DATA PROTECTION & PRIVACY NOTICE

The data privacy regulations of some countries require that a person making a report containing personal data must be notified of certain collection and retention practices regarding the information submitted by that person and must accept the terms and conditions for the use of this service.

You are being asked to read and accept the terms contained below. If you do not wish to accept the terms below, we are unable to accept any information through this system and suggest you report this matter directly to your supervisor or manager or to a representative of the Human Resources, Legal, or Corporate Compliance Departments, depending on the nature of the possible violation.

1. General

This service is a web and phone-based intake system provided by NAVEX on behalf of Elastic to Elastic’s employees, vendors, suppliers and business partners for reporting suspected violations of laws or regulations, Elastic’s Code of Business Conduct and Ethics or Elastic’s compliance policies.

In certain countries, this service may also be used to report suspected violations of other matters. This service and the database in which the personal data and information that you may report is stored, are operated by NAVEX.

To proceed further, you must read this notice in its entirety. If you agree, check the I CONSENT box that follows. You will then be able to submit a report or question using this service. If you do not provide your consent, you will not be able to submit a report or question through this service.

2. Use of this service

Use of this service is entirely voluntary. You are encouraged to report possible violations directly to your supervisor or manager, or to a representative of the Human Resources, Legal, or Corporate Compliance Departments, depending on the nature of the possible violation. If you feel that you are unable to do so, you may use this service to make your report.

The purpose of this service is to provide a confidential online reporting system that allows you to report suspected violations of law or Elastic’s compliance policies, as well as other concerns you may have, to Elastic. In certain countries, Elastic may only accept reports through this service on limited topics, generally restricted to financial, accounting, auditing, bribery, competition law, discrimination and harassment and environment, health, hygiene, and safety matters. If your concern pertains to a matter that, under local law, may not be accepted by Elastic through this service, you will need to contact your supervisor or local management or a representative of the Human Resources, Legal or Corporate Compliance Departments to report the matter.

Please note that we are only able to receive and process reports through this service if you confirm that you have read and taken note of this Data Protection and Privacy Notice and expressly consent to the processing of the reports and your personal information as described below by clicking the I CONSENT box. If you do not consent then you may not use this service to file a report and should contact your supervisor or local management or a representative of the Human Resources, Legal or Corporate Compliance Departments to report the matter.

Please be aware that the information you supply about yourself, your colleagues, or any aspect of the company’s operations may result in decisions that affect others. Therefore, we ask that you only provide information that you believe is true. You will not be subject to retaliation from Elastic for any report of a suspected violation that is made in good faith, even if it later turns out to be factually incorrect. Please be aware, however, that knowingly providing false or misleading information will not be tolerated. The information you submit will be treated confidentially except in cases where this is not possible because of legal requirements or in order to conduct an investigation, in which case the information will be handled sensitively. We encourage you to identify yourself in order for Elastic to follow up with questions they may have.

3. What personal data and information is collected and processed?

This service captures the following personal data and information that you provide when you make a report: (i) your name and contact details (unless you report anonymously) and whether you are employed by Elastic; (ii) the name and other personal data of the persons you name in your report if you provide such information (i.e., description of functions and contact details); and (iii) a description of the alleged misconduct as well as a description of the circumstances of the incident. Note that some country laws may not allow anonymous reporting; however, your personal information will be treated confidentially and will only be disclosed as set out below.

4. How will the personal data and information be processed after your report and who may access personal data and information?

The personal data and information you provide will be stored in a database which is located on servers hosted and operated by NAVEX in the United States. NAVEX has entered into contractual commitments with Elastic to secure the information you provide in accordance with applicable law. Personal data and information provided in a report may be transferred outside of the United Kingdom, the European Union, and/or the European Economic Area for the purpose of providing interpretations or administration of this service. NAVEX is committed to maintaining compliance with applicable data protection requirements and adheres to applicable privacy and security practices. For the purpose of processing and investigating your report and subject to the provisions of local law, the personal data and information you provide may be accessed, processed and used by the relevant personnel of Elastic, including Human Resources, Finance, Internal Audit, Legal, Compliance, management, external advisors (e.g. legal advisors), or, in limited circumstances, by technical staff at NAVEX. Those individuals may be located in the United States or elsewhere.

Personal data and information you provide may also be disclosed to the police and/or other enforcement or regulatory authorities. The relevant bodies that receive and process personal data can be located in the US or in another country that may not provide the level of data protection available in the EU or other jurisdictions with more stringent data protection laws.

The personal data you provide will be kept as long as necessary to process your report, or, if applicable, as long as necessary to initiate sanctions or to meet Elastic’s legal or financial needs.

5. Accessing information concerning the report

Elastic will timely notify any person who is the subject of a report to this service, except where notice needs to be delayed to ensure the integrity of the investigation and preservation of relevant information. Further, you have the right to request access, correction, or erasure of personal data or to object to the processing or receive a copy of the personal data held through this service. Any such request should be directed to Elastic. You also have the right to lodge a complaint with the relevant supervisory authority.

In some cases, the subject of the report may access information concerning the report, including the source from which the report originates (with the exception of the identity of the reporter), and request correction of personal data that is inaccurate or incomplete in accordance with applicable law. To make any such corrections, please contact the General Counsel or the Chief Ethics & Compliance Officer of Elastic.

6. Special country regulations

Throughout much of the European Union and surrounding areas, reports can only be made relating to limited topics, typically accounting, auditing, bribery, competition law, discrimination and harassment and environment, health, hygiene, and safety matters. Further, some countries restrict reports such that only employees in key or management functions may be the subject of a report.

Any issues or concerns relating to topics not permitted by law to be reported via this service should be reported directly to your Manager or Supervisor or a representative of the Human Resources, Legal or Corporate Compliance Departments as appropriate for the subject matter of the possible violation. In some countries, anonymous reports may not be permitted under the law except under extremely restrictive circumstances.

7. Elastic’s Privacy Policy

For more information on processing of personal data by Elastic please see also Elastic’s General Privacy Policy at https://www.elastic.co/legal/privacy-statement