1.     Purpose. This Security Policy summarizes the technical and organizational measures that CiteRight presently has implemented to protect Customer Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. CiteRight may adapt such measures from time to time, for example, as a result of the development of regulations, technology and other industry considerations. In any event, the implemented technical and organizational measures shall ensure a level of security appropriate to the risks presented by the Processing and the nature of the Customer Data to be protected, taking also into account the state of technology and costs of implementation.

2.     Information Security Management System (the “ISMS”). CiteRight maintains a written information security management program designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The ISMS may be updated from time to time based on changes in applicable legal and regulatory requirements, best practices and industry standards related to privacy and data security.

3.     Standards. CiteRight uses commercially reasonable and appropriate methods and safeguards to protect the confidentiality, availability and integrity of Customer Data. CiteRight’s information security practices have been designed to leverage best practices for securing Customer Data as identified in ISO 27001 and ISO 27017 (or substantially equivalent or replacement standards) or other generally accepted authoritative standards (e.g., SSAE 16, SOC2).

4.     CiteRight Personnel. CiteRight maintains written policies and procedures that address the roles and responsibilities of CiteRight Personnel, including both technical and non-technical personnel, who have access to Customer Data in connection with providing the Cloud Services. All CiteRight Personnel with access to Customer Data receive annual training on the ISMS. CiteRight ensures that access rights are revoked for all CiteRight Personnel immediately upon the termination of their employment, contractual or other relationships with CiteRight.

5.     Information Security Infrastructure.

5.1. Asset Inventory. CiteRight maintains inventories of all computing equipment and media used in connection with the Processing of Customer Data. Access to such inventories is restricted to authorized CiteRight Personnel.

5.2. Access Controls for CiteRight Personnel.

(a)   Access Policy. CiteRight enforces an access control policy (physical, technical and administrative) based on least privileges principles.

(b)   Access Authorization.

(i)     CiteRight maintains an authorization management system designed to ensure that only authorized CiteRight Personnel (technical and non-technical) are granted access to systems containing Customer Data.

(ii)    All CiteRight Personnel accessing systems containing Customer Data have a separate, unique username. Deactivated and expired usernames are not recycled or otherwise granted to other individuals.

(iii)   CiteRight restricts access to Customer Data solely to CiteRight Personnel who have a need to access the Customer Data in connection with the CiteRight Services or as otherwise required by applicable Law.

5.3. Authentication.

(a)   CiteRight uses industry standard practices, including strong authentication, to identify and authenticate all CiteRight Personnel who attempt to access CiteRight network or information systems.

(i)     Where authentication credentials of CiteRight Personnel are based on passwords, CiteRight requires that such passwords meet minimum requirements for length and complexity. CiteRight maintains practices designed to ensure the confidentiality and integrity of passwords when assigned, distributed and stored.

(ii)    Accounts of CiteRight Personnel are locked out in case of repeated attempts to gain access to the information system using an invalid password.

5.4. Encryption. CiteRight encrypts Customer Data at rest within the CiteRight Services using ciphers at least as strong as 256-bit AES. Customer Data in transit to and from the CiteRight Services is transferred to/from the CiteRight Services across encrypted network connections and/or protocols (i.e., HTTPS and/or VPN). Backups of Customer Data are encrypted and stored in a secondary data center.

5.5. Network and Host Security.

(a)   Network Security. CiteRight utilizes an enterprise-class security information and event management (SIEM) system and maintains firewalls and other control measures (e.g., security appliances, network segmentation) to provide reasonable assurance that access from and to its networks is appropriately controlled.

(b)   Security Updates. CiteRight uses reasonable efforts to ensure that the CiteRight Services operating systems and applications that are associated with Customer Data are patched and otherwise secured to mitigate the likelihood and impact of security vulnerabilities in accordance with CiteRight patch management processes and within a reasonable time after CiteRight has actual or constructive knowledge of any critical or high-risk security vulnerabilities.

(c)   Malicious Software. CiteRight maintains anti-malware controls to help prevent malicious software from causing accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

5.6. Physical Security.

(a)   CiteRight maintains physical security safeguards at any facilities where CiteRight hosts Customer Data. Physical access to such facilities is only granted following a formal authorization procedure and access rights are reviewed periodically.

(b)   Such facilities are rated as Tier 3 data centers or greater, and access to such facilities must be limited to identified and authorized individuals. Such facilities use a variety of industry standard systems to protect against loss of data due to power supply failure, fire and other natural hazards.

5.7. Backups. CiteRight provides 24/7 managed backup services that include Customer Data stored in the primary site backed up on at least a daily basis to a secondary site. CiteRight provides backup services for all components of the solution included in the Cloud Services. Backups are maintained for a period of ninety (90) days in the primary data center, and ninety (90) days in the secondary data center.

(a)   Data Management. CiteRight maintains commercially reasonable controls for information governance and data management in connection with the Cloud Services. CiteRight destroys, deletes, or otherwise makes irrecoverable Customer Data upon the disposal or repurposing of storage media. Customer Data for each Customer is logically separated from the Customer Data of other CiteRight customers.

6.     Independent Assessments. On an annual basis and further subject to the Data Protection Addendum, CiteRight has an independent third-party organization conduct an independent assessment of the standards set forth in paragraph 3 of this Exhibit. Additionally, CiteRight undergoes penetration testing, conducted by an independent third-party organization, on an annual basis.

7.     Business Continuity and Disaster Recovery. CiteRight maintains a business continuity plan that is compliant with ISO 22301. CiteRight also maintains disaster recovery capabilities designed to minimize disruption to the Cloud Services. Included within these plans is disaster recovery incident management, procedures for the recovery of access to Customer Data in the secondary data center, as well as the periodic testing/exercising of the disaster recovery plan.

8.     RPO/RTO. The Recovery Point Objective (RPO) for the CiteRight Services is 4 hours and the Recovery Time Objective (RTO) for the CiteRight Services is 8 hours.

9.     Customer’s Responsibility. Notwithstanding anything contained in this Exhibit B, Customer understands and acknowledges that Customer is solely responsible for implementing and maintaining appropriate security measures for all systems within Customer’s control.

10.  Security Breach Management.

10.1.                Notice. CiteRight will notify Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Breach”) without undue delay after becoming aware of the Security Breach and, in any event, within 72 hours of becoming aware of such Security Breach. CiteRight will cooperate with Customer’s reasonable requests for information regarding any such Security Breach, and CiteRight will provide regular updates on the Security Breach and the investigative action and corrective action taken. CiteRight’s obligation to report or respond to a Security Breach is not an acknowledgement by CiteRight of any fault or liability with respect to the Security Breach.

10.2.                Remediation. In the event of a Security Breach, CiteRight will, at its own expense, (i) investigate the Security Breach, (ii) provide Customer with a remediation plan to address the Security Breach and to mitigate the incident and reasonably prevent any further incidents, (iii) remediate the effects of the Security Breach in accordance with such remediation plan, and (iv) reasonably cooperate with Customer (including, but not limited to, providing audit logs) and any law enforcement or regulatory official investigating such Security Breach.