1. Application Development
   1. Development first occurs within Development Environment
   2. Pull Request for QA to review and test new code
   3. New code pushed to UAT Environment for Stakeholder Approval
   4. Full Internal Vulnerability & Regression testing throughout the application
   5. Use Launch Darkly for Feature Flagging allowing only select clients to view new development features.
   6. Deployed to Production
2. Application Security
   1. Token based authentication using OAuth
   2. Password Strength
      1. Minimum Password Length of 12
      2. Password complexity required
         1. Uppercase
         2. Lowercase
         3. Special character
         4. Number
      3. No Repeat passwords
   3. Moving to Auth0 for password management/security
   4. Full Regression testing
   5. No Open Source code for 3rd parties to integrate into software
   6. No Direct API integrations/ 3rd party tooling allowed into the application or Database
3. Quarterly AWS Well Architected Review focused on the following items

Introduction

Sifted needs secure and accurate information to conduct our business. As the custodians of a large volume of information, Sifted has a fundamental responsibility to protect that information from unauthorized or accidental modification, loss, or release which could have an impact on individuals who are the subjects of the information. Sifted uses various Cloud-based SaaS vendors to conduct our business, including Amazon Web Services (AWS), JumpCloud, Perimeter81 VPN, Carbon Black EDR, and KnowBe4 Security Training. These vendors are fully certified and compliant with Security Industry standards, including SOC3.

Information plays a vital role in supporting business processes and client services, contributing to operational and strategic business decisions, and conforming to legal compliance requirements. Accordingly, information must be protected to a level commensurate with its value to the organization and the potential harm to customers which might be caused by unauthorized use or disclosure.

Purpose

The purpose of this policy is to provide a framework for the management of information security throughout our organization. It will help protect Sifted, our clients, and business partners from adverse impacts to their reputation and operations that could result from failures of:

• Confidentiality – in the context of access or disclosure of the information without authority;
• Integrity – in the context of completeness, accuracy, and resistance to unauthorized modification or destruction;
• Availability – in the context of continuity and the business processes and for recoverability in the event of a disruption.

Objectives

The objectives of this policy, and the guidelines and procedures which implement it, are to:

• Ensure the continuity of Sifted and its services to its customers and business partners;
• Define the main vendors Sifted uses and for what purpose;
• Minimize the possibility of a threat to information security causing loss or damage to Sifted, its customers, and business partners;
• Ensure that an effective information security program is in place;
• Inform all Sifted personnel, customers, and business partners who have access to Sifted information of their responsibilities and obligations with respect to security;
• Ensure the principles of information security are consistently and effectively applied during the planning, development, and execution of all Sifted activities.

Scope

This policy applies to:

• All “users” of Sifted information;
• All Sifted information assets containing data, intellectual property, software, and facilities.

Scope Definitions

Users of Sifted information include employees, contractors, consultants, and business partners that access Sifted’s information and data.

Data includes both raw and processed data:

• Electronic data files, regardless of their storage media and including hard copies and data otherwise in transit;
• Information derived from processed data, regardless of the storage or presentation media.
• We do not sell any customer data to any third party.
• The only personal information data stored in our Infrastructure is the delivery address provided by the carrier system.

Software includes locally developed programs and those acquired from external sources:

• Operating system software and associated utility and support programs;
• Application enabling software, including database management, telecommunication, and networking software;
• Hosted software from various vendors mentioned above.

Facilities include all equipment, as well as the physical and environmental infrastructure:

• Computer processors of all sizes, whether the general or special purpose and including personal computers;
• Peripheral, workstation, and terminal equipment;
• Telecommunications and data communications cabling and equipment;
• Local and wide area network equipment;
• Environmental control systems, including air conditioning and other cooling equipment;
• Alarms and safety equipment;
• Required utility services, including electricity, gas, and water;
• Building and building improvements accommodating personnel and equipment.

Approach

Sifted embraces a proactive approach to information security management and uses the standards on information security management and risk management as the framework.

Sifted follows the principle of “least privilege” for data and system access. Access is made available to associates only as needed to complete necessary work and tasks for our customers. Applying risk management techniques, information assets shall be evaluated for the purpose of determining their individual value to Sifted and for the selection of appropriate protection measures. The evaluation shall take into consideration the relevant legal compliance requirements.

SaaS Vendors

Sifted uses various SaaS vendors (Software as a Service) to conduct our business. SOC Reports for each vendor are located at the bottom of this document. Below are the explanations of each vendor’s service offering and how we use it:

• Amazon Web Services (AWS): AWS serves as Sifted’s complete Network and IT Infrastructure. All servers, databases, and other applications and processes reside in our Private Virtual Cloud (VPC), housed in the US West Region 2. We utilize IP Address Whitelisting along with VPN access to secure connections into our VPC.
• JumpCloud is used as our identity provider and systems manager. Jumpcloud takes the place of a traditional Active Directory Forest, traditionally used in Local Area Networks. Jumpcloud manages both User Identity and End Point Identity, tying the two together. Complex password policy and Multifactor Authentication (MFA) are used as well.
• Perimeter81 Virtual Private Network (VPN): Sifted uses this service to create a virtual private network between our employees’ endpoints to our AWS infrastructure. This connection is an encrypted data channel that ensures the security of the data transmitted is never compromised. This service utilizes Wireguard protocol, which differs from traditional protocols like IPSec and OpenVPN, in that it has a much smaller code base, just 4,000 lines, and this makes it extremely fast and easy to implement, and offers the best security with regards to encryption.
• Carbon Black Endpoint Detection & Response (EDR): Sifted secures all endpoints with Carbon Black Cloud EDR software. CB EDR is an advanced threat hunting and incident response solution that delivers continuous visibility for our Security Team. User system data is continuously collected and sent to VMWare Carbon Black Cloud and provides our Security Team with the most complete picture of an attack at all times, reducing lengthy investigations from days down to minutes. This empowers our Security Team to proactively hunt for threats, uncover suspicious activity, disrupt active attacks, and address gaps in defenses before attackers can. We require all systems that access our Infrastructure to be secured with the CB EDR agent.
• KnowBe4 Security Training: Sifted utilizes this training platform to test and educate our users to combat the ever-changing security vulnerability landscape. KnowBe4 uses intricate methods to test users in different ways to increase security awareness surrounding Phishing attacks, account takeovers, and other well-known means that cybercriminals may use. We require all users to go through a baseline of security awareness training, offered by KnowBe4, including Kevin Mitnick Security Awareness Training.

Responsibilities

The guiding principle is that physical, administrative, and technical controls shall be in place that is reasonably designed to assure the security of information maintained by Sifted. These controls shall be effectively measured against security standards and compliance requirements that are relevant to Sifted. These controls shall focus on the requirements outlined herein.

• Authenticity – Users of information assets shall be uniquely identified to the information being accessed.
• Integrity – There shall be adequate protective controls/safeguards to ensure completeness and accuracy during the capture, storage, processing, and presentation of information.
• Confidentiality – There shall be adequate protective controls/safeguards to ensure that confidential information is disclosed only to authorized users.
• Availability – There shall be adequate protective controls/safeguards to ensure that information can be delivered for Sifted business activities.
• Reliability – There shall be adequate protective controls/safeguards to ensure that complete and accurate information is available as needed.
• Accountability – There shall be adequate protective controls/safeguards to ensure that responsibility for the security of information is undertaken by providers and users of information.
• Conduct – Information assets owned or in the possession of Sifted shall be solely for the conduct of Sifted business; no private use, or use for other purposes shall be permitted.
• Education and Training – Users of Sifted information shall be adequately educated on security policies, guidelines, and procedures.

Responsibilities

The Manager responsible for Information Security will coordinate the development of guidelines and procedures for the implementation of this policy and will be responsible for an ongoing review of their effectiveness. The Manager must ensure that all personnel are fully informed of their obligations and responsibilities with respect to these guidelines and procedures.

The Team responsible for Information Security is responsible for the day-to-day administration of the information security procedures and guidelines. This team reports directly to the Manager responsible for Information Security on the performance of the information security procedures and guidelines.

Managers have a responsibility as custodians/owners of the data and other Information assets that support the business activity performed under their supervision to ensure those assets are adequately secured. They must also ensure the appropriate information security guidelines and procedures are observed in the performance of these activities.

All personnel, whether employees, contractors, or consultants, are required to comply with the information security guidelines and procedures and to play an active role in protecting the information assets of the organization. They must not access or operate these assets without authority and must report security breaches or exposures that come to their attention to the Manager responsible for Information Security.

Monitoring and Review

Compliance with the Policy will be monitored on a regular basis. Security logs and audit trails will be produced to monitor the activities of users in their usage of information assets. This policy, with its supporting guidelines and procedures, will be reviewed on a periodic basis to ensure completeness, effectiveness, and usability.

SOC Reports

Amazon Web Services
JumpCloud
Perimeter 81 VPN
Carbon Black
KnowBe4

Vendor agrees to comply with the terms of this Data Security and Privacy as outlined herein. Vendor will, and will ensure that all Vendor Parties, comply with the requirements of this Exhibit. In the event of a conflict between this Exhibit and the Agreement, this Exhibit will control.

1. Definitions.
   1. “Personal Data” means information provided to Vendor by or at the direction of Company, or to which access was provided to Vendor by or at the direction of Company, in the course of Vendor’s performance under the Agreement that: (i) identifies or can be used to identify an individual (including, without limitation, names, signatures, addresses, telephone numbers, e-mail addresses and other unique identifiers); (ii) can be used to authenticate an individual (including, without limitation, employee identification numbers, government-issued identification numbers, passwords or PINs, financial account numbers, credit report information, biometric or health data, answers to security questions and other personal identifiers); or (iii) is otherwise protected under the applicable Privacy & Data Security Laws, including any information and data that constitutes personally identifiable information or personal data under applicable Data Privacy Laws. Company’s business contact information is not by itself deemed to be Personal Data.
   2. “Privacy & Data Security Laws” mean all privacy and data protection laws, rules and regulations that are applicable to Vendor’s provision and Company’s receipt of services.
2. General Obligations.
   1. Vendor acknowledges and agrees that, in the course of its engagement by Company, Vendor may receive or have access to Company Confidential Information. Vendor shall comply with the terms and conditions set forth in the Agreement in its access, collection, receipt, transmission, storage, disposal, use, alteration, and processing (hereafter “Processing”, and the related “Process” or “Processed”) of such Company Confidential Information and be responsible for the unauthorized Processing of Company Confidential Information under its control or in its possession that results from Vendor’s failure to comply with this Agreement.
   2. Vendor shall comply with all applicable Privacy & Data Security Laws applicable to the Processing of Personal Data, if any, and because all Personal Data is Confidential Information, shall also treat all Personal Data as otherwise required for Confidential Information under the Agreement. Vendor shall be liable for its employees, agents, contractors, and third-party service providers who have access to Customer Confidential Information compliance with the terms of this Exhibit.
   3. In recognition of the foregoing, Vendor agrees that it shall:
      1. Implement and maintain administrative, physical and technical safeguards meeting good industry standards to prevent the unauthorized Processing, disclosure, destruction or loss of Company Confidential Information in Vendor’s possession, custody or control; and
      2. Process Personal Data solely and exclusively for the purposes for which the Personal Data, or access to it, is provided pursuant to the terms and conditions of the Agreement, and not use, sell, rent, transfer, distribute, make derivatives of or otherwise disclose or make available Personal Data for Vendor’s own purposes or for the benefit of anyone other than Company, in each case, without Company’s prior written consent.
   4. Prior to any Processing of Personal Data that would impose additional obligations under mandatory Privacy & Data Security Laws, including without limitation, the General Data Protection Regulation (“GDPR”) or the California Consumer Privacy Act (“CCPA”), Vendor and Company shall agree to and execute appropriate agreements containing applicable terms and conditions related to such Personal Data, and including any required model clauses.
3. Security Requirements.
   1. Security Measures. Vendor will implement at least the following security measures:
      1. Vendor will maintain an environment designed to ensure the secure receipt, storage and transmission of Company Confidential Information. Company Confidential Information shall be stored only in secure directories that require access authentication. Vendor agrees that any modification to the hosting environment shall not result in the degradation of services or functionality and shall meet or exceed the existing security features of the hosting environment as it currently exists.
      2. Vendor will implement and maintain a comprehensive written data security policy and reasonable security practices and procedures appropriate to the nature of the Confidential Information and/or data, which policies, practices and procedures will (a) comply with all applicable Privacy and Data Security Laws, (b) be designed to protect against any anticipated or actual threats or hazards to the security , integrity, or loss of such information, and (c) limit access with appropriate separation of duties.
      3. Vendor will: (a) proactively monitor reporting services for known security vulnerabilities and rectify any such vulnerabilities present in Vendor’s systems, (b) encrypt Company Confidential Information with industry standard encryption levels at all times while in transit over a public network and when stored on a laptop or portable storage media, (c) prohibit employees, other Vendor personnel, contractors and agents from bringing, transporting or transmitting Personal Data to their homes, personal computers, e-mail accounts, devices or media, (d) change default security settings (such as default passwords) and promptly install all security updates and patches made available by the suppliers of any of the third party products used in connection with the collection, processing, storage or distribution of Personal Data, and (e) provide intrusion detection, intrusion prevention, malware, and antivirus integrity monitoring, (f) notify Company in advance of any material changes to the hosting environment or the hosting provider, and (g) not make any change that may result in a material degradation of services or functionality, or which may expose Company or Company’s Confidential Information to additional risk.
      4. Vendor shall not knowingly introduce, and shall continuously reduce the risk of introducing, Malicious Code into the Vendor’s services, any materials or technology provided to Company or any Company system connected to the Hosted Services. If Vendor is aware of any Malicious Code introduced into the services, materials or technology provided to Company or any Company system, Vendor shall promptly notify Company, assist in reducing the effects of any Malicious Code found, and to the maximum extent possible, restore operational efficiency and data or, when applicable, mitigate losses. “Malicious Code” means any program routine, device or other feature or hidden file, including any time bomb, virus, software lock, Trojan horse, drop-dead device, worm, malicious logic or trap door that may delete, disable, deactivate, interfere with or otherwise harm hardware, software, data or other programs.
   2. Location of Data. Vendor will advise Company of the facility in which its data is stored and will not relocate, store or process Company Confidential Information outside the country in which the parties originally agreed to store such Confidential Information, except with advance consent in writing or with written instructions by Company.
   3. Loss Prevention. Vendor will use good industry practices designed to protect the operating environment of the services against unauthorized physical access and the threats of fire, power, temperature, humidity and other physical forces with the following capabilities: (i) co-location in a secure data center with physical access limited to authorized personnel and protected by multi-level security systems, (ii) continuous, conditioned power supplied by a redundant power infrastructure, including battery backup systems and diesel-powered generators, with regular system testing for continuous availability, and (iii) redundant HVAC climate control, fire suppression systems and locked cabinets.
   4. Backup; Recovery. Vendor is responsible for maintaining a backup of Company Confidential Information for an orderly and timely recovery of such data in the event that the services may be interrupted. Vendor will perform daily backups. Full system backups and server image backups will be performed on a monthly basis. Monthly system images and data will be securely uploaded and stored off-site at a data management facility. Daily backups will be retained for at least 30 days. Monthly backups will be retained for at least three months.
   5. Business Continuity; Disaster Recovery. Vendor agrees to execute a business continuity plan at least two times a year. Vendor will share the results of the plan execution. In the event of an unsuccessful execution, Vendor will document and advise Company of remediation for failed steps or processes involved in restoration of the workload.
4. Disclosure and Retention.
   1. Requests for Personal Data. If Vendor receives any legal request or process seeking disclosure of Personal Data or if Vendor is advised by counsel of any obligation to disclose Personal Data, Vendor will (to the maximum extent allowed by applicable law) provide Company with prompt prior notice of such request or obligation so that Company may seek a protective order or pursue other appropriate remedies to protect the confidentiality of such information. Vendor agrees to furnish only that portion of the information which is legally required to be furnished and, in consultation with Company, to use all reasonable efforts to assure that the information is maintained in confidence by the party to whom it is furnished.
   2. Destruction. Upon expiration or termination of the MHSA (or at any time upon Company’s request), Vendor will immediately cease any and all use of Company’s Confidential Information, and at no additional cost promptly return or, if requested by Company destroy (with certification of such return and/or destruction in writing), such Confidential Information and all copies thereof in Vendor’s possession, custody or control, provided that: (a) any back-up or archival files may be destroyed in the ordinary course of Vendor’s business, and (b) Vendor shall not retrieve or restore such files after Company requests destruction.
5. Security Incident Procedures.
   1. Security Incident. Vendor will advise Company as soon as possible, but no later than forty-eight (48) hours, after the time it learns or has reason to believe that there has been unauthorized access to or use of, or any security breach relating to or affecting, Company Confidential Information (“Security Incident”). Vendor shall provide Company with the name and contact information for an employee of Vendor who shall serve as Company’s primary security contact and shall be available to assist Company twenty-four (24) hours per day, seven (7) days per week in resolving obligations associated with a Security Incident. Vendor will, subject to the following section, mitigate promptly the Security Incident to prevent further access to or use of Company Confidential Information.
   2. Response. Subject to the limitations of liability set forth in the Agreement, Vendor will (i) at its own expense cooperate with Company to investigate, respond, and notify customers or other affected individuals as required by law, and seek injunctive or other equitable relief as may be appropriate to mitigate the Security Incident, (ii) reimburse Company for actual reasonable costs incurred by Company in responding to, and mitigating any damages caused by a Security Incident, including all costs of remediation and notices pursuant to Section 5(c).
   3. Vendor agrees that it shall not inform any third party (except its own legal counsel) of any Security Incident without first notifying Company, other to inform a complainant that the matter has been forwarded to Company’s legal counsel. Further, Vendor agrees that it shall reasonably cooperate with Company to jointly determine: (i) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as a required by law or regulation, or otherwise, and (ii) the contents of such notice, whether any type of remediation may be offered to affected persons, such as credit monitoring services, and the nature and extent of such remediation. Subject to the limitations of liability set forth in the Agreement, Vendor shall reimburse Company for the costs of such notifications and any other associated costs that Company may incur in connection with responding to or managing the Security Incident, including without limitation, costs of print services, postage, obtaining contact information for affected individuals, credit monitoring services, call center services, forensics services, and any other losses for which Vendor would be liable under this Agreement. The remedies provided in this Exhibit will be in addition to any other remedies available to Company at law or in equity, including but not limited to Vendor’s indemnification obligations under the Agreement.
6. Compliance Review.
   1. Annual Assessment. Vendor shall at least once per year: (i) conduct site audits of the information technology and information security controls for all facilities used in complying with its obligations under the Agreement, including, without limitation, obtaining a network-level vulnerability assessment and penetration testing performed by a recognized third-party audit firm based on good industry standards, and (ii) perform formal industry common risk assessments to determine the likelihood and impact of potential privacy and security risks to Company Confidential Information, and provide such audit report to Company upon its request.
   2. Audit. Company or its authorized representative has the right to inspect Vendor’s and Vendor Parties’ respective systems and facilities annually to ensure compliance with this Exhibit and Privacy & Data Security Laws. Before the commencement of any such audit, the parties shall mutually agree upon the scope, timing, and duration of the audit. Company shall promptly notify Vendor of any non-compliance discovered during the course of an audit.
7. PCI Compliance. This Section 7 shall apply only if and to the extent that Vendor Processes payment card data for Company. Vendor agrees that it is responsible for and will maintain compliance with PCI DSS requirements, and any higher standards agreed to the by the Parties in writing. When such requirements are applicable to Vendor, Vendor agrees it is responsible for the security of cardholder data that Vendor Processes. Vendor will maintain an unexpired PCI DSS service provider certification for Processing subject to PCI DSS requirements, and will comply with the applicable PCI DSS requirements or higher standards agreed to the by Parties after termination of the Agreement with respect to any cardholder data remaining in Vendor’s possession or control.