INFORMATION SECURITY POLICY

1. We maintain a comprehensive set of security policies and standards designed to ensure comprehensive protection of information security.

We have adopted the International Standard ISO/IEC 27002:2013 as the basis of our security controls, and developed a comprehensive framework of security policies and standards encompassing all of the control areas identified by the standard.

This is the same standard followed by leading organizations globally – the standard used to protect all shared information.

2. ACCESS MANAGEMENTSecurity controls limit the disclosure of information to authorized individuals, entities, and systems only. All our internal users must use multi-factor authentication to access the 7Geese infrastructure and applications. Our application has the ability to integrate with leading industry standard Single Sign-On (SSO) platforms used by our clients.

3. DATA PROTECTIONSecurity controls will ensure that exchanged communications and shared documents are genuine. All user access to the 7Geese application is enabled only over TLS encrypted communications with verification of server certificates performed against a trusted third- party Certificate Authority (CA). We authenticate our Sites and enable TLS/SSL encryption to protect your sensitive data and transactions. All sensitive client data is encrypted at rest using industry accepted practices and algorithms.

4. PHYSICAL SECURITY & AVAILABILITYSecurity controls ensure that information remains available to authorized parties, by ensuring that the systems required to deliver the information remain operable and that the information itself remains accessible. 7Geese infrastructure and applications are hosted in secure datacenter facilities that are designed and managed in alignment with best practices for security and leading security standards, including: SOC 1 / SOC 2 PCI DSS Level 1 ISO/IEC 27001/2 FIPS 140-2 The datacenter controls are supplemented with our disaster recovery processes to maintain availability of our application as per our Service Level Agreements (SLA’s) with our stakeholders.

5. INTEGRITY OF DATASecurity controls maintain the accuracy and consistency of information; restrict the right to insert, modify, and delete information to authorized parties only; and ensure that information cannot be modified in an unauthorized or undetected manner.

6. MONITORING & RESPONSE Our existing security controls will ensure that the individuals and systems performing actions or sending communications cannot deny having done so. Our environment is continuously monitored by our technology teams. We have implemented various processes that incorporate security technologies such as IPS, next-generation firewalls, and other security controls to detect and respond to security threats. We keep and monitor detailed audit logs of all privileged accounts and administrative actions. Audit logs are also retained with respect to user logons and user activities.

7. VULNERABILITY MANAGEMENT We have implemented a comprehensive vulnerability management program that incorporates periodic scanning and appropriate patching of the environment. Any detected vulnerabilities are remediated in accordance with the Vulnerability Management process.

We also engage a well-recognized third-party security testing organization to carry out a comprehensive penetration test.

8. SECURE DEVELOPMENT LIFECYCLE The security of your data is top of mind throughout our entire development process. Automated analysis tools are used iteratively within the software development process to eliminate insecure code. Our development team is highly security aware and scrutinizes every release for security issues, including the OWASP Top 10 and CWE Top 25. We also conduct regular detailed internal code reviews and application security testing using an automated tool.

All application code is reviewed in detail for potential security vulnerabilities and for compliance with technical standards by senior members of the technology team prior to acceptance into the application. A suite of security tests is performed as an integral part of our QA process. Software releases are deployed to production servers over strongly encrypted, authenticated, and integrity-checked channels.

9. SECURITY INCIDENT MANAGEMENT We have a formal incident response plan that includes our internal processes and our crisis management and communication plan to our internal and external stakeholders.

Nevertheless, 7Geese cannot absolutely guarantee that unauthorized third parties will never be able to defeat our security measures or use your personal information for improper purposes. In the event that your personal information in our possession is compromised as a result of a security breach, we will take reasonable steps to investigate the situation and, where appropriate, notify you and take other steps in accordance with applicable laws or regulations.