Enumerate Security Policy
CyberSecurity & Data Protection Addendum
TOPS Software of Florida, LLC dba Enumerate (“Enumerate”) shall apply commercially reasonable practices to protect Client Data. ISO/IEC 27002 and ISO/IEC 27018 will be used as best-practice recommendations for Enumerate’s security controls. Enumerate’s security practices will meet the following requirements:
1.0 GENERAL OBLIGATIONS TO SAFEGUARD CLIENT DATA
1.1 Enumerate shall implement and maintain commercially reasonable measures designed to: (1) ensure the security and confidentiality of Client Data, (2) protect against anticipated threats or hazards to the security or integrity of Client Data, and (3) protect against unauthorized access to or use of Client Data.
1.2 Enumerate shall maintain physical, electronic, and procedural controls and safeguards designed to protect Client Data from unwarranted disclosure, in compliance with applicable laws. These controls shall include limiting access to Client Data to those employees, agents, service providers of Enumerate, and subcontractors who have a legitimate need for such information to provide the Services. For information disclosed electronically, Enumerate shall maintain electronic barriers (such as firewalls or similar protections) and password-protected access to Client Data. Enumerate shall also encrypt Client Data in transit and at rest.
2.0 SECURITY ORGANIZATION
2.1 Enumerate shall maintain an information security function responsible for security initiatives within the organization, including creating, reviewing, and approving information security policies; reviewing the effectiveness of policy implementation; assigning specific security roles and responsibilities; developing and maintaining an overall strategic security plan; reviewing and monitoring security incidents or events; monitoring significant changes in the security exposure of information assets; and identifying and documenting instances of noncompliance with security policies.
3.0 PASSWORD STANDARDS
3.1 Enumerate shall enforce the following password requirements for employees: a minimum password length of eight (8) characters; minimum complexity requiring at least one alphabetic and one numeric character; account lockout after no more than three (3) consecutive failed authentication attempts; and prevention of reuse of any of the previous five (5) passwords for a period of two (2) years. Temporary passwords, including those created for new accounts, must be changed at the next login. Passwords must not contain any part of the user ID.
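The rules in 3.1, worked through as an added example (this is not Enumerate's code, and the addendum specifies no implementation): a small Python account model that rejects non-compliant candidates with a reason per broken rule, compares against the current and five previous passwords by salted hash rather than plaintext, forces a change of temporary passwords, and locks the account after three failed attempts. Assumptions not in the addendum: "any part of the user ID" is read as any separator-delimited token of at least three characters or any four-character run of the ID (case-insensitive), PBKDF2-HMAC-SHA256 is the hashing scheme, and the two-year window is not modelled. NIST SP 800-63B advises against composition rules and lockout thresholds this tight; the example enforces 3.1 as written.

```python
"""Password-policy enforcement modelled on section 3.1 (added example, not Enumerate's code)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LENGTH = 8            # 3.1: minimum password length of eight characters
HISTORY_DEPTH = 5         # 3.1: no reuse of any of the previous five passwords
MAX_FAILED_ATTEMPTS = 3   # 3.1: lockout after no more than three failed attempts
TOKEN_MIN_LEN = 3         # assumption: ID tokens this long count as "part of a user ID"
ID_RUN_LEN = 4            # assumption: so does any 4-character run of the ID
PBKDF2_ROUNDS = 100_000   # assumption: the addendum names no hashing scheme


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; history is compared on hashes, never on plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def id_fragments(user_id: str) -> set[str]:
    """Lower-cased fragments of the user ID a password must not contain:
    each separator-delimited token ('j.doe' -> 'doe') and every ID_RUN_LEN-char run."""
    lowered = user_id.lower()
    tokens = {t for t in re.split(r"[^a-z0-9]+", lowered) if len(t) >= TOKEN_MIN_LEN}
    compact = re.sub(r"[^a-z0-9]", "", lowered)
    runs = {compact[i:i + ID_RUN_LEN] for i in range(len(compact) - ID_RUN_LEN + 1)}
    return tokens | runs


def policy_violations(user_id: str, password: str,
                      history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return every 3.1 rule the candidate breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if any(frag in password.lower() for frag in id_fragments(user_id)):
        problems.append("contains part of the user ID")
    # history[0] is the current password; the next HISTORY_DEPTH entries are the previous five
    for salt, digest in history[:HISTORY_DEPTH + 1]:
        if hmac.compare_digest(_hash(password, salt), digest):
            problems.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")
            break
    return problems


@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)   # (salt, hash) pairs, newest first
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = False                     # set for temporary/initial passwords

    def set_password(self, password: str, temporary: bool = False) -> None:
        """Apply the policy, record the new hash, keep current + five previous entries."""
        problems = policy_violations(self.user_id, password, self.history)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(password, salt)))
        del self.history[HISTORY_DEPTH + 1:]
        self.must_change = temporary

    def authenticate(self, password: str) -> bool:
        """Check the current hash; the third failure locks the account until an admin resets it."""
        if self.locked or not self.history:
            return False
        salt, digest = self.history[0]
        if hmac.compare_digest(_hash(password, salt), digest):
            self.failed_attempts = 0
            return True   # caller must still honour must_change before granting access
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    acct = Account("j.doe")
    acct.set_password("Welcome2024", temporary=True)   # constructed sample passwords
    print(policy_violations("j.doe", "doe12345", acct.history))
    print(policy_violations("j.doe", "Welcome2024", acct.history))
```

The reuse check deliberately keeps six entries (the current password plus five before it), so the oldest of the "previous five" is still rejected until a sixth change pushes it out; a fixed-length history of five would silently let it back in one change early.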
4.0 PHYSICAL SECURITY
4.1 All Enumerate applications used in connection with the Services shall be hosted in a secure data center covered by an SSAE 18 (SOC) attestation report. Enumerate shall utilize a data center with: (a) commercially reasonable access controls to prevent unauthorized access to the building and computer room; (b) commercially reasonable monitoring of the building twenty-four (24) hours a day, seven (7) days a week, including visitor access logs showing sign-in/sign-out times and host information; and (c) employee access logs and/or CCTV video monitoring.
5.0 ACCESS MANAGEMENT
5.1 Enumerate accounts will be managed by limiting access to necessary information and disabling or removing inactive accounts. Periodic reviews of access requirements will be performed.
6.0 AUDIT LOGS
6.1 Enumerate shall maintain system audit logs to provide accountability for actions that access, generate, modify, affect access to, or release Client Data. Audit logs shall be protected from unauthorized access, modification, or deletion. Audit log entries shall include at least the following data elements: date, time, user ID, user IP address, and event type. All audit logs must be retained and readily accessible for a minimum of three (3) months.
7.0 INTRUSION DETECTION AND SECURITY OPERATIONS CENTER
7.1 Enumerate shall maintain an intrusion detection service to monitor services for suspicious activity. Additionally, Enumerate shall maintain a Security Operations Center that utilizes human monitoring in conjunction with automated alerting twenty-four (24) hours a day, seven (7) days a week.
8.0 INCIDENT RESPONSE
8.1 Enumerate shall maintain incident response standards and guidelines. Enumerate agrees to promptly notify affected Clients in the event of reasonable suspicion that Client Data has been, or may have been, lost or subject to unauthorized internal or external access.
9.0 FIREWALL PROTECTION
9.1 Enumerate shall maintain commercially reasonable firewall protection, including administration and maintenance, to prevent unauthorized access. Administrative firewall access shall be kept to a minimum. Firewalls shall also be used to segment internal networks from one another. Enumerate shall review firewall rule sets to determine whether inactive, insecure, or inappropriate rules should be removed. Firewalls shall be configured to deny all traffic by default, permitting only connections that are explicitly allowed.
10.0 ANTIVIRUS PROTECTION
10.1 Enumerate shall maintain antivirus software, with signature and engine updates applied as necessary, to reasonably protect services from viruses and other malware.
11.0 SECURITY TESTING
11.1 Enumerate performs multiple types of security testing annually. Vulnerability scanning is completed on all systems. In addition, Enumerate engages a third-party security company to conduct application penetration testing.
12.0 TRANSPORT LAYER ENCRYPTION (SSL/TLS)
12.1 Enumerate utilizes Transport Layer Security (“TLS”, the successor to the deprecated Secure Socket Layer or “SSL” protocols and still commonly referred to by that name) to encrypt all end-user transmissions and authentication information transmitted between Enumerate services and the end user.
13.0 MEDIA SANITIZATION
13.1 Media containing Client Data must be rendered unreadable or undergo a secure destruction process based on commercially reasonable standards before Enumerate discards or otherwise discontinues its use.
14.0 DISASTER RECOVERY PLAN
14.1 Enumerate maintains a disaster recovery plan that describes in detail how services will be restored in the event of a catastrophic loss.
15.0 SERVICE PROVIDER
15.1 To the extent it receives or processes Client Data that includes personal information pertaining to consumers as defined by the California Consumer Privacy Act (“CCPA”), Enumerate shall be a service provider under the CCPA. As such, Enumerate will not retain, use, or disclose such personal information: (1) for any purpose other than performing the services specified in the Agreement, (2) outside the direct business relationship between Enumerate and the Client, or (3) as otherwise permitted by the CCPA. Enumerate will not sell such personal information or share it for cross-context behavioral advertising.
16.0 BACKUP
16.1 Enumerate completes data backups multiple times each day. Backups are used for system recovery or correction of data corruption. Backups are not removed from the secure data center or used for disaster recovery purposes.

