ASAPP Security Addendum
This Security Addendum is incorporated into and made a part of the written agreement between ASAPP and the Customer that references this document (the “Agreement”), and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.
1. Information Security Program
ASAPP has established and maintains an information security program (“Security Program”) materially aligned with industry leading practices and applicable regulatory requirements, that is designed to: (i) ensure sufficient controls are implemented to protect against anticipated threats to the security or integrity of Customer Data; (ii) protect against unauthorized access to or use of Customer Data; (iii) ensure the secure storage and, if applicable, disposal of Customer Data; and (iv) ensure that all subcontractors of ASAPP, if any, comply with all of the foregoing. ASAPP’s information security program is regularly reviewed by ASAPP management and updated as necessary. As part of its Security Program, ASAPP shall maintain written policies and standards and ensure all Personnel with access to Customer Data maintain awareness of such policies and undergo security awareness training periodically. ASAPP may review and update its Security Program as well as this Security Addendum, provided, however, that such updates shall be designed to enhance and not materially diminish the Security Program.
2. Data Protection
ASAPP maintains written policies defining data handling practices and classifies, protects, stores and securely disposes of Customer Data in line with the requirements defined within such policies. ASAPP uses industry standard encryption techniques to protect sensitive data in storage and transport.
3. Access Control
ASAPP ensures that access to Customer Data is restricted to authorized Personnel and that such access is only granted for purposes of fulfilling ASAPP’s obligations under the Agreement. Accessing Customer Data is only permitted upon successful authentication using mechanisms meeting industry standards and minimum requirements as defined within ASAPP policies. All remote access to Customer Data is obtained through a secure connection. ASAPP periodically reviews user access to verify that access remains restricted to authorized Personnel. Access by ASAPP Personnel to Customer Data is removed upon termination of employment or a change in job status that results in Personnel no longer requiring access to Customer Data. ASAPP uses industry standard methods to maintain logs of all user access.
4. Secure Software Development
ASAPP maintains written policies defining requirements for developing and implementing the systems provided for purposes of fulfilling ASAPP’s obligations under this Agreement. Newly developed systems undergo review, including a security review for significant functionality, testing and approval prior to production implementation and use for storage and processing of Customer Data.
5. Logging and Monitoring
ASAPP monitors production systems provided under the Agreement to detect and respond to potential threats to the security, confidentiality, and integrity of Customer Data. Event logs are protected from unauthorized access or modification and are retained in line with ASAPP’s retention policy.
6. Vulnerability Scanning
ASAPP conducts vulnerability scans on a regular basis and evaluates any identified vulnerabilities. ASAPP remediates identified vulnerabilities in line with their criticality, including timely implementation of necessary patches, if applicable.
7. Security Incident Response
ASAPP maintains a documented Security Incident Response Plan. ASAPP continuously monitors its systems provided for purposes of fulfilling ASAPP’s obligations under this Agreement and potential security incidents are identified, evaluated, resolved and recovered from in line with the plan.
8. Security Breach
If ASAPP becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Breach”), ASAPP shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 72 hours after becoming aware. In the event of a Security Breach, ASAPP shall promptly take reasonable steps to contain, investigate, and mitigate any Security Breach. ASAPP shall provide Customer timely information about the Security Breach to the extent known to ASAPP, including, but not limited to, the nature and consequences of the Security Breach, the measures taken and/or proposed by ASAPP to mitigate or contain the Security Breach, the status of ASAPP’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because ASAPP’s Personnel may not have visibility to the content of Customer Data, it may be unlikely that ASAPP can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects. Communications by or on behalf of ASAPP with Customer in connection with a Security Breach shall not be construed as an acknowledgment by ASAPP of any fault or liability with respect to the Security Breach.
9. Due Diligence by Customer
Upon request by Customer, ASAPP agrees to complete, within forty-five (45) days of receipt, a due diligence questionnaire provided by Customer or Customer’s designee regarding ASAPP’s information security program.
10. Penetration Testing
Annually, ASAPP shall have a penetration test (“Pen Test”) of its systems conducted by an independent qualified third party at its sole expense. ASAPP will evaluate the severity of any findings, should they be identified, and will implement mitigation strategies to address such findings in line with their severity. ASAPP will share an executive summary of the test with the Customer upon reasonable request.
11. Customer Penetration Testing
Customer may provide a written request for a Pen Test of its account by submitting such request via a support ticket. Following receipt by ASAPP of such request, ASAPP and Customer shall mutually agree in advance on details of such Pen Test, including the start date, scope and duration, as well as reasonable conditions designed to mitigate potential risks to confidentiality, security, or other potential disruption of the Services or ASAPP’s business. Pen Tests and any information arising therefrom are deemed ASAPP’s Confidential Information. If Customer discovers any actual or potential vulnerability in connection with a Pen Test, Customer must immediately disclose it to ASAPP and shall not disclose it to any third party.
12. Audits
- Audit of ASAPP by Independent Third Party. No less than annually, ASAPP shall have conducted an independent third-party audit of its information security program and will provide a summary report to Customer upon reasonable written request, at ASAPP’s sole expense. Should any findings be identified, ASAPP shall evaluate those findings and will design and implement mitigation strategies as needed at its sole expense.
- PCI Compliance. If, in the course of its engagement by Customer and if specified in the service terms of this Agreement that ASAPP will transmit, store or process any cardholder data of the Customer’s end users, ASAPP shall at all times remain in compliance with the latest Payment Card Industry Data Security Standard (“PCI DSS”) requirements applicable to provided services, implementing all procedures and practices as may be necessary to remain in compliance with PCI DSS, in each case, at ASAPP’s sole cost and expense. Annually, ASAPP shall obtain an independent PCI Attestation of Compliance (AoC) for services subject to this engagement.
- Customer may also send a written request for an audit of ASAPP’s applicable controls, including inspection of its facilities. Following receipt by ASAPP of such request, ASAPP and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. ASAPP may charge a fee (rates shall be reasonable, taking into account the resources expended by ASAPP) for any such audit. Audit Reports, any audit, and any information arising therefrom shall be considered ASAPP’s Confidential Information.