CGI Federal's data privacy policy

Name	Provider	Purpose	Expiry	Type
JSESSIONID	NewRelic	General purpose platform session cookie, used by sites written in JSP. Usually used to maintain an anonymous user session by the server.	Session	First party
__cfruid	HubSpot	This cookie is set by HubSpot’s CDN provider because of their rate limiting policies.	Session	First party
hs-membership-csrf	HubSpot	This cookie is used to ensure that content membership logins cannot be forged. It contains a random string of letters and numbers used to verify that a membership login is authentic.	Session	First party
__cf_bm	CloudFlare	This cookie is used to distinguish between humans and bots. This is beneficial for the website, in order to make valid reports on the use of their website.	30 Minutes	First party
cookie-agreed	www.cgi.com	Stores the user's cookie consent state for the current domain	23 Days	First party
AKA_A2	Akamai	This cookie is generally provided by Akamai and is used for the Advanced Acceleration feature, which enables DNS Prefetch and HTTP2 Push.	1 Hour	First party

Name	Provider	Purpose	Expiry	Type
hs-messages-is-open	HubSpot	This cookie is used to determine and save whether the chat widget is open for future visits. It is set in your visitor's browser when they start a new chat, and resets to re-close the widget after 30 minutes of inactivity. If your visitor manually closes the chat widget, it will prevent the widget from re-opening on subsequent page loads in that browser session for 30 minutes. It contains a boolean value of True if present.	30 Mins	Third party
__hsmem	HubSpot	This cookie is set when visitors log in to a HubSpot-hosted site. It contains encrypted data that identifies the membership user when they are currently logged in.	7 Days	Third party
starlight	www.cgi.com	In specific parts of our website, we have disclaimer flags with buttons to accept or reject the disclaimer. If user accepts the disclaimer, then this cookie stores the information about the fact that a visitor has accepted the disclaimer	365 Days	First party
player	Vimeo	This cookie saves your settings before you play an embedded Vimeo video. This means that the next time you watch a Vimeo video, you will get your preferred settings back.	365 Days	Third party
hs_ab_test	HubSpot	This cookie is used to consistently serve visitors the same version of an A/B test page they’ve seen before. It contains the id of the A/B test page and the id of the variation that was chosen for the visitor.	Session	Third party
_cfuvid	CloudFlare	This cookie is a part of the services provided by Cloudflare - Including load-balancing, deliverance of website content and serving DNS connection for website operators	Session	Third party
lang	LinkedIn	This domain is owned by LinkedIn, the business networking platform. It typically acts as a third party host where website owners have placed one of its content sharing buttons in their pages, although its content and services can be embedded in other ways. Although such buttons add functionality to the website they are on, cookies are set regardless of whether or not the visitor has an active LinkedIn profile, or agreed to their terms and conditions. For this reason it is classified as a primarily tracking/targeting domain.	Session	Third party
WFESessionId	Microsoft Azure	This cookie is necessary to enable a Power BI session, a Microsoft tool that helps visualize data.	Session	Third party
YSC	Youtube	YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites.	Session	Third party
<id>_key	HubSpot	When visiting a password-protected page, this cookie is set so future visits to the page from the same browser do not require login again. The cookie name is unique for each password-protected page. It contains an encrypted version of the password so future visits to the page will not require the password again.	14 Days	Third party
s_cc	Adobe Analytics	Used to determine if cookies are enabled for Adobe Analytics	Session	Third party
__hs_opt_out	HubSpot	This cookie is used by the opt-in privacy policy to remember not to ask the visitor to accept cookies again. This cookie is set when you give visitors the choice to opt out of cookies. It contains the string "yes" or "no".	6 Months	Third party
__hs_do_not_track	HubSpot	This cookie can be set to prevent the tracking code from sending any information to HubSpot. It contains the string "yes".	6 Months	Third party
_GRECAPTCHA	Google reCAPTCHA	This cookie is set by Google reCAPTCHA, which protects our site against spam enquiries on contact forms.	6 Months	Third party
hs_langswitcher_choice	HubSpot	This cookie is used to save a visitor’s selected language choice when viewing pages in multiple languages. It is set when a visitor selects a language from the language switcher and is used as a language preference to redirect them to sites in their chosen language in the future if they are available. It contains a colon delimited string with the ISO639 language code choice on the left and the top level private domain it applies to on the right. An example will be "EN-US:hubspot.com".	2 Years	Third party
cookieValue	www.cgi.com	This cookie used for the disclaimer acceptance flag.	1 Day	First party
__hs_cookie_cat_pref	HubSpot	This cookie is used to record the categories a visitor consented to. It contains data on the consented categories.	6 Months	Third party
ARRAffinitySameSite	Microsoft Azure	ARRAffinitySameSite is for Azure Web Sites for load balancing our application. This cookie is used to distribute traffic to the website on several servers in order to optimize response times.	Session	Third party
__hs_initial_opt_in	HubSpot	This cookie is used to prevent the banner from always displaying when visitors are browsing in strict mode. It contains the string "yes" or "no".	7 Days	Third party
language	www.cgi.com	This cookie remembers your preferred language based on your previous selections, allowing the website to present content in your chosen language without you having to manually select it each time you visit.	365 Days	First party
VISITOR_INFO1_LIVE	Youtube	This cookie is used as a unique identifier to track viewing of videos	365 Days	Third party
cookie-agreed-categories	www.cgi.com	Stores the user's cookie consent category states for the current domain	23 Days	First party
hs-messages-hide-welcome-message	HubSpot	This cookie is used to prevent the chat widget welcome message from appearing again for one day after it is dismissed. It contains a boolean value of True or False.	1 Day	Third party

Name	Provider	Purpose	Expiry	Type
_tr	Meta	This cookie is used to track your interactions with ads that are powered by Meta. It is stored for 30 days.	30 Days	Third party
tiktok_ads_id	Tiktok	This cookie is used to track your interactions with ads that are powered by TikTok. It is stored for 13 months.	13 Months	Third party
VID	LinkedIn	A visitor-related identifier for a LinkedIn microsite used to determine conversions for lead gen purposes.	1 Year	Third party
li_c_user	LinkedIn	This cookie is used to track your activity on websites that have the LinkedIn Pixel installed. It is stored for 1 year.	1 Year	Third party
_ga	Google Analytics	This cookie enables Google Analytics to distinguish one visitor from another in order to generate statistical website usage data. Each ‘_ga’ cookie is unique to the specific property, so it cannot be used to track a given user or browser across unrelated websites.	365 Days	First and third party
ms_ta*	Bing	These cookies are used to track your interactions with ads that are powered by Bing. They are stored for 1 year.	1 Year	Third party
__utmb	Google Analytics	This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour and measure site performance. This cookie determines new sessions and visits and expires after 30 minutes. The cookie is updated every time data is sent to Google Analytics. Any activity by a user within the 30 minute life span will count as a single visit, even if the user leaves and then returns to the site. A return after 30 minutes will count as a new visit, but a returning visitor.	365 Days	First party
s_ppv	Adobe	Used by Adobe Analytics to retain and fetch what percentage of a page was viewed	Session	Third party
tiktok_pixel	Tiktok	This cookie is used to track your activity on websites that have the TikTok Pixel installed. It is stored for 13 months.	13 Months	Third party
__hssc	HubSpot	This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.	30 Minutes	First party
gpy_pn	Adobe	Used to store and retrieve the previous page in Adobe Analytics.	6 Months	Third party
__utmc	Google Analytics	This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour and measure site performance. It is not used in most sites but is set to enable interoperability with the older version of Google Analytics code known as Urchin. In this older versions this was used in combination with the __utmb cookie to identify new sessions/visits for returning visitors. When used by Google Analytics this is always a Session cookie which is destroyed when the user closes their browser. Where it is seen as a Persistent cookie it is therefore likely to be a different technology setting the cookie.	365 Days	First party
s_tslv	Adobe	Used to retain and fetch time since the last visit in Adobe Analytics	6 Months	Third party
_ga_LC0YVRL587	Google Analytics	This is a pattern-type cookie set by Google Analytics, where the name element contains the unique identifier of the account or website to which it is associated. Used to store and count pageviews.	1 Year	First party
_gat	Google Analytics	This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 1 minute.	365 Days	First party
fr	Facebook	Contains browser and user unique ID combination, used for targeted advertising.	365 Days	Third party
sc_hit	SnapChat	This cookie is used to track your activity on websites that have the Snapchat Pixel installed. It is stored for 1 year.	13 Months	Third party
mf_[website-id]	Mouseflow	1st party cookie, session lifetime: A cookie for identifying the current session on a website	Session	First party
simpli.fi_visit	Simpli.fi	This cookie is used to track your visits to websites that have the Simpli.fi Pixel installed. It is stored for 30 days.	30 Days	Third party
s_pltp	Adobe	Provides page name value (URL) for use by Adobe Analytics	Session	Third party
s_tp	Adobe	Tracks percent of page viewed	2 Years	Third party
mf_user	Mouseflow	This cookie establishes whether the user is a returning or first-time visitor. This is done simply by a yes/no toggle and no further information about the user is stored. This cookie has a lifetime of 90 days.	3 Months	First party
__utmz	Google Analytics	This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour measure of site performance. This cookie identifies the source of traffic to the site - so Google Analytics can tell site owners where visitors came from when arriving on the site. The cookie has a life span of 6 months and is updated every time data is sent to Google Analytics.	365 Days	First party
s_plt	Adobe	Tracks the time that the previous page took to load	Session	Third party
vuid	Vimeo	This domain is owned by Vimeo. The main business activities are: Video Hosting / Sharing	365 Days	Third party
_fbp	Meta	This cookie is used to track your activity on websites that have the Meta Pixel installed. It is stored for 30 days.	30 Days	Third party
_gid	Google Analytics	Registers a unique ID that is used to generate statistical data on how the visitor uses the website. This cookie expires after 1 day.	1 Day	Third party
_hjid	Hotjar	This is a pattern-type cookie set by Google Analytics, where the name element contains the unique identifier of the account or website to which it is associated. It is a variation of the _gat cookie that is used to limit the amount of data that Google stores on high-traffic websites.	365 Days	First party
simpli.fi_id	Simpli.fi	This cookie is used to track your activity on websites that have the Simpli.fi Pixel installed. It is stored for 30 days.	30 Days	Third party
gpv_pn	Adobe	This cookie gathers data for analyzing the visitor's use of the website including activity tracking, page visits and links clicked	2 Hours	Third party
_gat_UA-114077998-1	Google Analytics	This is a pattern-type cookie set by Google Analytics, where the name element contains the unique identifier of the account or website to which it is associated. It is a variation of the _gat cookie that is used to limit the amount of data that Google stores on high-traffic websites.	365 Days	First party
appcast_job_ad	Appcast	This cookie is used to track your interactions with job ads that are powered by Appcast. It is stored for 30 days.	30 Days	Third party
appcast_visitor	Appcast	This cookie is used to track your visits to the Appcast website. It is stored for 30 days.	30 Days	Third party
li_cs	LinkedIn	This cookie is used to track your interactions with ads that are powered by LinkedIn. It is stored for 1 year.	1 Year	Third party
RT	Boomerang	It measures page load time, or other timers associated with the page.	365 Days	First party
_ga	HubSpot	This cookie records a unique identification which is used to generate statistical data about how the visitor uses the Website.	Session	First party
AnalyticsSyncHistory	LinkedIn	Used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries	30 Days	Third party
ai_session	Microsoft Azure	This cookie name is associated with the Microsoft Application Insights software, which collects statistical usage and telemetry information for apps built on the Azure cloud platform. This is a unique anonymous session identifier cookie. The main purpose of this cookie is: Performance	Session	First party
__utma	Google Analytics	This is one of the four main cookies set by the Google Analytics service which enables website owners to track visitor behaviour and measure site performance. This cookie lasts for 2 years by default and distinguishes between users and sessions. It it used to calculate new and returning visitor statistics. The cookie is updated every time data is sent to Google Analytics. The lifespan of the cookie can be customised by website owners.	365 Days	First party
__hstc	HubSpot	The main cookie for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).	6 Months	First party
ai_user	Microsoft Azure	This cookie name is associated with the Microsoft Application Insights software, which collects statistical usage and telemetry information for apps built on the Azure cloud platform. This is a unique user identifier cookie enabling counting of the number of users accessing the application over time. The main purpose of this cookie is: Performance	1 Year	First party
_gclxxxx	Google Analytics	This is the Google conversion tracking cookie. It allows to count visits and traffic sources, so we can measure and improve the performance of our site.	365 Days	First party
aam_uuid	Adobe	Set for ID sync for Adobe Audience Manager	30 Days	Third party
_gid	Google Analytics	This cookie name is associated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited.	365 Days	First and third party
ms_u*	Bing	These cookies are used to track your activity on websites that have the Bing Pixel installed. They are stored for 1 year.	1 Year	Third party
lms_analytics	LinkedIn	Used to identify LinkedIn Members in the Designated Countries for analytics	30 Days	Third party
__utmt	Google Analytics	This cookie is set by Google Analytics. According to their documentation it is used to throttle the request rate for the service - limiting the collection of data on high traffic sites. It expires after 10 minutes	365 Days	First party
appcast_session	Appcast	This cookie is used to track your session on the Appcast website. It is deleted when you close your browser.	30 Days	Third party
__hssrc	HubSpot	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session. It contains the value "1" when present.	Session	First party
hubspotutk	HubSpot	This cookie enables us to deliver the service and or response that individuals needs and expects from us, in a seamless manner	6 Months	First party
mf_user	Mouseflow	1st party cookie, persistent: A cookie for checking if the user is new or returning	90 Days	First party
s_ips	Adobe	Tracks percent of page viewed	Session	Third party
__hjSessionUser_204526	HubSpot	Hotjar cookie that is set when a user first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.	Session	First party
_gat_UA-nnnnnnn-nn	Google Analytics	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.	365 Days	First party
_gat_UA-399437-1	Google Analytics	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.	365 Days	First party
sc_gpt	SnapChat	This cookie is used to track your interactions with ads that are powered by Snapchat. It is stored for 1 year.	13 Months	Third party

Name	Provider	Purpose	Expiry	Type
sp_t	Spotify	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.	364 Days	Third party
bcookie	LinkedIn	Browser Identifier cookie to uniquely identify devices accessing LinkedIn to detect abuse on the platform.	365 Days	Third party
dpm	Adobe marketing cloud	The cookie is used for targeted advertising and marketing. Domain is owned by Adobe Audience Manager.	365 Days	Third party
NID	Google Ads Optimization	This is a Google cookie that allows a company, such as CGI, to target advertising to users who have signed out of their service. A cookie allows CGI to show you useful content on Google services. By accepting marketing cookies, you authorize Google to process your information. You can also influence your own information or withdraw your consent in the Google services settings or by modifying your cookie settings from this cookie manager (link at the bottom of the page). Learn more: https://policies.google.com/technologies/cookies	365 Days	Third party
lissc	LinkedIn	Used by the social networking service LinkedIn for tracking the use of embedded services.	365 Days	Third party
UserMatchHistory	LinkedIn	This domain is owned by LinkedIn, the business networking platform. It typically acts as a third party host where website owners have placed one of its content sharing buttons in their pages, although its content and services can be embedded in other ways. Although such buttons add functionality to the website they are on, cookies are set regardless of whether or not the visitor has an active LinkedIn profile, or agreed to their terms and conditions. For this reason it is classified as a primarily tracking/targeting domain.	365 Days	Third party
_gcl_au	HubSpot	Google Adsense to store and track conversions.	89 Days	Third party
c	Cision	This domain is owned by IPONWEB and is used to provide a real time bidding platform for online advertising.	184 Days	Third party
_gcl_au	Google Adsense	Used through Google Analytics to understand user interaction with the site and advertising	3 Months	Third party
_fbp	Facebook	Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers	365 Days	Third party
IDE	Google DoubleClick	This cookie, used by Google DoubleClick, helps measure the effectiveness of ads and delivers targeted ads to users. It tracks actions after viewing or clicking an ad to improve user experience, with a focus on ad preferences.	2 Years	Third party
lidc	LinkedIn	This domain is owned by LinkedIn, the business networking platform. This cookies is used to facilitate data center selection.	365 Days	Third party
ln_or	LinkedIn	Used to determine if Oribi analytics can be carried out on a specific domain	1 Day	Third party
uuid	MediaMath	MediaMath uses cookies to help recognize a computer or device so that they can deliver relevant advertising to you, measure the impact of that advertising and better understand and recognize digital media usage patterns.	13 Months	Third party
_cc_aud	Lotame	We use this cookie to target advertising that is appropriate for you through the Adform service. This domain is owned by Lotame. The cookie can be used to collect the following information: Cookie ID, Mobile Advertising ID, Partner ID, browser and device information, IP address and analytics information about the functionality of advertising. By accepting cookies, you allow Adform and Lotame to process your cookie information. You can influence the processing of your information by contacting dpo@adform.com or modifying your cookie settings.	365 Days	Third party
AMCVS_*	Adobe experience cloud	Indicates the start of a session for Adobe Experience Cloud	Session	Third party
c_user	Facebook	The c_user cookie contains the user ID of the currently logged in user. The lifetime of this cookie is dependent on the status of the ‘keep me logged in’ checkbox. If the ‘keep me logged in’ checkbox is set, the cookie expires after 90 days of inactivity. If the ‘keep me logged in’ checkbox is not set, the cookie is a session cookie and will therefore be cleared when the browser exits.	3 Months	Third party
bscookie	LinkedIn	This cookie is used for remembering that a logged in user is verified by two factor authentication and has previously logged in.	365 Days	Third party
_fbp	HubSpot	Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers	3 Months	Third party
lms_ads	LinkedIn	Used to identify LinkedIn Members off LinkedIn in the Designated Countries for advertising	30 Days	Third party
AMCV_*	Adobe experience cloud	Unique Identifier for Adobe Experience Cloud	180 Days	Third party
datr	Facebook	The purpose of the Datr cookie is to identify the web browser used to connect to Facebook, regardless of the logged in user. This cookie plays a key role in Facebook's security and site integrity functions.	2 Years	Third party
sb	Facebook	Facebook – Allows Facebook to recover your account in the event that you forget your password, or to require additional authentication if you tell us that your account has been hacked.”sb” and “dbln” cookies enable Facebook to identify your browser securely.	2 Years	Third party
RUL	Google DoubleClick	Used by Google DoubleClick to determine whether website advertisement has been properly displayed.	1 Year	Third party
personalization_id	X	This cookie is set due to X integration and sharing capabilities for the social media.	2 Years	Third party
GPS	Youtube	YouTube is a Google owned platform for hosting and sharing videos. YouTube collects user data through videos embedded in websites, which is aggregated with profile data from other Google services in order to display targeted advertising to web visitors across a broad range of their own and other websites.	365 Days	Third party
liap	LinkedIn	This cookie locates LinkedIn functionalities in the page and share the Website information on social networks.	1 Year	Third party
demdex	Adobe marketing cloud	This cookie helps Adobe Audience Manger perform basic functions such as visitor identification, ID synchronization, segmentation, modeling and reporting	365 Days	Third party
A3	Yahoo	This domain is owned by Yahoo, whose principal business is Search and Advertising Services.	365 Days	Third party
_gcl_aw	Google Adsense	to provide ad delivery or retargeting.	90 Days	Third party
sp_landing	Spotify	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.	23 Days	Third party
li_sugr	LinkedIn	Used to make a probabilistic match of a user's identity outside the Designated Countries	90 Days	Third party
_kuid_	Salesforce.com	We use this cookie to target advertising that is appropriate for you online. This domain is owned by the Krux Digital.	365 Days	Third party
xs	Facebook	Session cookies are c_user and xs. c_user stores the username and the xs session secret, these two cookies together determine whether the user is logged in or not.	3 Months	Third party
_guid	LinkedIn	Used to identify a LinkedIn Member for advertising through Google Ads	90 Days	Third party

Purpose

CGI Federal protects the personal data that we handle and works closely with our clients and third-party suppliers to address the challenges of the evolving data protection regulatory landscape.

CGI Federal maintains this Data Privacy Policy1 detailing our privacy principles, standards, requirements, and how we protect all personal data as part of our operations, whether we process personal data for our own purposes or for the needs of our clients. Key terms for this policy are defined in Appendix 1.

Principles

As a global IT and business consulting services organization, CGI Federal is committed to maintaining levels of protection of personal data aligned to best practices, the applicable data protection legislation, and CGI Federal’s contractual obligations. CGI Federal and its wholly owned subsidiaries have adopted and follow the principles and practices included in this policy.

CGI Federal collects and/or uses personal data for its own needs. CGI Federal may also handle personal data on behalf of and upon instructions of a client, including the technical and organizational measures required to prevent accidental or unlawful destruction, loss, alteration, disclosure, or access to the personal data. any commitment regarding these responsibilities and measures must be expressly reflected in any agreements entered between CGI Federal and our clients.

CGI Federal’s value proposition includes data protection and data risk exposure prevention. CGI Federal guides and assists its clients on how to manage and protect their personal data to meet compliance requirements. Upon a client’s instructions, CGI Federal will implement effective security measures to safeguard the personal data and avert data breaches.

Scope and Compliance

This Data Privacy Policy is an integral part of CGI Federal’s commitment to protect CGI Federal and client data and is based on CGI’s foundational principles. This policy applies to all CGI Federal legal entities and employees (i.e., Federal CGI Partners 2) regardless of their location, as well as third-party suppliers engaged by CGI Federal. To the extent permitted by law, any violation of this Data Privacy Policy may result in administrative and/or disciplinary action by CGI Federal (including monetary penalties, suspension, or termination).

CGI Federal is a wholly owned subsidiary of CGI, but for operational reasons maintains a separate data privacy policy. CGI Federal adheres to other CGI policies unless specifically disclaimed.
For the purposes of this document, the term Federal CGI Partner includes both Federal CGI Partners and CGI Federal subcontractors with access to CGI Federal assets, resources, and data or access to client-managed assets, resources, and data unless otherwise specified.

Federal CGI Partners acknowledge these requirements and annually confirm acceptance of this Data Privacy Policy consistent with the data privacy and confidentiality requirements in the CGI Federal Standards of Ethics and Business Conduct. In addition to this Data Privacy Policy, Federal CGI Partners must also comply with other applicable confidentiality and privacy obligations, including those set out in applicable data protection legislation, their employment agreements, and/or client instructions.

Any third-party supplier that processes personal data on CGI Federal’s behalf is required to implement appropriate technical and organizational measures to ensure compliance with the principles and requirements of this Data Privacy Policy. When CGI Federal processes personal data on behalf of a client, any contractual commitments, or other obligations of CGI Federal towards its client need to be passed down to all engaged third-party suppliers. Any commitment or obligation must be expressly reflected in agreements entered between CGI Federal and third-party suppliers.

Which Personal Data Categories Does CGI Federal Process as Part of Its Operations?

Subject to applicable data protection legislation, CGI Federal and any third-party supplier may process the following non-exhaustive list of personal data categories.

Demographics & Private Life Information
- (e.g., age, gender, physical traits, date of birth, home address, marital status, memberships, preferences, interests)
Location, Login, Traffic, & Tracking
- (e.g., IP address, browser fingerprint, logs)
Economic & Financial
- (e.g., account number, financial health, shares, tax status, salary, financial transactions)
Sensitive Personal Data
- (e.g., Social Security Number, biometrics, health information, driver’s license number, passport number)
Professional Life & Business Information
- (e.g., employer, department, job title, employment history, performances, interviews, degrees and certifications, billing, delivery address)
Identity & Contact Information
- (e.g., name, email address, telephone number, mobile device IDs, photo, national ID)

These categories of personal data relate to the following non-exhaustive list of individuals:

Employment candidates, trainees, and students
Federal CGI Partners and former employees and their relatives
Clients’ employees and former employees and their relatives
Clients’ patients, customers, or citizens
Prospective clients’ employees and customers
Visitors of CGI Federal websites
Shareholders
Third-party suppliers’ employees and freelancers

More detailed information will be available in the relevant privacy information notices.

With Whom Does CGI Federal Share Your Personal Data?

As part of its operations, CGI Federal may disclose personal data to CGI legal entities, clients and prospects, third-party suppliers, and/or other third parties (including banks and financial advisors, external advisors, and auditors), as well as administrative, judicial, or governmental authorities, state agencies, or public bodies in accordance with applicable data protection legislation. CGI Federal never sells Federal CGI Partners’ personal data. CGI Federal shares Federal CGI Partners’ personal data with other CGI legal entities, staff representatives, CGI Federal clients/prospects, CGI Federal’s third-party suppliers, and/or public authorities where legally required and in compliance with applicable laws.

How Does CGI Federal Protect Personal Data Processed for Its Own Needs?

CGI Federal is responsible for protecting any persona; data handled as part of its operations.

As a result, Federal CGI Partners comply with the following core principles:

01 Transparency, Fairness and Lawfulness: Personal data is processed lawfully, fairly, and in a transparent manner in relation to the individual, in accordance with the requirements of this Data Privacy Policy. CGI Federal provides detailed data processing information to relevant individuals, in an easily understandable and accessible format, through privacy information notices.
02 Purpose Limitation: Any processing of personal data is preceded by the identification of the specific purpose for such processing, which must be explicit and legitimate and in line with what would reasonably be expected by an individual.
3 Data Minimization: Personal data is only collected and used to the extent required to accomplish the purpose for which it is processed. Personal data must be adequate, relevant, and limited to what is strictly necessary in relation to such purpose.
04 Accuracy: Collected personal data must remain accurate and up to date. Reasonable steps must be taken to ensure that any inaccurate personal data is erased or rectified without delay including through self-service options for individuals. Adequate means must be provided to individuals to inform CGI Federal of any change to their personal data.
05 Storage Limitation: Personal data must not be kept for longer than strictly necessary to achieve the purpose for which it is collected. Consequently, CGI Federal follows data retention requirements in the CGI Federal Records Retention Policy.
06 Integrity and Confidentiality: Appropriate technical and organizational measures, as prescribed in CGI’s Enterprise Security Management Framework (ESMF), must be implemented to guard against unlawful access and/or processing of personal data.

On Which Legal Basis Does CGI Federal Process Personal Data for Its Own Needs?

Most commonly, CGI Federal may process personal data in the following circumstances:

When CGI Federal needs to comply with a legal obligation.
When it is necessary for the execution of a contract with an individual.
When CGI Federal has a legitimate interest in doing so as part of its operations.

*There can be some occasions where it becomes necessary for CGI Federal to process personal data to protect individuals' interests or with the prior consent of the individuals.*

Sensitive Personal Data Processed for CGI’s Own Needs

CGI Federal will not Process Sensitive personal data unless one of the following conditions is met:

The individual has given their prior consent, or
The processing is required for the purposes of carrying out the obligations and exercising specific rights of CGI Federal or of the individual in the field of employment, social security and social protection law, or
If the individual is not able to give their consent (e.g., for medical reasons), the processing is necessary to protect the vital interests of the individual or another person, or
The processing is required in the context of preventive medicine or medical diagnosis by a health professional under local legislation, or
The individual has already manifestly placed the relevant sensitive personal data in the public domain, or
The processing is essential for the purpose of establishing, exercising, or defending legal claims, unless the individual has an overriding legitimate interest in ensuring that such sensitive personal data is not processed, or
The processing is explicitly permitted by local legislation, or

How Does CGI Federal Protect Clients’ Personal Data?

When CGI Federal posses clients' personal data, CGI Federal ensures that personal data is processed for the client's sole expressed purposes, and according to the client's written instructions, including in respect of duration, set out in the terms and conditions agreed between CGI Federal and the client.

The client remains solely responsible for ensuring that there is a valid legal basis for the processing performed by CGI Federal and that the instructions given to CGI Federal in respect of the processing comply with applicable data protection legislation, including the retention period to be applied. Nonetheless, CGI Federal will promptly inform the client if, in its opinion, any such instructions conflict with applicable data protection legislation.

Unless otherwise instructed by the client, CGI Federal will apply (at a minimum) CGI’s security baseline as prescribed in CGI’s Enterprise Security Management Framework (ESMF). Any deviation to this baseline requires relevant risk reviews and the approval of CGI Federal’s Privacy and Security teams.

CGI Federal will, subject to financial, technical, and organizational conditions agreed in writing, provide reasonable assistance to the client to support it in undertaking its obligations under applicable data protection legislation.

Privacy by Design and Privacy by Default

To ensure that the principles defined in this Data Privacy Policy are effectively considered when CGI Federal processes personal data, CGI Federal will identify and address data protection constraints at the beginning of any new internal project or client opportunity so that the principles contained herein are reflected in the design of the project and appropriately implemented. CGI Federal has therefore implemented data privacy and security review processes and several frameworks (e.g., Responsible Use of Data, Responsible Use of Artificial Intelligence and Responsible Use of Cloud Technology) applicable to all CGI Federal internal projects and client opportunities involving the processing of personal data and assisting each relevant Federal CGI Partner in analyzing and addressing data privacy risks.

The CGI Federal Privacy organization reviews and approves the privacy aspects of proposals and/or services developed for clients, as well as of any CGI Federal Intellectual Property or new internal project. The Federal CGI Partner responsible for the solution, service, and/or project retains evidence of compliance with CGI Federal Privacy organization approval requirements.

What Are the Rights of Individuals and How Can They Be Exercised?

Rights of individuals over their personal data differ among states and other countries. CGI Federal acts in accordance with applicable data protection legislation.

Depending on jurisdictions, applicable data protection legislation may provide individuals with the following rights:

Have access to their personal data and the information on how it is processed,
Request the rectification or deletion of any inaccurate or incomplete personal data relating to them,
Revoke consent or object on legitimate grounds to the processing of their personal data, unless such processing is imposed by law,
Request restrictions to the processing where the personal data is no longer accurate or necessary, or the processing is unlawful,
Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects the individuals,
Receive their personal data in a structured, commonly used, and machine-readable format, and
Appoint an individual to exercise their rights upon their death or incapacity.

Individuals who wish to exercise these rights and/or obtain information on the processing of their personal data may send a request as set out in the Questions, Requests, and Recourses section below.

When CGI Federal processes personal data for its own needs: CGI Federal communicates any rectification or deletion of personal data or restriction of processing carried out in accordance with applicable data protection legislation to each recipient to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort. CGI Federal ensures that it handles requests without undue delay in accordance with CGI Federal’s individual rights request process.

When CGI Federal processes clients’ personal data: If CGI Federal receives a complaint or request from individuals wishing to exercise their rights, CGI Federal will promptly communicate all relevant information to the client and will expressly indicate to the individual that it is the client’s responsibility to handle such complaint or request. CGI Federal is only responsible for handling complaints or requests in accordance with the client’s instructions.

How Does CGI Federal Manage Personal Data Breaches?

CGI Federal has a mature, standards-based security incident response and management process designed to handle all phases of a security incident, including incidents with privacy impacts. Federal CGI Partners' responsibilities are clearly defined at all levels. Incident assessment and prioritization standards are followed to ensure appropriate engagement levels and timely resolution.

Incident records are maintained and reported to CGI Federal’s senior management as required. All incidents are managed through CGI Federal’s 24x7 Security Operations Center (SOC), where highly trained, full-time incident response professionals coordinate response efforts. CGI Federal’s Privacy organization is immediately engaged in the incident management process whenever personal data is suspected or known to be involved.

If CGI Federal reasonably believes that a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed has occurred, CGI Federal notifies the data controller (e.g., the client) and takes the appropriate remedial measures.

Similarly, in the event a personal data breach is identified by a third-party supplier engaged by CGI Federal, the third-party supplier must inform CGI Federal as agreed upon in the relevant agreement and in accordance with applicable data protection legislation.

Communication and Training

CGI Federal continually promotes a data protection culture within its organization. CGI Federal provides an annual data privacy learning program, regularly updated to reflect technological and legislative changes. All CGI Federal leaders must ensure that the Federal CGI Partners reporting to them are aware of and adhere to this Data Privacy Policy.

Additional information may also be provided to Federal CGI Partners through several channels, including targeted Privacy briefings, webinars, and individual meetings.

*Trainings and communications provide Federal CGI Partners' awareness of the core principles in this Data Privacy Policy and associated best practices to help protect CGI Federal and its stakeholders against unauthorized access and improper handling of personal data.*

Audit

CGI Federal integrates into its business-wide internal audit program a review of its compliance with this Data Privacy Policy. The internal audit program defines:

A schedule under which audits will be carried out,
The expected scope of the audit, and
The team responsible for the audit.

The business-wide internal audit program includes verification at delivery, functional, and corporate levels. The audit programs may be revised on a regular basis. However, CGI Federal will perform internal audits on a regular basis through qualified audit teams. Such programs will be initiated by the relevant CGI Federal audit departments for each level.

The results of the audit will be communicated to the CGI Federal Privacy organization and resulting actions will be defined and prioritized, enabling the CGI Federal Privacy organization to determine a schedule for the implementation of corrective and preventive measures.

Clients may request access to the audit results subject to contractual obligations. Such communication is subject to a confidentiality agreement and audit results do not include any confidential information of other CGI Federal clients or CGI Federal internal business areas. Release of such results are subject to the approval of the CGI Federal Privacy organization and the CGI Federal Legal organization.

CGI and CGI Federal Privacy Organization

CGI has designated a Chief Privacy Officer (CPO) and a network of privacy business partners and records management specialists. The CGI Federal privacy business partner and records management specialists are members of the CGI Privacy organization, but for operational reasons, CGI Federal maintains separate data privacy and records management teams and adheres to the limited sharing and access requirements.

Updates to the CGI Federal Data Privacy Policy

This Data Privacy Policy is reviewed annually and may be amended, as necessary, and CGI Federal will issue relevant communications relating to such changes in due time.

Questions, Requests, and Recourses

Questions and Requests

In case of questions related to the interpretation or operation of this policy or requests related to your personal data processed by CGI, please send an email to privacy@cgifederal.com.

Independent Recourse Mechanism

If you are aware of any violation of this policy or misconduct related to Data Privacy, you should report your concerns to the CGI Federal’s Ethics Office or its Hotline. You can reach the CGI Federal Ethics Office at 703-227-4555 or by email at ethicsofficer@cgifederal.com.

You can reach the CGI Federal Ethics Hotline at 1-866-594-7369 or by visiting www.cgifederal.ethicspoint.com.

CGI Federal seeks to maintain strong relationships with data protection authorities and cooperate with them in any relevant matter, including any audit requests. CGI Federal will also carefully consider recommendations issued by competent data protection authorities in relation to personal data processing carried out by CGI Federal as part of its operations.

Policy Owner

CGI Federal Privacy Business Partner

Approving Authority

CGI Federal Legal

Policy Revisions

Policy Version: 1.0

Policy’s original effective date: February 1, 2025

Last revision effective date: February 1, 2025

Appendix 1. Privacy Glossary

For the purposes of this Data Privacy Policy, the following terms with associated definitions are used.

Applicable Data Protection Legislation: All laws that are applicable to the processing of personal data, including any applicable U.S. federal, state, or local legislation..
CGI Federal Legal Entities: All legal entities controlled directly or indirectly by CGI Federal, Inc. and its wholly owned subsidiaries.
Federal CGI Partner(s): Employee(s) of CGI Federal legal entities.
CPO: Chief Privacy Officer as detailed in the CGI and CGI Federal Privacy Organization section.
Data Controller: Any entity that determines the purposes and means of processing personal data. The client is the data controller when CGI Federal processes personal data on its behalf as part of a client project. CGI Federal may act as data controller when implementing for its own needs, a new internal solution processing personal data.
Data Processor: Any entity acting on behalf of and under instructions from a data controller. CGI Federal is a data processor when processing personal data on its clients’ behalf.
Local Legislation: All laws applicable in geographies where CGI Federal operates, including without limitation: data protection, security, employment, industry sectors, and consumers legislation.
Personal Data: Any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal data includes Sensitive personal data.
Process, Processing, or Processed: Any operation or set of operations performed on personal data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting (including remote access), using, disclosing by transmitting, disseminating, or otherwise making available, aligning, or combining, restricting, erasing, or destroying.
Sensitive Personal Data: Specific categories of personal data revealing racial or ethnic origin, political opinion, religious or philosophical beliefs, and the processing of genetic data and/or biometric data for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation, as well as criminal records.
Third-Party Supplier: Any third party engaged by CGI Federal or providing goods and/or services to CGI Federal, including suppliers, contractors, subcontractors, and freelancers.
Transfer: Sending of personal data to another CGI legal entity or any other party or making the personal data accessible by it, where the other CGI legal entity or party is not located in the same country, province, or geographical area, as detailed in Appendix 2 Transfer of Personal Data.

Appendix 2. Transfer of Personal Data

Any Transfer of personal data must take place in accordance with applicable data protection legislation and the provisions of this Appendix 2.

Transfer Within CGI

A CGI Federal legal entity involved in a transfer must ensure that appropriate technical and organizational measures commensurate with any processing risks are implemented in accordance with this Data Privacy Policy and CGI Federal’s security policies, processes, and standards. These appropriate technical and organizational measures must be agreed and set out in a data processing agreement or any equivalent.

Transfer to Third Parties

On a regular basis, CGI Federal conducts due diligence and third-party privacy and security risks assessments with third-party suppliers engaged by CGI Federal, to establish their corporate capabilities and maturity with respect to security and data protection.

Whenever CGI Federal relies on third-party suppliers to process personal data, CGI Federal ensures that such third-party suppliers provide an adequate level of protection to the personal data they process as per applicable data protection legislation.

AI without fear or favor

CGI Advantage® financial modernization platform launched by State of Iowa

CGI Advantage® financial modernization platform launched by State of Iowa

AI without fear or favor

Purpose

Principles

Scope and Compliance

Which Personal Data Categories Does CGI Federal Process as Part of Its Operations?

With Whom Does CGI Federal Share Your Personal Data?

How Does CGI Federal Protect Personal Data Processed for Its Own Needs?

On Which Legal Basis Does CGI Federal Process Personal Data for Its Own Needs?

Sensitive Personal Data Processed for CGI’s Own Needs

How Does CGI Federal Protect Clients’ Personal Data?

Privacy by Design and Privacy by Default

What Are the Rights of Individuals and How Can They Be Exercised?

How Does CGI Federal Manage Personal Data Breaches?

Communication and Training

Audit

CGI and CGI Federal Privacy Organization

Updates to the CGI Federal Data Privacy Policy

Questions, Requests, and Recourses

Questions and Requests

Independent Recourse Mechanism

Policy Owner

Approving Authority

Policy Revisions

Appendix 1. Privacy Glossary

Appendix 2. Transfer of Personal Data

Transfer Within CGI

Transfer to Third Parties

Insights you can act on

Company

Resource center

Support

Follow us

AI without fear or favor

CGI Advantage® financial modernization platform launched by State of Iowa

CGI Advantage® financial modernization platform launched by State of Iowa

AI without fear or favor

Purpose

Principles

Scope and Compliance

Which Personal Data Categories Does CGI Federal Process as Part of Its Operations?

With Whom Does CGI Federal Share Your Personal Data?

How Does CGI Federal Protect Personal Data Processed for Its Own Needs?

On Which Legal Basis Does CGI Federal Process Personal Data for Its Own Needs?

Sensitive Personal Data Processed for CGI’s Own Needs

How Does CGI Federal Protect Clients’ Personal Data?

Privacy by Design and Privacy by Default

What Are the Rights of Individuals and How Can They Be Exercised?

How Does CGI Federal Manage Personal Data Breaches?

Communication and Training

Audit

CGI and CGI Federal Privacy Organization

Updates to the CGI Federal Data Privacy Policy

Questions, Requests, and Recourses

Questions and Requests

Independent Recourse Mechanism

Policy Owner

Approving Authority

Policy Revisions

Appendix 1. Privacy Glossary

Appendix 2. Transfer of Personal Data

Transfer Within CGI

Transfer to Third Parties

Discover more about CGI

Keeping you informed