CEO Message Overview Team Members Customers Community Environment Supply Chain Governance SASB Index 43 Tractor Supply 2021 Sustainability Report Political Contributions Our Political Contributions Policy prohibits political contributions to federal, state and local election campaigns from Tractor Supply funds. We pay membership dues to, and makes contributions to, certain trade and industry associations. Membership dues and contributions in excess of $1,000 must be approved by the CEO. We also prepare a semi-annual report on our dues and contributions to industry and trade associations. The report is presented to the Corporate Governance and Nominating Committee and is also posted on our website . Customer Privacy and Data Security Tractor Supply’s legendary customer service depends on technology, so we manage the technology risks arising from threats to our data and systems and vulnerabilities in technology. Following a modern standards-based framework, our Information Security team analyzes and addresses technology risk throughout the retail value chain, and residual risk is reviewed regularly. We evaluate the risk of service providers and suppliers to minimize business disruption so we can be a dependable supplier to our customers. Our IT governance procedures ensure our policies and procedures are accurate, up-to-date and consistent. We regularly train our Team Members, so they know their role in protecting our customers and our company. We conduct risk assessments for service engagement, including but not limited to third-party support, vendor connectivity and systems handling sensitive data. These risk assessments look at operational procedures, management processes, structure of products, Team Member training and use of technology. They are assessed, validated and tested using industry-standard toolsets. Risks identified during any of these processes are documented, reviewed and approved by senior leadership. Risks are catalogued and reviewed annually. Risks presenting a potential material impact to the company are reported as required by relevant laws and regulations. The Audit Committee maintains oversight of our cybersecurity risk through regular updates from management, including the status of ongoing projects to strengthen our efforts against cybersecurity events. The Audit Committee reviews risks relevant to cybersecurity and existing controls are in place to mitigate the risk of cybersecurity incidents. Additionally, in conjunction with our enterprise risk management process, management maintains an information and operation technology risk management program that analyzes emerging cybersecurity threats and the company’s plans and strategies to address the related risks. Each year, we engage third-party experts to assess compliance with the PCI-DSS standard, for which we most recently received an attestation of compliance in October 2021. We also conduct a biennial independent security program audit. The most recently completed audit, from May 2021, audited our program against the NIST Cybersecurity Framework. For the first time, this audit included an evaluation of our cloud security posture. We also have an established security awareness program that includes mandatory annual training for Team Members with access to company email as well as periodic testing to help ensure the training is effective. We provide phishing simulation training to Team Members throughout the year. We have a defined incident management and event monitoring program to continuously address threats to the environment and follow a structured plan to report issues of concern, ensure compliance with regulatory requirements and consider opportunities for improvement. With respect to internal reporting and escalation protocols, incident severity levels are defined with applicable reporting steps, including reporting to executive leadership and the Board. We also have a detailed Privacy Policy posted on our website that provides customers with information about what information we collect, why we collect it, how we use it and under which circumstances we share it with third parties, along with how we manage the personal information provided to us by customers.