Security and Compliance – eMite

eMite Service Terms and Conditions for Security

This eMite Security Policy is incorporated by this reference into your eMite Service Terms and Conditions agreement with us and describes the contractual requirements for information security and data protection provided by us to you related to the provision of eMite Services that you have licensed from us. This eMite Security Policy is applicable to the extent that we have access and control over some Customer Data.

1 SECURITY PROGRAM

1.1 Security Standards. We have implemented and will maintain an information security program that follows generally accepted system security principles embodied in the ISO 27001 standard designed to protect Customer Data as appropriate to the nature and scope of the eMite Services provided.

1.2 Security Awareness and Training. We have developed and will maintain an information security and awareness program that is delivered to all employees and appropriate contractors at the time of hire or contract commencement and annually thereafter. The awareness program is delivered electronically and includes a testing aspect with minimum requirements to pass.

1.3 Policies and Procedures. We will maintain appropriate policies and procedures to support the information security program. Policies and procedures will be reviewed annually and updated as necessary.

1.4 Change Management. We will utilise a change management process based on industry standards to ensure that all changes to your environment are appropriately reviewed, tested, and approved.

1.5 Data Storage and Backup. We will create backups of critical Customer Data according to documented backup procedures. Customer Data will be stored and maintained solely on designated backup storage locations within the cloud services provided. Backup data will not be stored on portable media. Customer Data stored on backup media will be protected from unauthorized access

1.6 Anti-Virus and Anti-Malware Protection. We will utilise industry standard anti-virus and anti-malware protection solutions to ensure that all servers in Your Cloud Service environment are appropriately protected against malicious software such as trojan horses, viruses, and worms. We will use standard industry practice to ensure that the eMite Services as delivered to you does not include any program, routine, subroutine, or data (including malicious software or “malware,” viruses, worms, and Trojan Horses) that are designed to disrupt the proper operation of the eMite Services, or which, upon the occurrence of a certain event, the passage of time, or the taking of or failure to take any action, will cause the eMite Services to be destroyed,

damaged or rendered inoperable. You acknowledge that the use of license keys will not be a breach of this section.

1.7 Vulnerability and Patch Management. We will maintain a vulnerability management program that ensures compliance with the standards of our information security program.

1.8 Data Destruction. We and our subcontractors will follow industry standard processes to destroy obsolete data and retired equipment that formerly held Customer Data.

1.9 Penetration Testing. On at least an annual basis. We will conduct a vulnerability assessment and penetration testing engagement with an independent qualified vendor. Issues identified during the engagement will be appropriately addressed within a reasonable time-frame commensurate with the identified risk level of the issue. A cleansed version of the executive summary of the test results will be made available to you upon written request and will be subject to non-disclosure and confidentiality agreements.

2 NETWORK SECURITY

2.1 Network Controls. We will employ effective network security controls based on industry standards to ensure that Customer Data is segmented and isolated from other customer environments within the cloud or Data Center environments of the services offered. Controls include, but are not limited to:

(A) Firewall Services. We use firewall services to protect the eMite Services infrastructure. We maintain granular ingress and egress rules and changes must be approved through our change management system.

(B) Intrusion Detection/Protection System. We have implemented intrusion detection/protection systems across the eMite Services environments which may be either network based, host based or a combination of the two.

(C) No Wireless Networks. We will not use wireless networks within the Data Center environments.

(D) Data Connections between You and the eMite Services Environment. We use TLS, VPN and/or MPLS circuits to secure connections between browsers, client apps, and mobile apps to the eMite Services. Connections traversing an untrusted network (e.g. the Internet) will use TLS or IPSec protocols.

(E) Data Connections between eMite Services Environment and Third Parties. Transmission or exchange of Customer Data with you and any third parties authorized by you to receive the Customer Data will be conducted using secure methods (e.g. TLS, HTTPS, SFTP/SCP).

(F) Encryption Protection. We use industry standard methods to support encryption.

(G) Logging and Monitoring. We will log security events from the operating perspective for all servers providing the eMite Services to you. We will monitor and investigate events that may indicate a security incident or problem. Event records will be retained for at least three years.

3 USER ACCESS CONTROL

3.1 Access Control. We will implement appropriate access controls to ensure only authorized Users have access to Customer Data within the eMite Services environment.

3.2 Your User Access. You are responsible for managing User access controls within the application. You define the usernames, roles, and password characteristics (length, complexity, and expiration timeframe) for its users. You are entirely responsible for any failure by itself, its agents, contractors or employees (including without limitation all its users) to maintain the security of all usernames, passwords and other account information under its control. Except in the event of a security lapse caused by our gross negligence or wilful action or inaction, You are entirely responsible for all use of the eMite Services through your usernames and passwords whether or not authorized by you and all charges resulting from such use. You will immediately notify us if you become aware of any unauthorized use of the eMite Services.

3.3 Our User Access. We will create individual user accounts for each of our employees or contractors that have a business need to access Customer Data or your systems within the eMite Services environment. The following guidelines will be followed regarding our user account management:

(A) User accounts are requested and authorized by our management.

(B) Strong password controls are systematically enforced.

(C) Connections are required to be made via secure VPN using strong passwords that expire every three hundred and sixty five (365) days.

(D) Session time-outs are systematically enforced.

(E) User accounts are promptly disabled upon employee termination or role transfer, eliminating a valid business need for access.

4 BUSINESS CONTINUITY AND DISASTER RECOVERY

4.1 Disruption Protection. The eMite Services will be deployed and configured in a high-availability design and the eMite Services will be deployed across separate cloud based Data Centers to provide optimal availability of the eMite Services. The Data Center environment is physically separated from our corporate network environment so that a disruption event involving the corporate environment does not impact the availability of the eMite cloud Services.

4.2 Business Continuity. We will maintain a corporate business continuity plan designed to ensure that ongoing monitoring and support services will continue in the event of a disruption event involving the corporate environment.

4.3 Disaster Recovery. The eMite Services can be deployed in a high-availability, redundant design. For the eMite options using cloud based services and where high availability options have been requested and configured, a disruption event at a single Data Center will trigger a system fail-over to the back-up Data Center to minimize disruption to the eMite Services. For

these eMite Services, you are responsible for defining specific parameters regarding fail-over. With regard to the eMite Service, we employ an active-failover configuration but can do active-active options for additional costs.

5 SECURITY INCIDENT RESPONSE

5.1 Security Incident Response Program. We will maintain a Security Incident response program based on industry standards designed to identify and respond to suspected and actual Security Incidents involving Customer Data. The program will be reviewed, tested and, if necessary, updated on at least an annual basis. “Security Incident” means a confirmed event resulting in the unauthorized use, deletion, modification, disclosure, or access to Customer Data.

5.2 Notification. In the event of a Security Incident or other security event requiring notification under applicable law, We will notify You within thirty-six (36) hours and will reasonably cooperate so that you can make any required notifications relating to such event, unless We are specifically requested by law enforcement or a court order not to do so.

5.3 Notification Details. We will provide the following details regarding any Security Incidents to You: (i) date that the Security Incident was identified and confirmed; (ii) the nature and impact of the Security Incident; (iii) actions We have already taken; (iv) corrective measures to be taken; and (v) evaluation of alternatives and next steps.

5.4 Ongoing Communications. We will continue providing appropriate status reports to you regarding the resolution of the Security Incident, continually work in good faith to correct the Security Incident and to prevent future such Security Incidents. We will cooperate, as reasonably requested by you, to further investigate and resolve the Security Incident.

6 DATA CENTER PROTECTIONS

6.1 Data Center. We contract with third-party providers for Data Center space. Data Center providers and related services are reviewed on an annual basis to ensure that they continue to meet our needs and yours. Each Data Center provider maintains certification based on its independent business models. Security and compliance certifications and/or attestation reports for the Data Center(s) relevant to your eMite Services will be provided upon written request and may require additional non-disclosure agreements to be executed.

6.2 Physical Security. Each Data Center is housed within a secure and hardened facility with the following minimum physical security requirements: (a) secured and monitored points of entry; (b) surveillance cameras in facility; (c) on-site access validation with identity check; (d) access only to persons on an access list approved by us; (e) on-site network operations center staffed 24x7x365.

6.3 Environmental Controls. Each Data Center is equipped to provide redundant external electrical power sources, redundant uninterruptible power supplies, backup generator power and redundant temperature and humidity controls.

7 Use of the eMite Services

7.1 You will not, and will not permit or authorize others to, use the eMite Services for any of the following: (i) to violate applicable Law; (ii) to transmit Malicious Code; (iii) to transmit 911 or any emergency services (or reconfigure to support or provide such use); (iv) to interfere with, unreasonably burden, or disrupt the integrity or performance of the eMite Services or third-party data contained therein; (v) to attempt to gain unauthorized access to systems or networks; or (vi) to provide the eMite Services to non-User third parties, including, by resale, license, lend or lease.

7.2 You will use commercially reasonable efforts to prevent and/or block any prohibited use by Users.

7.3 You will maintain any reasonable, appropriate administrative, physical, and technical level of security regarding its account ID, password, antivirus and firewall protections, and connectivity with the eMite Services.

7.4 You shall maintain strict security over all VoIP Services lines. You acknowledge that we do not provide you the ability to reach 911 or other emergency services and you agree to inform any individuals who may be present where the eMite Services are used, or who use the eMite Services, of the non-availability of 911 or other emergency dialling.

7.5 If the eMite Services will be used to transmit or process Personal Data, You will ensure that all Personal Data is captured and used solely via the use of available Security Features.

7.6 Recordings. As between us and you, You acknowledge that use of Recordings is solely within your discretion and control. Without limiting the foregoing: (i) You accept sole responsibility for determining the method and manner of performing recording such that it is compliant with all applicable Laws and for instructing the services accordingly; and (ii) You shall ensure that Recordings shall be made only for diagnostic, quality assurance, archival, and/or Support purposes, and in any event only for purposes required and/or in compliance with, all applicable Laws. You will ensure that (a) Recordings will not knowingly include any bank account number, credit card number, authentication code, Social Security number or Personal Data, except as allowed or required by all applicable Laws; or (v) Recordings are encrypted at all times. To the extent Recordings are encrypted or where encryption is electable by you as part of the eMite Services, You shall elect such encryption. you shall not modify, disable, or circumvent the Recording encryption feature within the eMite Services and shall otherwise ensure that it will use the eMite Services in compliance with the encryption feature.

8. Audits.

Subject to our reasonable confidentiality and information security policies, you or a qualified third party chosen by you, shall have the right, not more than once a year and upon thirty (30) days’ written notice, to perform a security assessment of our compliance with the terms of this Schedule I, provided that you have demonstrated that you have a reasonable belief that we are not in compliance. During normal business hours, You or your authorized representatives may inspect our policies and practices implemented to comply with this Schedule I, which may include a site visit and a review of reasonable supporting documentation, provided that you agree that such right shall not include the right to on-site inspections or audits of our third-party hosting facilities and equipment. No such assessment shall violate our obligations of

confidentiality to customers or reveal our Intellectual Property. Any assessment performed pursuant to this section shall not interfere with the normal conduct of our business. We shall cooperate in a commercially reasonable manner with any such assessment and reserve the right to charge you for our reasonable costs incurred in connection with any such assessment.

9. PRIVACY

We have developed and will maintain a privacy program designed to respect and protect Customer Data under our control, and this is located at https://emite.com/privacy-policy/

10. CUSTOMER DATA

10.1 As between eMite and you, you retain ownership of and all intellectual property rights in Customer Data and grant us a non-exclusive, non-sublicensable (except to parties working on our behalf), non-transferable, royalty-free license to access, process, store, transmit, and otherwise make use of the Customer Data as necessary to provide the services and to otherwise fulfil our obligations under the Agreement.

10.2 You agree that the Customer Data may be transferred or stored outside the country where you and your customers are located in order to carry out the services and our other obligations under the Agreement and to support the customers application needs. In general we attempt to keep the customers systems and data in the same geolocation or country as the customers home operation.

10.3 You represent and warrant that you have obtained all consents necessary for us to collect, access, process, store, transmit, and otherwise use Customer Data in accordance with the Agreement.

10.4 You shall comply with all requirements of integrity, quality, legality and all other similar aspects in respect of Customer Data. We may, but are not obligated to, review or monitor any Customer Data. We expressly disclaim any duty to review or determine the legality, accuracy, or completeness of Customer Data.

10.5 We have developed and will maintain a privacy program designed to respect and protect Customer Data under our control. We will not rent or sell any Customer Data.

10.6 We may aggregate data and information related to the performance, operation and use of the Cloud Services to create statistical analyses, to perform benchmarking, to perform research and development and to perform other similar activities (“Service Improvements”). We will not incorporate Customer Data in Service Improvements in a form that could identify you or your customers and we will use industry standard techniques to anonymize Customer Data prior to performing service improvements. We retain all intellectual property rights in service improvements and may make them publicly available.