.

For IBM, DGC Growth Platform team’s use of Segment:

drives incremental revenue through enablement of intelligent nurture based on user behaviors
 enables real-time, data-driven decision-making for each IBM function along a customer journey
ushers event data to in-app campaigns to improve engagement and progression
builds universal view of a customer for sellers and customer success managers to know what a customer is doing (or not) to
better seize opportunities and improve retention
informs product managers of user behaviors and friction points to improve their products.

Additional tools are investigated regularly by the team to uncover value. These tools include, but are not limited to, customer
messaging systems, analytic tools, SEO optimization tools, and predictive analytic engines. Once tools are found to match business
needs, they will be introduced into to the DGC Growth Platform stack.

3 – BUSINESS JUSTIFICATION AND BENEFITS

Business Unit: test

WHAT IS THE BUSINESS JUSTIFICATION and BENEFITS FOR THIS REQUEST?

test

4 DIGITAL GROWTH AND COMMERCE (DGC) RESPONSIBILITIES

4.1 Segment Terms of Use

DGC is responsible for ensuring consistent use of Segment across offering teams. All Offering Teams will agree to this Document of
Understanding and the attached DGC Segment Terms of Use. DGC has defined acceptable usage criteria for use of DGC instance
of Segment (“DGC Segment”) for data consumers, data providers, and engineers. This defined acceptable usage is compliant with
governance standards, including all applicable security and privacy policies and regulations.

DGC will also define the Segment Terms of Use (TOU) document (attachment 1) and maintain compliance via a DOU with all
internal owners of applications and 3rd party assets, as well as product & offering owners who utilize DGC Segment in any way.

4.2 Data Governance

Data collected through this process will be used for current agreed use cases of:
Informing Offering Management, Marketing and Digital Growth teams as to the usage characteristics of IBM products;
Enabling Offering Management, and Digital Growth teams to power user engagement capabilities and automation capabilities, to
nurture users through successful use of the offerings;
Informing client-facing IBMers such as Client Success Managers and Sellers (and associated lead routing and scoring
processes) with the information necessary to convert, maintain and expand relationships with our clients.

Data will not be used to support consulting engagements with clients outside of the Business Unit without the express permission of
the Business Unit. In the event that a new use case of data is defined, then a mutual agreement between DGC and the Business
Unit(s) will be put in place before activating that use of the data. In the interest of agility and good faith, any request for a mutual
agreement should be responded within 3 business days, or this will be interpreted as approval. Requests from DGC will indicate the
3 day timeline for a reply, and stipulate failure to reply is interpreted as approval.

4.3 IBM Product and Segment Implementation Process

DGC will provide IBM product and offering teams with a standard instrumentation process to send data into DGC Segment via the
DGC’s Growth Platform. DGC will educate, assist, review instrumented events and approve all new offerings onboarding to
Segment instrumentation that collect data for adherence to DGC’s defined schema. The Growth Platform process is meant to be an
additive process and should minimize the impact on your offering.

The Growth Platform process uses common business words in its documentation, and all words in Growth Platform documentation
are scoped to the Growth Platform process only. For instance, uses of words like "milestone" and "code" are confusing for some
Business Units due to similar terminology used in existing Business Unit processes. The usage of common business words in the
Growth Platform process should not be confused as referring to any "milestone" or "code" that the Business Unit may define in non-
Growth Platform processes. Neither should terms similar to "milestone" nor "code" be understood to be referring to those previously
defined by the Business Unit. The phrase "code review" in the Growth Platform process refers to an event code review, which has a
member of the Growth Platform team confirm the events transmitted by the Business Unit to the DGC Growth Platform is done with
proper event codes. There may be other words used in the Growth Platform documentation which are used in other areas of
business, and the words, when used in the Growth Platform documentation, should not be conflated to have more meaning than the
Growth Platform process.
DGC shall maintain backwards compatibility to ensure the Business Unit’s Offerings do not require modifications. DGC will do this
by minimizing or abstracting changes to Segment or related technologies and 3rd party vendors. Any updates that DGC requires of
the Business Unit’s Offerings will be accompanied with 180 day notification period before becoming required.

4.4 Applications and Vendor management

DGC will directly procure and manage 3rd party vendor contracts with DGC owned Segment and Segment-integrated vendors. All
vendor integrations managed by DGC will be assessed, managed and held compliant to all applicable IBM corporate standards and
procurement requirements, such as corporate security standards, privacy policies, and EU Global Data Privacy Regulation
(“GDPR”). Vendor integrations managed by DGC:

Segment (https://www.segment.com)
Clearbit (https://clearbit.com)
Amplitude (https://amplitude.com)

In investigations for additional value, vendors will be integrated by the DGC team after testing, staging, and beta period that will
assess value and compliance of the vendor’s service.

DGC will integrate technical capabilities, ensure agreement compliance with all security, privacy and usage requirements as defined
in the DGC Segment Terms of Use (TOU), with all application owners, including owners of any 3rd party vendor contracts/
relationships. 3rd party vendors include, but not limited to:

Gaia (https://www.salesforce.com)
Tray (https://tray.io)
Gainsight (https://www.gainsight.com)
Success360
Looker (https://looker.com)
Chartio (https://chartio.com)
Appcues (https://www.appcues.com)

DGC will only procure and manage 3rd parties which are scalable across all of IBM and have shown value to be selected by DGC
as part of an integrated technology stack.

If the Business Unit would like to add a vendor to the Segment ecosystem, check with the DGC Growth Platform team to determine
if the vendor integration is currently available. If unavailable, the Business Unit will need prior approval from DGC before adding data
integrations. If the additional integration is approved, the Business Unit, not DGC, will be responsible for managing the following, but
not limited to, vendor agreements, GDPR, compliance, audits, and DOUs.

DGC Growth Platform will keep an update-to-date schema of all data flows and data-usage. At any time, the Business Unit can
request the latest copy of this schema.

4.5 User consent for data capture from a customer's web browser

For IBM.com pages, DGC Growth Platform has worked with the IBM.com team to integrate Segment with the Tealium and TrustArc
tag management systems. All consent for data capture on these pages is within compliance.

For offering pages that capture product usage events from the customer's web browser, DGC Growth Platform has worked with IBM
Cloud team to integrate TrustArc into the Bluemix Common Library found at https://github.ibm.com/Bluemix/Bluemix.Analytics.
When using the Bluemix Common Library to capture events from a customer's browser, all consent for data capture on these pages
is ensured to be compliant using TrustArc.

TrustArc is a JavaScript tool that loads on a browser prior to any tracking scripts, such as Segment. TrustArc, then determines the
location of the user, and acts based on the laws within the jurisdiction of the end user. If consent is required for tracking, then
TrustArc will prompt action from the user for permission to load tracking JavaScript. With regard to the law and to required consent,
only compliant data is captured. DGC will ensure that proper consent requests and disclosures, approved by the GDPR project
office, are provided prior to collecting usage data in DGC Segment from IBM web pages and IBM Cloud.

DGC Growth Platform uses the marketing team consent system for ensuring compliance of email communications and customer
consent.

4.6 Data Subject Access Requests for DGC Growth Platform Tools with IBMid or IBMId Federated Authentication
For compliance with GDPR, DGC Growth Platform works with the IBM GDPR PMO to process all Data Subject Access Requests.
IBM GDPR PMO is launching a portal which will allow users to make Data Subject Access Requests to IBM. Based on the
identifiers transmitted to DGC Growth Platform from IBM PMO, DGC Growth Platform will accept and process all data subject
access requests (delete, modify, port) submitted by users and processed by the IBM GDPR PMO. The tools which DGC Growth
Platform will propagate this request to include: Segment, Intercom, Amplitude, and DGC Data Warehouse.

4.7 IBM Employee User Access Control

DGC Growth Platform will administer and manage user access to DGC Growth Platform managed integrations. DGC Growth
Platform requires all teams using Segment to agree to DOUs stating an acceptance of compliance requirements. Individuals who
seek to gain access, are required to agree to DGC Segment TOU (Attachment 1), which establishes behavior requirements,
removal of access, SSO access via W3ID, and an annual access validation process.

5.0 THE BUSINESS UNIT RESPONSIBILITIES

5.1 Segment Terms of Use

Any use of Segment and/or any Segment related applications and/or data must be consistent with the DGC Segment TOU
(attachment 1). Any deviation from any part of the TOU is prohibited and will require written approval from DGC and an update to
this DOU.

5.2 Own Asset(s)

Any and all security and privacy assessment of your own assets, that includes product, offering, and/or application is under your
own responsibility.

Cumulus and/or Global Privacy Assessment (GPA) and any necessary/applicable remediation for your own assets are under your
own responsibility.

Cumulus and/or Global Privacy Assessment (GPA) and any necessary/applicable remediation for your own assets are under your
own responsibility.

Any existence of Segment data in your own application or code (not including code for DGC Growth Engine instrumentation), such
as for the purposes of processing data or storing data locally in a database or data warehouse you own, will be under your own
responsibility for GDPR assessment and compliance, including fulfillment of DSAR requests through the IBM-wide DSAR tool,
consent management, data retention, and disclosure of purpose for data usage.

User Access control, including user agreement to DGC Segment TOU (attachment 1), handling access requests with management
approval, deleting access, SSO access via W3ID, and annual access validation process.

5.3 User consent for data capture on non-IBM web pages and non-cloud applications

With regards to non-IBM web pages or non-cloud applications, it is the responsibility of the Business Unit to ensure consent before
capturing, transmitting, or storing product usage metrics. When requesting consent for capturing, transmitting, or storing product
usage metrics, consent should cover:

Personalized real-time support

Customer requested support
Renewal/extension sales
Product Improvement
Research towards future products

The Business Units guarantees that any user within a jurisdiction requiring consent, has consented to the above use cases prior to
sending event data to DGC Growth Platform. The Business Unit will ensure that proper consent requests and disclosures, approved
by the GDPR project office, are provided prior to collecting product usage data in DGC Segment.

For collection from browsers to an Internet service, the best tool to use is TrustArc. It is compliant with IBM for cookie needs.
Instructions for implementation of TrustArc can be found at: https://github.ibm.com/wdp-digital-transformation/Nurture-Love/blob/
master/growth-engine/dou/cookie-consent-recommendation.pdf

For teams who cannot use TrustArc, or those collection from a browser not connected to the Internet, and using data for the above
purposes, the following consent statement will cover data capture if the user explicitly consents:

5.4 Data Subject Access Requests for non-DGC Growth Platform Tools or non-IBMid or non-IBMId Federated
Authentication

It is the responsibility of the Business Unit to respond to Data Subject Access Requests published by IBM GDPR PMO for their
tools that consume DGC Growth Platform data. Tools that consume this are tools that consume this data are SalesForce and
Gainsight.

For non-IBMid and non-IBMid Federated Authentication, it is the responsibility of the Business Unit to communicate all Data Subject
Access requests to IBM GDPR PMO.

5.5 Data Analysis and Volumes

Data Sources in Segment are encouraged to follow the Common Schema, in case that an exception is strictly required, the
Business Unit needs to follow a process to request the data exception and it has to be approved by the Data Council. To know more
about this process please write to: nl@us.ibm.com

5.6. Monthly Tracked Users (MTU) and Segment Data Usage.

In the case that the source incurs unexpected data spikes that significantly increase the Segment Usage through our contracted
Monthly Tracked Users (MTU), the Growth Platform reserves the right to charge “potential” overage costs to the Business Unit
responsible for the spike. Any instrumentation that potentially drives a spike must be communicated to the Growth Platform in
advanced. The Growth Platform reserves the right to turn off the offending source to prevent additional overages.

6.0 COMMUNICATION

6.1 Team Contact List

Name: Naga Srinivasa Padala, Email: napadala@in.ibm.com

6.2 Problem Reporting and Resolution Process

Additionally, we have created a “DGC Growth Platform” mailing list for team-wide communication. Please email that list to ensure
you are connected with a team member. DGC Growth Platform uses an issue tracking boarding. After initial correspondence, DGC
Growth Platform will provide a link to an issue that can be tracked.

All issues with external vendors will be handled by the DGC Growth Platform team. DGC Growth Platform will then track
remediation of those issues. Any changes required will be communicated by the DGC Growth Platform team to the Business Unit.

Due to the characteristics of the project, the Business Unit is expected to code defensively against failures of Segment or
downstream tools. Should failures happen, the following chart will be used for addressing issues:

Severity 1: Events causing end-customer downtime should be addressed to the Support Contact in section 6.1 of this document
and to the “DGC Growth Platform” mailing list using urgent language. DGC Growth Platform will respond to the initial request
within 3 hours on the current business day, or the next business day.
Severity 2: Events causing significant loss of functionality to the Business Unit’s offering should be addressed to the Support
Contact in section 6.1 and to the “DGC Growth Platform” mailing list using urgent language. DGC Growth Platform will respond to
the initial request within 6 hours on the current business day, or the next business day.
Severity 3: Events causing neither end-customer downtime nor significant loss of functionality to the Business Unit’s offering
should be addressed to the Support Contact in section 6.1 and to the “DGC Growth Platform” mailing list using urgent language.
DGC Growth Platform will respond to the initial request within 3 business days.

Because DGC Growth Platform works with vendors and multiple parties with regards to the metrics system, resolution times cannot
be guaranteed. DGC Growth Platform will only guarantee initial response times and responses to subsequent requests until
resolution is found.

7 TERMINATION
Both parties can terminate this agreement with a minimum 30-day prior notice. If the DOU is terminated by either party, it is the
responsibility of both parties to assess their compliance with regard to privacy policies and regulations in retaining the shared data.
This includes, but is not limited to:

user consent to retain personal data

data subject access request compliance and GDPR
relationship with 3rd party vendors who retain a copy of the data
code and tooling collecting and processing the data

DGC Growth Platform will retain any data captured while this DOU was in place. The data will be managed with respect to IBM
privacy policy and privacy regulations.

Prior to termination of the contract, the Business Unit has right to request export of all data captured by the offering.

8 APPROVALS

APPROVED FOR SOURCE OWNER: napadala@in.ibm.com

APPROVED FOR SOURCE: 16 March - 1

APPROVED By: napadala@in.ibm.com

Date APPROVED: Mon Mar 16 2020 21:39:02 GMT+0530

9.0 DOU APPROVED DOCUMENT REVISION PROCESS

A Project Change Request (PCR) must be submitted by email. The PCR must describe the change, the rationale for the change
and the effect of the change to any section of the DOU.

Both the parties will review the proposed change and approve or reject it. If the change is approved, a DOU Revision will be created
and associated approvals documented, authorizing implementation of the agreed changes.

10.0 DOCUMENT REVISION HISTORY

For a full list of the modifications to this document, please see: https://github.ibm.com/wdp-digital-transformation/Nurture-Love/
commits/master/growth-engine/dou/default.md