1.     Backup, Disaster Recovery, Privacy and Data Security; Audit; Data Retention

1.1.          Backup. Unless otherwise set forth in the applicable Statement of Work, Company performs, or causes to be performed by its Subprocessor, an incremental backup of the Company System, including any Covered Data, on an hourly basis and full back up every twenty-four hours.

1.2.          Disaster Recovery. Company maintains a disaster recovery plan that provides for the restoration of the Software Services at an alternate location within 24 hours of a failure (“Disaster Recovery Plan”).

2.              Anti-Malware. Company employs industry-standard protection standards in respect of Malware and does not insert any Malware into any of Company’s products or services. “Malware” means any virus, Trojan horse, worm, logic bomb, drop-dead device, backdoor, shutdown mechanism or similar software, hardware, network or combination of any of the foregoing which is intended or designed to, is operable to, is likely to or has the effect of disabling, deleting, erasing, denying authorized access to, permitting unauthorized access to, repossessing, damaging, destroying, corrupting or otherwise affecting or interfering with the use of Company’s products or services, or Client’s systems, networks or software or any Information on or used in conjunction with any of the aforementioned. Notwithstanding the foregoing, in no event shall “Malware” include software used by or on behalf of Company for the purpose of managing, suspending, or terminating access to or use of the Software Services as permitted in the Agreement.


3.     Privacy and Data Security Program.

3.1.          Company implements and maintains security procedures and internal controls consistent with generally accepted industry practices designed to protect the confidentiality of Client Data and Client’s Confidential Information. Such procedures and controls include industry-standard encryption, such as the Transport Layer Security (“TLS”) protocol, to protect data transmissions to and from browsers/Company’s certification as compliant with the Standards for Attestation Engagements (SSAE) No. 16 SOC 2 Type II audits for controls at a service organization. Company does not, however, guarantee that unauthorized third parties will never be able to circumvent these measures or use such information for improper purposes.

3.2.          Company takes measures designed to protect the integrity, delivery, and security of any transmissions it initiates containing Client Data that identifies a natural person (“Personal Data”); however, Company assumes no liability for such information once transported onto a non-Company managed communication network, including, but not limited to, the Internet. The foregoing reasonable measures include the following:

3.2.1.             The maintenance of background check policies;

3.2.2.             Instituting a training and awareness program for the Company’s personnel; and

3.2.3.             Managing passwords used to access Company’s computing environment on which Personal Data is stored, including enforcing password complexity, requiring a password length of no less than 8 characters, utilizing expiring first-time log-in temporary passwords, instituting a ‘no less than 3 generation’ password reuse practice, requiring passwords to expire every 90 days, limiting failed attempts before account lockout, not allowing clear text on password entry, and a prohibition of password resets that are not subject to confirming credentials.


4.     Vulnerability, Penetration Tests and Code Scans.

4.1.          Company performs regular (no less than annually) vulnerability assessments and penetration testing of all critical application and network components that support Company’s provisioned Software Services or that access, transmit, hold, contain or store Personal Data.

4.2.          Upon request, Company provides written certification that such assessment and testing has been performed and provides an annual executive summary of the results of the assessment and testing to Client, including the methodology used to perform the assessment. Such summary or results constitute Company’s Confidential Information and may not be used for any purpose other than confirming Company’s compliance with this Annex II.

4.3.          Company provides confirmation that any high-risk findings (any findings designated other than medium, moderate, low or similar categories) have been remediated or a plan is in place to timely address such findings.

Company uses industry-recognized code scanning tools on its software code.