Specific Measures.

Measures of pseudonymisation and encryption of personal data
• Data at rest is encrypted using the AES-256 algorithm.
• Employee laptops are protected with AES-256 full-disk encryption.
• HTTPS encryption on every web login interface, using industry-standard algorithms and certificates.
• Credentials are transmitted over TLS 1.2 by default.
• Access to operational environments requires the use of secure protocols such as HTTPS.
• Data that resides in Amazon Web Services (AWS) is encrypted at rest as described in AWS' documentation and whitepapers. In particular, AWS instances and volumes are encrypted using AES-256. Encryption keys are managed in AWS Key Management Service (KMS), are protected by IAM roles, and are backed by AWS-provided HSMs validated under FIPS 140-2.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
• Lattice is, and shall continue to be, audited annually against the SOC 2 Type II standard. The audit shall be completed by an independent third party. Upon Customer’s written request, Lattice will provide a summary copy (on a confidential basis) of the most recent annual audit report, so that Customer can verify Lattice’s compliance with the audit standards against which it has been assessed and with this DPA. Although that report provides independently audited confirmation of Lattice’s security posture each year, the most common points of interest are further detailed below. Lattice shall provide Customer with this initial evidence of compliance within thirty (30) days of written request, and annually thereafter upon written request.
• Lattice shall continue to engage an independent third party annually to perform a web application penetration test. Upon Customer’s written request, Lattice shall provide the executive summary of the report to Customer. Lattice shall address all critical, severe and medium vulnerabilities in the findings of the report within a reasonable, risk-based timeframe. Lattice shall provide Customer with this initial evidence of compliance within thirty (30) days of written request.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
• Virtual Private Network (VPN).
• Strong access controls based on the 'Principle of Least Privilege'.
• Differentiated rights system based on security groups and access control lists.
• Employees are granted only the amount of access necessary to perform their job functions.
• Unique accounts and role-based access within operational and corporate environments.
• Access to systems is restricted by security groups and access control lists.
• Authorization requests are tracked, logged and audited on a regular basis.
• Removal of access for employees upon termination or change of employment.
• Enforcement of multi-factor authentication (MFA) for access to critical and production resources.
• Strong and complex passwords are required. Initial passwords must be changed after the first login.
• Passwords are never stored in clear text and are encrypted in transit and at rest.
• Account provisioning and de-provisioning processes.
• Segregation of responsibilities and duties to reduce opportunities for unauthorized or unintentional modification or misuse.
• Confidentiality requirements imposed on employees.
• Mandatory security training for employees, which covers data privacy and governance, data protection, confidentiality, social engineering, password policies, and overall security responsibilities inside and outside of Lattice.
• Non-disclosure agreements with third parties.
• Separation of networks based on trust levels.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
• Event reports are enabled and available to customers in their Lattice instance. These reports can be downloaded periodically.
• User activity, including logins, configuration changes, deletions and updates, is written automatically to audit logs in operational systems.
• Certain log data on Lattice systems, such as timestamps, IPs, logins/logouts and errors, is not available directly to customers. These logs are available only to authorized employees, are stored off-system, and are available for security investigations.
• All logs can be accessed only by authorized Lattice employees, and access controls are in place to prevent unauthorized access.
• Write access to logging data is strictly prohibited. Logging facilities and log information are protected against tampering and unauthorized access through access controls and security measures.
• Network segmentation, with interconnections protected by firewalls.
• Annual penetration testing of all components of the Lattice SaaS, including web and mobile applications.
• Lattice has in place a public Vulnerability Disclosure Program and a private Bug Bounty program.
Appears in 1 contract
Sources: Data Processing Addendum