
Data Protection Addendum

  1. Security Program
    1. Overview
        1. TeleMessage has implemented and will maintain appropriate technical, physical, and administrative measures reasonably designed to prevent accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, confidential information (“Information Security Program”).
        2. TeleMessage’s Information Security Program oversees all areas of security applicable to Smarsh and information security, including physical access to Smarsh’s data centers that store data ingested by the applicable service (“Client Data”), system and data access, transmission of Client Data, as well as general supervision and enforcement. Smarsh’s Information Security Program generally aligns with the security standards published by International Organization for Standardization (ISO).
        3. TeleMessage undergoes annual independent third-party ISO 27001 and ISO 27017 assessments and operates from SOC 2 Type II (or its equivalent or successor) datacenters. TeleMessage’s annual assessments cover all aspects of our Information Security Program. After each assessment, TeleMessage assesses the severity of any issues identified and, in a timely manner, remediates them or implements compensating controls based on their level of criticality and risk.
        4. See here for our active Data Privacy Framework certifications: SWISS-U.S., EU-U.S. and UK EXTENSION TO THE EU-U.S.
    2. Personnel Security
      TeleMessage performs background checks on all TeleMessage employees prior to commencement of employment. Smarsh requires each employee to maintain the confidentiality of Confidential Information, including written confidentiality agreements and annual security and data privacy awareness training. Smarsh also requires additional role-based security training for employees with access to Client Data or the application that processes and stores Client Data.
    3. Third Party Risk Management
      TeleMessage screens and enters into written confidentiality agreements with its vendors to maintain the security of Confidential Information. TeleMessage strives to select top leading vendors and conducts an initial risk assessment of each vendor. Strategic vendors must have ISO 27001 or SOC 2 certification (or equivalent). Thereafter, TeleMessage validates annually that such vendors maintain their ISO or SOC 2 certifications.
    4. Access Security
      1. Facilities Access: TeleMessage employs physical security procedures which require that only authorized individuals have access to corporate facilities. Such procedures include the use of CCTV, biometric access, processes to log and monitor visitors, and use of receptionists or security guards.
      2. Systems Access: TeleMessage follows the principle of “least privilege” when granting access to TeleMessage internal systems (“TeleMessage Systems”). TeleMessage uses complex password requirements across all TeleMessage Systems to minimize password-related access control risks. TeleMessage utilizes multi-factor authentication for any remote access, or production site access to the administration of TeleMessage’s Systems. TeleMessage’s information security policies prohibit TeleMessage employees from sharing, writing down, or storing passwords in an unencrypted manner on any TeleMessage System (including desktops).
  2. Application Security – Cloud-Based Solutions
      1. Applications: TeleMessage provides various software-as-a-service solutions that, as configured by Client, capture, ingest, store, and archive Client Data from various third-party service providers of Client (each, a “SaaS Application”).
      2. Code Review and Secure Design: TeleMessage uses a “security by design” approach that follows generally accepted industry standards for a secure software development life cycle. TeleMessage performs both static and dynamic web application security code analysis prior to deployment in a production environment. TeleMessage uses a formal change management process that includes the tracking and approval of all software product updates and changes. Any such changes are internally reviewed and tested within a staging environment before such changes are finalized and deployed to production environments.
      3. Monitoring & Security Scanning: TeleMessage, in accordance with generally accepted industry standards, monitors the SaaS Applications and the TeleMessage networks, servers, and service environments hosting the SaaS Applications for potential security vulnerabilities consistent with TeleMessage’s vulnerability management program. TeleMessage will promptly assess discovered security vulnerabilities, taking into account the risk posed, and prioritize them for remediation activities.
      4. Anti-Malware Initiatives: TeleMessage, using industry-standard measures, on a regular basis, tests and scans the SaaS Applications for (a) ‘back door,’ ‘time bomb,’ ‘Trojan Horse,’ ‘worm,’ ‘drop dead device,’ ‘virus,’ ‘spyware’ or ‘malware;’ or (b) any computer code or software routine that disables, damages, erases, disrupts or impairs the normal operation of the SaaS Applications or any component thereof.
      5. Physical and Software Security: TeleMessage’s information security policy requires all network devices and servers that host or process Client Data to be secured to address reasonable threats through industry standard technical measures. TeleMessage physically or logically separates quality assurance and test environments from production environments. TeleMessage uses industry-standard firewalls, intrusion detection, and malware detection on its networks and hosted systems and requires the use of VPN or Zero Trust for access to its secured environments.
      6. Client Data: TeleMessage will not use Client Data for testing purposes or access Client Data, except as authorized by Client, or as required by the applicable services. TeleMessage will not use any data derived from Client Data for any purpose except to provide the Services.
      7. TeleMessage Physical Data Center Security: TeleMessage ensures that physical security controls are implemented to prevent unauthorized individuals from accessing TeleMessage data centers. TeleMessage uses data center security measures that align with industry standard practices for physical security and, at a minimum, require that TeleMessage data centers use: floor-to-ceiling external walls, locked cages or server rooms, multi-factor authentication for data center access, 24/7 security monitoring, alarmed exits, and onsite security personnel.
      8. Cloud Environment Data Center Security: TeleMessage may use infrastructure-as-a-service providers (“Cloud Providers”) to provide the services (as applicable). Before utilizing a Cloud Provider, TeleMessage evaluates the Cloud Provider’s security controls and processes to ensure that such security program meets the applicable obligations contained in TeleMessage’s own Information Security Program. On a regular basis thereafter, TeleMessage reviews each Cloud Provider’s security controls as audited by the Cloud Provider’s third-party security audits and certifications to ensure that such Cloud Provider maintains its Security Program at a level consistent with TeleMessage’s Information Security Program. Such controls include, at a minimum, physical access controls, multi-factor authentication for data center access, 24/7 security monitoring, alarmed exits, and onsite security personnel.
      9. Penetration Testing: TeleMessage performs annual penetration testing on the SaaS Applications using independent, third-party resources. Upon written request (and not more than once every 12 months), TeleMessage will provide a summary penetration testing report to Clients whose service level includes access to such report results.
      10. Performance: TeleMessage uses industry-standard technology and tools to monitor the uptime status of its SaaS Applications and to send alerts when any warning conditions need to be reviewed.
      11. Data Management: Client Data is stored in a logically separated environment.
      12. Encryption: TeleMessage encrypts Client Data in transit and at rest using encryption techniques that comply with security industry standards published by NIST.
  3. Business Continuity/Disaster Recovery
      TeleMessage maintains a Business Continuity and Disaster Recovery Plan (“BCP”) and shall activate the BCP in the event of a disaster, as defined in the BCP. Upon written request, TeleMessage will make an executive summary of the BCP available to Clients whose service level includes access to such report results. TeleMessage tests the BCP on a regular basis, and at least annually.
  4. Incident Response
      1. Security Incident: TeleMessage’s Information Security Program includes incident response policies and procedures in the event that there is any actual, or reasonably suspected, unauthorized access to TeleMessage facilities, TeleMessage Systems, or the SaaS Applications (“Security Incident”), including processes to ensure that:
        1. the Security Incident is contained and remediated in a timely fashion;
        2. if required, timely notice is provided to any affected parties;
        3. the Security Incident is appropriately tracked;
        4. all related server logs are retained for at least ninety (90) days following the Security Incident;
        5. all related Security Incident reports are retained for at least three (3) years; and
        6. all related Security Incident logs are appropriately protected to ensure the integrity of such logs.
        TeleMessage will promptly implement such procedures upon becoming aware of a Security Incident.
      2. Client Data Incident: Upon becoming aware of any actual or reasonably suspected unauthorized third-party access to, or disclosure of, Client Data (“Client Data Incident”), Smarsh will:
        1. investigate, and take reasonable measures to remediate, the cause of such Client Data Incident, and
        2. promptly, after discovery, provide written notice to the Incident Response Contact set forth in the Incident Contact Sheet.
  5. Security Documentation; Audit Rights; Security Assessments
      1. Security Documentation: Upon written request, and subject to the confidentiality obligations set forth in the Agreement, TeleMessage will make available to Client, at no cost to Client, a copy of TeleMessage’s most recent (i) annual independent ISO 27001 and SSAE 18 SOC 2 Type II report of its datacenters, and (ii) TeleMessage’s standard information gathering questionnaire (collectively, “Security Packet”) to demonstrate Smarsh’s compliance with the Information Security Program. Clients whose service level includes access to such report results will also receive (iii) the executive summary of TeleMessage’s annual penetration test.
      2. Audit Rights: Upon Client’s written request (and no more than once every 12 months), and subject to the confidentiality obligations set forth in the Agreement, TeleMessage will make available to Client, at no cost to Client, TeleMessage’s Security Packet to demonstrate its compliance with the Information Security Program. After reviewing the Security Packet, if Client identifies areas of concern that have not been covered and are areas that Client is lawfully able to audit under applicable laws, rules, or regulations, then Client may submit to TeleMessage additional reasonable requests for information regarding those areas of concern that are necessary to confirm TeleMessage’s compliance with its Security Program, provided such requests are included in the service level of the customer. If Client has additional requests for information outside the scope of this Section ii, TeleMessage, at Client’s sole expense, will respond to such additional requests for information about TeleMessage’s Security Program, including additional security questionnaires, subject to TeleMessage’s standard hourly rate of $300/hr. Prior to completing such additional security questionnaire(s), TeleMessage will provide Client with an estimate of the cost associated with responding to such questionnaire, and may request a deposit, before beginning such work.
      3. Security Assessments of Cloud Providers: Client recognizes that TeleMessage utilizes Cloud Providers to process Client Data or provide the Services. Client agrees that TeleMessage does not have access to, or control over, the physical infrastructure or facilities used by such Cloud Providers or the manner in which such Cloud Providers allow third parties to audit such Cloud Provider’s security controls and processes. If Client wishes to conduct an audit of any related Cloud Provider applicable to the Services, Client may elect to do so in the manner set forth in this Section ii. Upon Client’s written request (and no more than once every month), and subject to the confidentiality obligations set forth in this Agreement, TeleMessage agrees to use commercially reasonable efforts to obtain the applicable sub-processor’s or cloud provider’s internal or independent security audit reports or SIG on behalf of the Client, and TeleMessage shall provide such security documentation to the Client to the extent permitted and feasible. If TeleMessage cannot provide such security documentation to the Client, TeleMessage agrees to use commercially reasonable efforts to provide Client with sufficient information to obtain such security documentation on its own.


Incident Response Contact Sheet


In the event of a Security Incident or Client Data Incident, TeleMessage will notify the following contact:

Main Contact:

Name:

Title:

Contact Information:

Email:

Phone:

Backup Contact:

Name:

Title:

Contact Information:

Email:

Phone:
