RESPONSIBLE BUSINESS PRACTICES Customer Data Privacy and Protection Our Privacy Policy provides further detail on the types of customer Casey’s is committed to respecting the privacy of its guests. information that is collected, and how that information is collected, Everyone who works with PII on behalf of Casey’s has a responsibility used, transmitted, stored and shared. For more information, please to understand and honor our privacy obligations. see our Privacy Policy on our website. We utilize industry-standard security measures to safeguard the Security Incident Response information we collect, maintain and use. These measures include We invest heavily to fortify our enterprise technology infrastructure technical and procedural steps to protect data from misuse, through a combination of securitized in-house data centers and unauthorized access, disclosure, loss, alteration or destruction. third-party cloud systems to holistically ensure data protection, Highlights of our protocols on data privacy and protection include: resiliency and redundancy. Casey’s IT department is responsible Use of customer data. We collect, share and use for all processes and procedures for computer security incident information from and about the users and visitors to our prevention, detection and response. The Company’s Incident website to manage relationships, to comply with legal Response Governance Team (IRGT) — a cross-functional internal obligations and/or because we have a legitimate business team supported by leading outside technical, legal and other interest to do so. experts — is responsible for coordinating remediation and response efforts in the event of a significant data security event. Among other Data minimization. Access to any personal information things, the IRGT holds regular tabletop exercises designed to refine we collect and store is generally restricted to those team the response and prepare all involved participants. During FY 2022, members and/or contractors who require it to perform a we had no material breaches involving PII. job or other function. We require vendors and contractors we work with to use reasonable, industry-standard protocols to maintain the confidentiality, security and integrity of our information. LEARN MORE Data retention. We take steps to ensure that the personal Casey’s Privacy Policy information we hold is retained only as long as necessary for the purpose for which it was collected. We apply criteria to determine the appropriate retention period for different categories of personal information. After this period, it is deleted to the extent reasonably possible and in compliance with our data retention policies. 21 Casey’s 2022 ESG Report