
CONFIDENTIAL INFORMATION PROTECTION PROGRAM (CIPP)
BOSE GLOBAL POLICY

Introduction

Bose personnel are expected to guard against the disclosure of Bose confidential information and
protect the confidential information of our customers, suppliers, fellow employees, and others. This
policy provides guidance on how Employees and In‐House Contractors (defined below) should handle
confidential information and is applicable to Employees and In‐House Contractors of Bose and Bose
subsidiaries worldwide.

Bose Employees or In‐House Contractors who need assistance interpreting or implementing this policy
should seek help from their immediate supervisor, local management, or their CIPP representative.

As used in this document, Employees are regular full‐time or part‐time employees of Bose Corporation
or one of the Bose subsidiaries. In‐House Contractors are non‐employees (including independent
contractors and employees of staffing agencies) that regularly work within a Bose facility.

Classification of Information

Information is classified into the three categories illustrated in Figure 1 and described below:

1. Public Information – information that can be shown to be in the public domain, including
such information as:

• published patent applications
• press releases
• information on the Bose public internet sites (e.g., www.bose.com, www.bose.fr, www.bose.cn, etc.)

2. Confidential Information (CI) – nonpublic information related to or held by Bose,
including (but not limited to):

• technical information
• identity of existing and potential suppliers
• unreleased products
• organizational charts

[Figure 1]

The fact that information is classified as Confidential Information (and not Highly Confidential
Information) does not diminish the value of the information to Bose or the need to protect it.
Employees and In‐House Contractors are expected to take care to protect all Bose Confidential
Information and HCI.
1 | BOSE CONFIDENTIAL
CIPP POLICY v2.0

3. Highly Confidential Information (HCI) – an internal designation for a subset of Confidential
Information that falls into one of the 8 categories defined below.

1. Financial HCI. Except for total annual Bose revenue (which is Confidential Information), all other
Bose financial information is HCI. This includes sales by division, theater, channel, country,
product, store, etc., margins, cost of goods sold, component costs, profit and loss statements,
balance sheets, cash flow statements, forecasts, other forward‐looking financials, as well as cost
center financials.

2. Research HCI. Descriptions of active Bose research projects, and key findings (typically
documented in research reports) of active or previous research projects, are HCI.

3. Algorithm HCI. Bose‐generated algorithms in human‐readable form which provide a
competitive advantage and which are used in a current Bose product or may be used in a future
Bose product are HCI. Examples of Algorithm HCI include (but are not limited to) source code, block
diagrams, and other human‐readable descriptions of Bose algorithms used for audio signal
processing, feedback or feedforward control, room calibration and equalization, channel up‐mixing
or down‐mixing.

4. Engineering Tools HCI. Bose‐generated engineering tools used to create, optimize, or tune Bose
products, including (but not limited to) custom modules developed for off‐the‐shelf engineering
software programs such as Matlab and PSpice, are considered HCI.

5. Manufacturing HCI. Bose‐generated manufacturing processes, equipment and know‐how which
provide a competitive advantage and are used to make a current Bose product or may be used to
make a future Bose product are HCI. Examples include (but are not limited to) cone fabrication
processes and cone formulations and unique transducer manufacturing processes and materials.

6. Product, Plans and Strategy HCI. Corporate and division strategies, succession plans, product
plans, marketing plans, and technology roadmaps are HCI.

7. Security HCI. Encryption keys and users’ security credentials (e.g., login passwords) are HCI.

8. Personal Information HCI. Employee or customer personal information, including (but not
limited to) taxpayer identifications, salary, and credit card information, is HCI. Note that much of
this information is also protected by privacy laws throughout the world. Bose Employees and In‐
House Contractors must comply with this policy as well as all applicable privacy and other laws.

In addition to these categories of HCI, a General Manager or Vice President of a business unit may
designate additional Confidential Information as HCI. If a GM or VP makes such a designation, they
must communicate this to the appropriate people within Bose.

Questions about how to classify information should be directed to a Bose manager or a CIPP
representative.

Disclosing Bose Confidential Information 


Disclosing Bose Confidential Information to Bose Employees

Bose Confidential Information: Bose Employees and Bose In‐House Contractors shall use their best 
judgment in determining whether to share Bose Confidential Information with Bose Employees.

Bose Highly Confidential Information: Bose Employees and Bose In‐House Contractors shall only
disclose HCI to those Bose Employees having a legitimate Bose business need to know the
information. To put it another way, if disclosure of HCI to a Bose Employee may help an employee
perform their job, then there is a legitimate business need to know and the HCI should be shared.

Disclosing Bose Confidential Information to Bose In‐House Contractors

Bose Confidential Information: Bose Employees or Bose In‐House Contractors shall only disclose
Bose Confidential Information to Bose In‐House Contractors having a legitimate Bose business need
to know the information.

Bose Highly Confidential Information: Bose Employees or Bose In‐House Contractors shall only
disclose HCI to a Bose In‐House Contractor if (i) the In‐House Contractor has a legitimate Bose
business need to know the HCI and (ii) a Bose director (or above) approves in writing the disclosure
of HCI to the In‐House Contractor. Such approval may be obtained via email.

Disclosing Bose Confidential Information to External Business Associates


Before disclosing Confidential Information to external business associates (e.g., a supplier, potential
vendor, OEM customer, etc.), Bose Employees shall take the following steps:

1. Perform a Self‐Check. Bose Employees must first satisfy themselves that Bose has a legitimate
business need to disclose the information. If an Employee can effectively get the job done
without disclosing the Confidential Information, the Employee shall not disclose it.

2. Obtain Special Approval for Highly Confidential Information. If the information sought to be
disclosed is highly confidential, then the Bose Employee must get written approval from their
executive‐level Vice President or General Manager before disclosure. Such approval may be
obtained via email.


3. Ensure that a Nondisclosure Agreement (NDA) is in Effect. If there is a legitimate business
need to disclose the information (and, for Highly Confidential Information, approval is given),
then Employees must either:

a. Verify that a valid and sufficient NDA (or equivalent confidentiality agreement*) is in place
with the business associate to whom the Employee will make the disclosure; or

b. Enter into an NDA with the business associate by following the procedure set forth on the
Corporate Legal Department’s intranet site. (Questions about NDAs should be directed to
the Corporate Legal Department.)

* Some external business associates’ confidentiality agreements are contained in purchasing
agreements, consulting agreements or other contracts, rather than in a separate NDA. If you
have questions about whether an NDA or equivalent agreement is in place, you should
contact Global Supply Management or the Corporate Legal Department.

4. Make the disclosure. Once the above steps have been completed, the Employee may make the
disclosure to the external business associate. Even with an NDA in place, the Employee must
only disclose that Confidential Information which is necessary for the external business
associate to complete the work. As discussed further in the next section (Identifying
Confidential Information), the Employee must make clear to the external business associate
that the information being disclosed is confidential.

Bose In‐House Contractors are generally not permitted to disclose Bose Confidential Information or HCI
to External Business Associates. However, a Bose director (or above) may give an In‐House Contractor
permission to disclose Bose Confidential Information or HCI to an external business associate, provided
(i) that the above steps are followed and (ii) the Bose director (or above) gives written permission to
make the disclosure to the external business associate (email permission is acceptable).


Summary of Disclosure rules for Bose Employees:

| If a Bose Employee wants to disclose this type of Bose information … | … to another Bose Employee | … to a Bose In‐House Contractor | … to an external business associate |
| --- | --- | --- | --- |
| Public | No restrictions | No restrictions | OK when in accordance with Public Relations guidelines |
| Confidential (CI) | Best judgment | Legitimate business need | Legitimate business need; and only under NDA |
| Highly Confidential (HCI) | Legitimate business need | Legitimate business need; and approval from a Bose director (or above) | Legitimate business need; and only under NDA; and written approval from executive‐level VP or GM to disclose HCI outside of Bose. |



Summary of Disclosure rules for Bose In‐House Contractors:

| If an In‐House Contractor wants to disclose this type of Bose information … | … to a Bose Employee | … to another In‐House Contractor | … to an external business associate |
| --- | --- | --- | --- |
| Public | No restrictions | No restrictions | OK when in accordance with Public Relations guidelines |
| Confidential (CI) | Best judgment | Legitimate business need | Legitimate business need; only under NDA; and written approval from a Bose director (or above) permitting In‐House Contractor to make the disclosure. |
| Highly Confidential (HCI) | Legitimate business need | Legitimate business need; and approval from a Bose director (or above) | Legitimate business need; only under NDA; written approval from Executive‐level VP or GM permitting disclosure of HCI outside of Bose; and written approval from Bose director (or above) permitting In‐House Contractor to make the disclosure. |

Vice Presidents and General Managers may impose additional limitations on the disclosure of
Confidential Information residing within their organization.


Labeling Confidential Information


Employees and In‐House Contractors are expected to label print and electronic documents containing
Confidential Information or Highly Confidential Information with the following legends:

Bose Confidential or
Bose Highly Confidential

In instances where the Bose confidential information cannot be marked (e.g., when making an oral
disclosure ‐‐ such as information conveyed during a telephone conversation ‐‐ or when making a visual
disclosure ‐‐ such as conducting a plant tour or the showing of a pre‐production industrial design
model), the Employee or In‐House Contractor is expected to state that the information being
disclosed or shown is confidential.

In addition, after making an oral or visual disclosure to a third party under NDA, the Employee or In‐
House Contractor making the disclosure is highly encouraged to follow up in writing (e.g., e‐mail) to 
confirm that the Bose information disclosed is considered confidential. This written confirmation
should not describe in detail the Confidential Information itself. A sample follow‐up email message can
be found on the CIPP website here.

The failure to mark or identify information as confidential does not render the information non‐
confidential. Employees should assume that all non‐Public Information generated or held by Bose is
confidential whether or not the information is marked as confidential.


Receiving & Handling Confidential Information from Third Parties 


Receiving Third Party Information Under NDA

Before receiving confidential information from a third party, Bose Employees shall take the
following steps:

1. Perform a Self‐Check. Before receiving confidential information from external business
associates (e.g., a supplier, potential vendor, In‐House Contractor, etc.), Employees shall
satisfy themselves that there is a legitimate business need for Bose to know the information.
If the Employee can get the job done without receiving the confidential information, the
Employee must not receive it.

2. Ensure That Any Required NDA is Properly Reviewed and Approved. Before making a
disclosure to Bose, a third party will often request that an NDA is in place. If there is also a
need to share Bose Confidential Information with the third party, then the Employee shall
ensure that a mutual NDA is in place (instructions on how to obtain a mutual NDA are
available at the Corporate Legal Department intranet site). If only the third
party will be making a disclosure of confidential information, they may request use of their
NDA form. In this case, the form must be reviewed and approved by the Legal Department
and then signed by a person at Bose with authority to execute mutual NDAs. (These persons
are also listed on the Corporate Legal Department intranet site.)

3. Receive Information and Limit Distribution. Once any required NDA is approved and
executed, the Employee may receive the third party confidential information. The third
party confidential information provided to Bose under the NDA (i) may only be used for
the purpose of the NDA; and (ii) may only be distributed within Bose to other Bose
Employees who have a need to know.

Bose In‐House Contractors are often not permitted to receive the confidential information of
external business associates. A Bose In‐House Contractor seeking to receive the confidential
information of an external business associate should contact the Bose Legal Department for
guidance.

Receiving Unsolicited Confidential Information of Others

Bose competes vigorously but fairly, in conformity with Bose Corporation’s ethical guidelines and
legal requirements. Just as Bose carefully safeguards its intellectual property, Bose expects its
Employees and In‐House Contractors to respect the intellectual property and confidentiality rights
of others.

If any Bose Employee or In‐House Contractor is offered by one party the confidential information
belonging to another party (e.g., a Bose competitor or customer), he/she shall not accept, review or
make any use of that confidential information. Instead, the Bose Employee or In‐House Contractor
should immediately notify his/her supervisor and the Legal Department.



Handling the Confidential Information of Former Employers

Bose Employees and In‐House Contractors shall not retain, use, disclose or bring to Bose any
information of a former employer or client that might be considered to be confidential information
of that employer or client.

If an Employee’s or In‐House Contractor’s responsibilities at Bose might risk the use or disclosure of
confidential information of a former employer or client, the Employee or In‐House Contractor
should promptly disclose that risk to his/her manager. Any questions regarding the possession,
retention or use of information of a former employer or client should be referred to the Legal
Department.

Disposal of Bose or Third Party Confidential Information


Printed documents that contain Confidential Information shall be disposed of in a shredder or shred
bin.

Obsolete or otherwise no longer used physical components or devices containing Confidential
Information (e.g., PCs, disk drives, circuit boards and the like) shall be destroyed in accordance with
local practice. Contact your manager or Corporate Security for more information.


Other Applicable Laws, Policies and Agreements

CIPP provides general guidance on handling of all types of information possessed within Bose.
However, there are also many laws, contractual agreements, and other Bose policies that provide
additional rules applicable to various types of information possessed by Bose. The following is a
summary of some (but not all) of the other applicable laws, policies and agreements:

| Law, Policy, Contract | Applicable Information |
| --- | --- |
| CIPP (this policy) | Applies to all information possessed by Bose, its Employees, and In‐House Contractors |
| Privacy laws of countries where Bose does business | Applies to personal information of individuals (e.g., address, taxpayer identification number, telephone number, email address, health information, etc.) |
| Financial information protection laws of countries where Bose does business | Applies to credit card numbers, bank account information, etc. possessed by Bose |
| Export control laws of countries where Bose does business | Applies to information deemed of strategic importance to national security of a country |
| Non‐disclosure agreements (NDAs) | Applies to confidential information of other companies that the other company has disclosed to Bose |
| Purchase Agreements | Typically contain a non‐disclosure agreement that applies to information exchanged between Bose and the supplier. |

This list is not exhaustive. Employees and In‐House Contractors with questions about handling of
information should be directed to the Corporate Legal Department or your CIPP representative.


Monitoring of Confidential Information Protection Policy Compliance


To the extent permitted by local law, Bose reserves the right to employ manual and technological
measurement and monitoring tools and techniques to audit and control the internal and external
transfer of Confidential Information (in all types of media and/or formats), and to ensure compliance
with this policy.

Penalties
Individuals who violate the provisions of this policy will be subject to disciplinary action in accordance
with the Bose Corrective Action Policy.

Exceptions
Exceptions to this policy may be granted on a case‐by‐case basis by written approval from a Bose Vice
President (or above).
