Measures for internal IT and IT security governance and management.

• Maintenance of a written, proportionally comprehensive information security program consistent with applicable industry standards that includes:
  • Information security policies,
  • Access management,
  • Change management,
  • Secure System Development Lifecycle (SSDLC),
  • Physical and environmental security,
  • Incident response plans and procedures,
  • Vulnerability management,
  • Patch management,
  • Business continuity/Disaster Recovery plans,
  • Continuous monitoring,
  • Asset criticality and data classification,
  • Data retention and destruction policies,
  • Third party and software supply chain security,
  • Hiring policies,
  • Employment termination policies,
  • Security awareness,
  • Privacy policies, and
  • Data security procedures.
• Implementation of a risk management program to help address security vulnerabilities, and deploy security patches within a commercially reasonable timeframe;
• Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Subscriber Data and evaluation and implementation of improvements, where necessary, of the effectiveness of the current safeguards for limiting such risks;
• Annual employee security and privacy awareness training;
• Written agreements with Domo sub-processors who have access to Subscriber Data;
Appears in 2 contracts
Measures for internal IT and IT security governance and management.

• Maintenance of a written, proportionally comprehensive information security program consistent with applicable industry standards that includes:
  • Information security policies,
  • Access management,
  • Change management,
  • Secure System Development Lifecycle (SSDLC),
  • Physical and environmental security,
  • Incident response plans and procedures,
  • Vulnerability management,
  • Patch management,
  • Business continuity/Disaster Recovery plans,
  • Continuous monitoring,
  • Asset criticality and data classification,
  • Data retention and destruction policies,
  • Third party and software supply chain security,
  • Hiring policies,
  • Employment termination policies,
  • Security awareness,
  • Privacy policies, and
  • Data security procedures.
• Implementation of a risk management program to help address security vulnerabilities, and deploy security patches within a commercially reasonable timeframe;
• Identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing Subscriber Personal Data and evaluation and implementation of improvements, where necessary, of the effectiveness of the current safeguards for limiting such risks;
• Annual employee security and privacy awareness training;
• Written agreements with Domo sub-processors who have access to Subscriber Personal Data;
Appears in 1 contract
Sources: Data Processing Addendum