‍a. General.  Findigs (“Company” “we” or “our”) believes that information is an extremely valuable asset that must be protected.  Therefore, we have created and implemented an Information Security Program (the “Program”), as further described in this Information Security Addendum (the “Addendum”). The objective of the Program is the effective protection of personally identifiable and other sensitive information relating to Company’s business, customers, and business partners (collectively, “Sensitive Information”). 

b. Definitions.  For the purposes of this Addendum, the terms below have the following meanings whenever capitalized:

1. “Data Incident” means any unauthorized access to or acquisition, disclosure, use, or loss of Sensitive Information resulting from breach or compromise of Company Systems.
2. “Privacy and Security Requirements” means, to the extent applicable: (i) legal requirements (federal, state, local, and international laws, rules and regulations, and governmental requirements) related to the storage and collection of Sensitive Information; and (ii) generally accepted industry standards concerning privacy, data protection, confidentiality, or security of Sensitive Information.
3. “Security Coordinator” means a manager-level employee who is responsible for implementing, coordinating, and maintaining the Program, including without limitation the training of personnel, regular testing of the Program’s safeguards, and evaluation of third party service providers.
4. “Company Systems” means Company’s information technology systems and devices that store, process, and/or transmit Sensitive Information, including without limitation Company’s network, databases, computers, and mobile devices, to the extent applicable.‍
   

c. Sensitive Information.  For clarity, Sensitive Information includes:

1. Any information that personally identifies an individual (including, but not limited to, name, postal address, email address, telephone number, date of birth, Social Security number, driver’s license number, other government-issued identification number, financial account number, or credit or debit card number).
2. All financial, business, legal, and technical information which is developed, collected, learned, or obtained by Company in the course of its business activities that would reasonably be understood to be confidential, including information belonging to or pertaining to Company’s customers.

d. Security Program.  Company shall create, implement, and maintain the Program to include reasonably appropriate administrative, technical, and physical safeguards to protect the confidentiality and security of Sensitive Information.  Company shall also periodically review and update the Program, paying attention to developments in technology, Privacy and Security Requirements, and industry standard practices.  Currently, protection for Company Systems includes:

1. Authorized User authentication controls, including secure methods of assigning, selecting, and storing access credentials, restricting access to Authorized Users, and blocking access after a reasonable number of failed authentication attempts.
2. Access controls and physical facility security measures,  including controls that limit access to Sensitive Information to individuals that have a demonstrable genuine business need-to-know, supported by appropriate policies, protocols, and controls to facilitate access authorization, establishment, modification, and termination. 
3. Regular monitoring of Company Systems to prevent loss or unauthorized access to, or acquisition, use, or disclosure of, Sensitive Information.
4. Technical security measures such as firewall protection, antivirus protection, security patch management, and intrusion detection.
5. Ongoing training and awareness programs designed to ensure workforce members and others acting on Company’s behalf are aware of and adhere to the Program’s policies, procedures, and protocols.
6. Ongoing adjustments to the Program based on periodic risk assessments, comprehensive evaluations (such as third-party assessments) of the Program, and monitoring and regular testing of the effectiveness of safeguards.  Such review shall occur at least annually with additional review occurring whenever there is a material change in Company’s technical environment or business practices that implicate the security of Company Systems.

e. Access Control.

1. Company management provides guidance in creating a secure access environment by establishing access management policies, approving roles and responsibilities, and providing consistent coordination of security efforts across the company.
2.  Rights to use and access Company Systems are based on each Authorized User’s access privileges.  Access privileges are granted on the basis of specific business need (i.e. a “need to know” basis) and are restricted to only those personnel who require such access to perform their job functions as determined by Company management.   
3.  All Company resources, systems, and applications have access controls unless specifically designated as a public access resource.
4.  Physical access to locations where Sensitive Information is stored is restricted to personnel and service providers who require access in order to perform their designated job functions or services.  Where possible, storage areas containing Sensitive Information are protected against potential destruction or damage from physical hazards such as fire or floods. 
5.  Company’s employees, temps, contractors, consultants, and other workers including all personnel affiliated with third parties, are responsible for participating in maintaining secure access to Company Systems and for ensuring that Company adheres to its posted Privacy Policy.

f. System Monitoring and Protection.

1. Company reasonably monitors Company Systems for unauthorized use of or access to Sensitive Information.
2. Company retains, either in-house or on a consultant basis, at least one technician to provide support and routine maintenance of Company Systems and to report any actual or attempted attacks or intrusions to Company.
3. Malware protection software is installed on all computers storing Sensitive Information. At least once per year, all operating systems and applications are upgraded with any currently available security patches or other security-related enhancements available from their providers. To the extent that any personnel use home computers or remote access devices to conduct business, malware protection software is installed on such home computers or remote access devices.
4. To the extent that personnel are supplied with remote access devices such as laptops and handheld wireless access devices, Company labels them and take inventory at least once per year. 
5. Sensitive Information stored on Company Systems is backed up on a regular basis.
   

g. Evaluation and Adjustment of the Program.

1. Company management shall periodically re-assess the reasonably foreseeable internal and external risks to the security and confidentiality of Sensitive Information. 
2. Company reserves the right to revise the conditions of this Program at any time.  Adequate notification of updates will be provided to all personnel.  Personnel are responsible for understanding or seeking clarification of any rules outlined in this document and for familiarizing themselves with the most current version of this Program.
3. Company management will periodically evaluate and adjust the Program as appropriate to address: (a) the current risk assessment, management and control activities; (b) new risks or vulnerabilities identified by Company top management using the standards set forth above; (c) technology changes that may affect the protection of Sensitive Information; (d) material changes to Company’s business, including to the size, scope and type of Company’s business; (v) the amount of resources available to Company; (vi) the amount of Sensitive Information stored or held by Company; (vii) any increased need for security and confidentiality of Sensitive Information; and (viii) any other circumstances that Company management believes may have a material impact on the Program.

h. Personnel and Service Providers. 

1. Company shall exercise necessary and reasonably appropriate supervision over its employees and others acting on its behalf to maintain confidentiality and security of Sensitive Information.
2. Prior to engaging any third-party service provider who may receive Sensitive Information, Company will take reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect the Sensitive Information.
3. Company shall terminate an individual’s access to Company Systems as soon as reasonably practicable after such individual is no longer employed or engaged by Company.  Terminated personnel are required to surrender all keys, IDs, access codes, badges, business cards and the like that permit access to Company’s premises and/or systems.

i. Data Incidents.

1. In the event of a Data Incident, the Security Coordinator will conduct a post-incident review of events and decide the appropriate actions to take to minimize the Data Incident and mitigate the consequences.
2. The Security Coordinator shall be in charge of assembling a qualified incident response team, which will be responsible for handling matters related to the Data Incident.
3. If necessary, the Security Coordinator shall make changes in business practices relating to protection of Sensitive Information following a Data Incident. 
4. The Security Coordinator shall document the foregoing and provide a report to management.

j. Secure Return or Dispositions. Company shall return or dispose of Sensitive Information, whether in paper or electronic form, in a secure manner.