This Security Policy was last revised on December 1, 2018.

Bloomboard, Inc.(“BBI”) will comply with the following security requirements for each customer deployment (“Client”):

1. Maintain an internal security process governing the protection of its own information resources and the resources of others under its control.

2. Ensure that all of BBI’s employees and representatives are covered by a binding nondisclosure agreement.

3. Ensure that only persons with an approved need to know are allowed to access information belonging to the Client, Client’s customer or customer proprietary information, including establishing and maintaining controls that allow a person to access only the specific customer information and information resources required to perform the work specified in the Terms and Conditions executed by BBI and the Client.

4. Secure and protect Client’s proprietary information, Client’s employee proprietary information, and other Client information resources from unauthorized or improper use, theft, accidental or unauthorized modification, disclosure or destruction.

5. Assure the reliability and integrity of all Client information and information resources under its control and of the information processing activities performed with or for the Client.

6. Maintain the proprietary nature and if necessary, the proprietary marking of any Client, Client employee, or Client’s customer proprietary information.

7. Comply with agreed upon arrangements for the movement of information and data between a Client and BBI and between BBI and Users. This also includes either the return of proprietary information to the Client or the complete destruction of proprietary information by shredding or burning or if no other mutually agreed upon means is specified.

8. Use secure web site technology at a level of at least 3-DES encryption or equivalent for collection of user registration information, including passwords.

9. Ensure computer storage devices, e.g., hard or floppy disks, magnetic tape, or optical disks, containing Client, or Client’s customer data are not disposed of or otherwise presented to others unless all Client and Client’s customer proprietary data has been completely obliterated. This includes media used to transmit data and to create backups.

10. Not use or transfer Client, or Client’s customer, information or data for any purpose not authorized in the Terms between the Parties.

11. Implement security changes, security patches and security upgrades in systems, applications and software in a timely manner and commensurate with the threat. However, security changes, security patches or security upgrades shall be implemented within ninety (90) days of their release unless the Client agrees to a delay in implementation within forty-five (45) days of their release.

12. Ensure that authentication mechanisms are complex and not easily overcome. There shall be no known way to bypass the authentication mechanism and obtain entry into the system.

13. Ensure that Internet and other public (including public switched telephone) network connections are designed, implemented and maintained so as to secure and protect information and data, and system operation during the life of the Terms. This includes, but is not limited to, non-repudiation, authentication, authorization, and monitoring issues. The Parties agree that no Internet or other public network connections shall be implemented unless agreed to in writing by the Client prior to implementation. Authentication for remote access, e.g., in-dial, ISDN, wireless or other public switched network access for maintenance or administrative purposes are to use individually identified and a secure access key.

14. Report to Client, within one working day of discovery, any known or suspected unauthorized access, use, misuse, disclosure, destruction, theft, vandalism, modification, or transfer of Client, or Client’s customer, proprietary information.