Security Addendum

This Security Addendum forms part of the agreement with Lead Intelligence, Inc. dba InfutorData (“Infutor”) that incorporates this addendum by reference (the “Agreement”). The Agreement may be either the Master Agreement terms available at master-agreement or a signed agreement between the parties that references this addendum. References to “Licensee” in this addendum refer to the counterparty to the applicable Agreement.

1. UPDATES TO THIS ADDENDUM

The current version of this addendum is located at https://infutor.com/master-agreement. In the event of any inconsistency between this addendum and the version provided on Infutor’s website, the website version will control.

2. DEFINITIONS

Capitalized terms used but not defined within this addendum will have the meaning set forth in the Agreement. The definitions below apply only to this addendum.

“Infutor Security Breach” means any confirmed unauthorized or improper use of or access to Infutor Systems resulting in confirmed use or disclosure of Licensee Data under the control of Infutor during the term of the agreement. Any attempts or activities of a routine nature that, based on a reasonable determination by Infutor, do not pose a material risk to the security, confidentiality, or integrity of Licensee Data are not a Infutor Security Breach. Such activities include ping or broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing, or other unauthorized access to traffic data that does not result in access beyond headers

“Infutor Systems” means Infutor’s systems, networks, and facilities that host, receive, or transmit Licensee Data.

3. INFUTOR INFORMATION SECURITY PROGRAM

Infutor has implemented an information security program to protect Data and Confidential Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and to maintain the integrity and availability of the Infutor Systems (the “Infutor ISP”). The Infutor ISP aligns to best practices such as those identified by the International Organization for Standardization (ISO/IEC 27001), the National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity”, or any successor or equivalent standard.

Infutor shall maintain compliance with the Infutor ISP during the term of this agreement. Infutor may update the Infutor ISP if such updates do not result in a material reduction of the security of the Infutor Systems.

4. INFUTOR ISP SUMMARY

A) Access Controls

The Infutor ISP includes policies to 1) secure physical access to Infutor Systems and data centers, 2) restrict access to Data and the Infutor Systems to authorized persons; 3) regularly evaluate and adjust user permissions; 4) ensure that Data cannot be read, copied, altered or removed without authorization, 5) provide for “least privilege” access, 6) require strong passwords and multi-factor authentication where applicable, and 7) provide an audit trail of access to Data and the Infutor Systems.

B) Logical Separation and Encryption

The Infutor ISP includes logical controls and instancing policies to segregate each Licensee’s Licensee Data from that of other customers of Infutor, and requirements for encryption of Data (at rest and in motion) that comply with the standards outlined in the Federal Information Processing Standard (FIPS) Publication 140-2.

C) Updates, Monitoring, and Vulnerability Assessment

The Infutor ISP includes procedures for ongoing monitoring of the current threat environment and both first-party and third-party security evaluations on an ongoing basis, including vulnerability scanning, prompt application of software and firmware updates, logging of access attempts, and external threat surface configuration and monitoring.

D) Training and Employee Confidentiality

All Infutor employees are required to complete security awareness and training programs that address the confidentiality and protection of Data and Confidential Information, and are bound to confidentiality requirements substantially similar to the requirements in this agreement.

E) Third-Party Risk Management

Infutor has a third-party service risk management oversight program that controls and manages activities associated with external parties where security risks could lead to losses or produce adverse effects. The program identifies security risks and remediations for third-party providers utilized by Infutor in the performance of its obligations under the Agreement.

F) Disaster Recovery

The Infutor ISP includes disaster recovery, business continuity, and contingency plan policies and procedures providing for continued operation without a substantial reduction of functionality or security during a significant event affecting Infutor's business operations.

G) Licensee Review of Infutor ISP

Infutor will provide summaries of a) the Infutor ISP, b) summaries of security audits, and c) other documentation such as certifications as reasonably requested by Licensee. Infutor will provide responses to Licensee security questionnaires no more than once per year, and only as can be provided without undue disruption of Infutor’s business activities. All such documentation and information provided to Licensee is Infutor’s Confidential Information.

5. SECURITY BREACH NOTIFICATION AND RESPONSE

Infutor shall notify Licensee of a confirmed Infutor Security Breach no more than 72 hours after Infutor’s confirmation of such breach.

Infutor shall take commercially reasonable action to remediate and mitigate the effects of any Infutor Security Breach. Infutor shall cooperate with reasonable requests for information from Licensee or its representatives regarding the Infutor Security Breach.

Unless otherwise required by Applicable Law, Infutor will notify Licensee before providing any notification to any other person or entity, except where required by law to any data protection agency or law enforcement agency. Such notification shall not reference Licensee in connection with the Infutor Security Breach without Licensee’s prior written consent.

6. SUBCONTRACTING

Any third-party subcontractors selected by Infutor that are used to fulfill Infutor’s obligations to Licensee under the Agreement shall be subject to substantially similar contractual terms and conditions as Infutor regarding the security and privacy of Licensee Data.