This Data Management and Security Policy (this “Policy”) describes the controls Oversight has implemented and maintains to protect information or data provided to Oversight directly or indirectly by a customer or a third party, or that Oversight directly or indirectly collects on behalf of a customer, or that Oversight otherwise has access to in connection with the provision of the services under the applicable arrangement (“Data”). This Policy may be updated by Oversight from time to time but only in a manner that retains or increases the stringency of Oversight’s security obligations; such updates will be posted at http://www.oversightsystems.com/exhibit-2.
Oversight complies with applicable privacy, data security, encryption, and other laws and rules, regulations, directives and requirements of government or regulatory agencies, as may be applicable to the use, unauthorized access, confidentiality, protection and security of any Data (collectively, “Data Laws”). The Parties acknowledge that in relation to any Data controlled and owned by a customer and Processed by Oversight in connection with the Services Agreement: (a) each customer owns and retains all right, title, and interest in and to its Data; (b) Oversight is acting solely as a Data Processor and has no discretion regarding the purpose(s) for which such Data is Processed; and (c) Oversight will only access, use, disclose, retain or otherwise Process such Data in accordance with the provisions of the applicable agreement to provide the applicable services. Oversight will provide cooperation and assistance to its customers as may be reasonably required for purposes of compliance with the applicable Data Laws.
Oversight will not disclose Data to any person or entity except as required by law, applicable Data Laws or permitted by the applicable agreement, this Policy or with the affected customer’s written consent. Furthermore, Oversight will not sell, assign, lease, or otherwise make Data available to third parties except as necessary to provide the Service.
If Oversight is required to disclose Data by law, including Data Laws, or by mandatory order of a governmental authority having jurisdiction over Oversight, Oversight will notify the affected customer(s) in advance of such disclosure where permissible and reasonably cooperate with the affected customer(s)’ effort to minimize the extent of such disclosure and maintain the confidentiality of such Data.
Oversight complies with:
The terms “Process” and “Processing” mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Oversight complies with applicable portions of the following standards:
Oversight’s primary and DR colocation data facilities are:
2 CROSS-BORDER DATA TRANSFERS AND PROCESSING
Personal Data means Data that, alone or in combination with other information, is about, related to, or can be used to identify an identifiable natural person. For clarity purposes, hashed, truncated, or encrypted versions of the foregoing that are unusable to uniquely identify an individual are not “Personal Data” for purposes of this Policy. Oversight will not transfer Personal Data outside the U.S. without first requesting approval from our affected customers.
In connection with the provision of Services under the applicable Agreement, if Oversight will Process Personal Data from either the European Economic Area (EEA) or Switzerland, Oversight will enter into applicable data transfer contractual clauses as part of the Agreement on request.
If Oversight is required to access and Process Personal Data from jurisdictions outside of the U.S. and the European Economic Area that are subject to Data Laws restricting, regulating, or otherwise controlling the transfer of Personal Data outside of such jurisdiction, Oversight will take the actions reasonably necessary for compliance with such Data Laws as further specified in the applicable Agreement.
3 SECURITY MEASURES
Oversight has implemented physical, technical, and organizational measures and safeguards with respect to Data and the Processing of the same against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosures or access, and against all other unlawful forms of Processing, consistent with this Policy and with the Data Laws. Oversight will provide Client with information regarding Oversight’s security measures upon request. Oversight limits access to Data to those personnel who have a business need to access the Data in the provision of services under the applicable services agreement.
Oversight follows industry standards and this Policy which include the following minimum controls:
4 DATA BREACH
Oversight will notify the affected customer(s) in writing promptly and without undue delay after any actual or reasonably suspected loss of or unauthorized access to Data (“Data Breach”). In the event of a Data Breach, Oversight shall (a) promptly take all reasonable measures to remediate any such Data Breach; (b) provide the affected customers with a written report of what Oversight did to remediate; (c) provide all necessary cooperation to the affected customers with respect to the notification, investigation, and prosecution of such Data Breach; (d) provide the affected customers with a written plan identifying the measures Oversight will implement to avoid any subsequent Data Breach of similar nature; and (e) comply with all Data Laws. Oversight’s written notice will include all known details of the Data Breach as of the time it is provided, and the notice will be supplemented as new information becomes available. Oversight will provide the foregoing notices only if a Data Breach directly arises from Oversight’s Processing of Data.
5 AUDIT AND VERIFICATION
At least once each calendar year, Oversight will retain a third-party auditor of national reputation (a) to perform audits of Oversight’s Information Security Management System that include Oversight’s Data management systems and (b) to produce audit reports. Oversight will provide a summary copy of such reports to its customers upon request.
Oversight performs internal scans, audits, and compliance checks and will provide an Executive Summary upon request.
Oversight will make available a simulated, sample customer scan target upon request.
Customers who require audits of Oversight’s colocation facilities must pay any costs or fees those vendors charge for participating in customer-requested security evaluations or scans.
6 VULNERABILITY MANAGEMENT
Oversight maintains a Vulnerability Management Program, as part of the greater Risk Management program. Vulnerability Management includes systems hardening, patching, internal scanning, external scanning, and penetration testing.
7 DATA AND RECORD RETENTION
Oversight will retain Data as required to comply with applicable data protection laws and the Agreement. Upon termination or expiration of the Agreement with respect to particular Data not required by Oversight to perform its obligations under the Agreement, Oversight shall securely remove, erase and destroy the Data from its applications, databases and computer systems in accordance with the Agreement, such that no copy of the Data remains or can be accessed in any way. Oversight shall certify such removal, erasure and destruction of Data in writing to Client upon request.
8 SUPPLIER AND SUBCONTRACTOR SECURITY
Oversight maintains a comprehensive Vendor Management Program that includes evaluating the security posture of suppliers and subcontractors before work is performed and then annually based on risk assessment by Oversight.
9 SYSTEMS DEVELOPMENT LIFECYCLE
Oversight’s “Systems Development Lifecycle” process utilizes control standards related to various aspects of the development process such as securing the development environment, source code control, as well as standards around requirements definition, release and deployment, testing and training according to SSAE-18 requirements. Oversight uses test systems that exactly duplicate production for the most efficient problem resolution and highest quality testing.
 The terms “Process” and “Processing” mean any activity performed on or using Data including but not limited to collection, transfer, disclosure, handling, storage, access, or any other use.