
Assurified, Inc. Data Security Fact Sheet

The technical and organizational measures designed to ensure the security of client data include the following:

1. Access Control

i. Preventing Unauthorized Product Access

Outsourced processing: Assurified hosts its Service with outsourced cloud infrastructure providers. Assurified relies on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.

Physical and environmental security: Assurified hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls of these providers are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: Assurified has implemented a uniform password policy for its client products. Clients who interact with the product via the user interface must authenticate before accessing non-public client data.

Authorization: Client data is stored in a multi-tenant storage system that clients can access only through application user interfaces and application programming interfaces. Clients are not allowed direct access to the underlying application infrastructure. The authorization model in each of Assurified’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key.

ii. Preventing Unauthorized Product Use

Access control: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Intrusion detection and prevention: Assurified has implemented a Web Application Firewall (WAF) solution to protect hosted client websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

Static code analysis: Security reviews of code stored in Assurified’s source code repositories are performed, checking for coding best practices and identifiable software flaws.

Penetration testing: Assurified maintains relationships with industry-recognized penetration testing service providers for regular penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.

iii. Limitations of Privilege & Authorization Requirements

Product access: A subset of Assurified’s employees have access to the products and to client data via controlled interfaces. The intent of providing access to this subset of employees is to provide effective client support, to troubleshoot potential problems, to detect and respond to security incidents, and to implement data security. Access is enabled through “just in time” requests for access; all such requests are logged. Employees are granted access by role, and reviews of high-risk privilege grants are initiated regularly. Employee roles are reviewed at least once every six months.

Background checks: All Assurified employees undergo a third-party background check prior to the start of employment, in accordance with and as permitted by applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

2. Transmission Control

In-transit: Assurified makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every client site hosted on the Assurified products. Assurified’s HTTPS implementation uses industry standard algorithms and certificates.

At-rest: Assurified stores user passwords following policies that follow industry standard practices for security. Assurified has implemented technologies to ensure that stored data is encrypted at rest.

3. Input Control

Detection: Assurified designed its infrastructure to log extensive information about system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees to malicious, unintended, or anomalous activities. Assurified personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Assurified maintains a record of known security incidents that includes a description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For confirmed incidents, Assurified will take appropriate steps to minimize product and client damages or unauthorized disclosure.

Communication: If Assurified becomes aware of unlawful access to client data stored within its products, Assurified will: 1) notify the affected clients of the incident; 2) provide a description of the steps Assurified is taking to resolve the incident; and 3) provide status updates to the client contact, as Assurified deems necessary. Notification(s) of incidents, if any, will be delivered to one or more of the client’s contacts in a form Assurified selects, which may include email or telephone.

4. Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Client data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using industry standard methods.

Assurified’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists Assurified operations in maintaining and updating the product applications and backend while limiting downtime.