Topic SASB Code Requested Metric 2021 Response Data Security T C -T L-2 3 0 a .1 (1) Number of data breaches (2) Percentage involving personally identifiable information (PII) (3) Number of customers affected T-Mobile does not report these figures publicly, in part as the definition of “data breach” varies across laws and contract terms. We do provide public notice for those incidents where such notice is required by law. In unusual cases, we may provide additional information about an incident and our response. T C -T L-2 3 0 a . 2 Description of approach to identifying and addressing data security risks, including use of third-party cybersecurity standards We use administrative, technical, contractual, and physical safeguards designed to protect customer data while it is under our control. T-Mobile’s data security program also includes, among other items, a threat intelligence component, a supplier risk management component, a vulnerability and patch management component, and investigative tools such as digital loss prevention tools to identify and address data security risks. We utilize the National Institute of Standards and Technology (NIST) Cybersecurity Framework in designing that program and comply with applicable data security laws and standards in the context where they apply. Examples of such laws and standards include the Sarbanes-Oxley law on financial reports, FCC CPNI rules for certain telecommunications usage data, Payment Card Industry standards applicable to handling of payment card data, and the Cybersecurity Maturity Model Certification (CMMC) for certain federal service contracts. Product End-of-life Management T C -T L- 4 4 0 a .1 (1) Materials recovered through take- back programs Percentage of recovered materials that were (2) reused Percentage of recovered materials that were (3) recycled Percentage of recovered materials that were (4) landfilled T-Mobile is committed to giving customers a way to responsibly dispose of their devices and extend their product life. Through our Device Reuse and Recycling program, customers can trade in an eligible device for a credit toward a new one or they can bring in unused devices to our retail collection sites. Devices currently included in this program include phones, smartwatches, tablets, hotspots, and IoT items. Our Device Reuse and Recycling program complies with federal and state laws and gives consumers a way to properly and safely recycle these items. T-Mobile requires suppliers and partners that repair and recycle these devices to be certified to the industry-leading R2 standard which provides a common set of processes, safety measures, and documentation requirements. R2 is rigorously and independently audited, emphasizing quality, safety, and transparency, including any devices exported for refurbishment and recycling. In 2021, T-Mobile collected approximately 11.6 million devices (5,388 MT) through this take-back program. As of 12/31/21, approximately 90% were reused or resold to approved vendors for reuse, approximately 3% responsibly recycled by certified third-party facilities, and approximately 6% remained in inventory and are intended to be reused or recycled in 2022. SASB Index Continued 2021 CORPORATE RESPONSIBILITY REPORT OUR PEOPLE OUR GOVERNANCE OUR COMMUNITIES 90 OUR COMPANY THE ENVIRONMENT THE NUMBERS AND SMALL PRINT