Cirra AI

INFORMATION SECURITY

Effective Date: May 2, 2026

Cirra AI maintains an information security program designed to protect Client Data against unauthorized access, use, disclosure, alteration, or destruction. The program is aligned with industry-standard frameworks (including the AICPA Trust Services Criteria for SOC 2) and includes the following measures, which Cirra AI may update from time to time provided that updates do not materially weaken the overall security posture.

1 Governance

Designated security ownership at the executive level.

Written information security and acceptable use policies, reviewed at least annually.

Risk assessments conducted at least annually and following material changes.

2 Personnel Security

Background checks on personnel with access to Client Data, where permitted by law.

Confidentiality obligations for all personnel and contractors with access to Client Data.

Security awareness training at hire and at least annually thereafter.

3 Access Control

Role-based access control with least-privilege principles.

Multi-factor authentication required for administrative access to production systems and code repositories.

Quarterly access reviews and prompt revocation of access upon role change or termination.

Strong password requirements and prohibition of credential sharing.

4 Encryption

Encryption in transit using TLS 1.2 or higher for data flowing between Client and the Services and between Cirra AI components.

Encryption at rest for Client Data stored in production databases and object stores using industry-standard algorithms (e.g., AES-256).

Secret and key management using a managed key store with restricted access.

5 Network and Infrastructure

Hosting on reputable cloud infrastructure providers (e.g., AWS, Google Cloud, Cloudflare) with their own SOC 2 and/or ISO 27001 attestations. Physical and environmental security of hosting facilities (including facility access control, power, cooling, and fire suppression) is managed by the underlying cloud provider and covered by such provider’s independent attestations, which Cirra AI reviews as part of its vendor management program.

Logical network segmentation between production, staging, and corporate environments.

Firewalls, security groups, and intrusion detection and monitoring on production environments.

Hardened, up-to-date base images for production workloads.

Data flow and storage characteristics for the Services, including the limited circumstances in which Client Data may appear in operational logs or short-lived caches, are described in Section A.3 of the Data Processing Addendum.

6 Software Development

Source code stored in access-controlled repositories with audit logging.

Code review required prior to merging changes to production branches.

Automated dependency scanning and timely remediation of known critical vulnerabilities.

Separation of development, staging, and production environments. Client Data is not used in non-production environments without de-identification or explicit permission.

7 Vulnerability and Patch Management

Regular vulnerability scanning of production infrastructure.

Timely patching of critical and high-severity vulnerabilities according to documented SLAs.

Penetration testing of production environments by qualified internal or third-party testers, conducted no less than annually.

8 Logging and Monitoring

Centralized logging of authentication, authorization, and security-relevant events in production systems.

Log retention consistent with operational and compliance needs.

Alerting on anomalous or suspicious activity, with on-call response.

9 Incident Response

Documented incident response plan covering detection, containment, eradication, recovery, and post-incident review.

Notification of confirmed Security Incidents affecting Client Data within the timelines set forth in Section 5.5 of the MSA.

Annual tabletop or functional exercise of the incident response plan.

10 Business Continuity and Backups

Regular automated backups of Client Data with documented restore procedures.

Documented business continuity and disaster recovery plans, reviewed at least annually.

11 Vendor Management

Risk-based review of third parties that process Client Data, including review of their security attestations or questionnaires. Where reasonably available for the type of vendor, Cirra AI prefers sub-processors with SOC 2, ISO 27001, or equivalent third-party attestation; where not available, Cirra AI relies on contractual security commitments and direct due diligence.

Written agreements with sub-processors imposing security obligations no less protective than those in this Exhibit.

12 Compliance Roadmap

Cirra AI is in the process of obtaining a SOC 2 Type 2 attestation covering, at a minimum, the Trust Services Criterion for Security. Until such attestation is issued, Cirra AI may provide its most recent SOC 2 Type 1 report, a formal letter of engagement from its compliance vendor, or a comparable written attestation, in satisfaction of Section 6.3 of the MSA.