Security Addendum

Effective Date: February 6, 2023

This Security Addendum (the “Addendum”) is incorporated into and made a part of the written agreement between Retail Zipline and Customer that references this document (the “Agreement”). All capitalized terms not defined in this Addendum have the meaning given to them in the Agreement. This Addendum shall apply to all Customer Data processed by Retail Zipline and may be updated by Retail Zipline from time to time.

1. Security Program

1.1 Retail Zipline has developed, implemented, and maintains a comprehensive documented security program that provides administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, availability and security of Retail Zipline’s Services and Customer Data (the “Security Program”).

1.2 Retail Zipline maintains policies and procedures that generally align with established information security industry standards, such as the standards published by International Organization for Standardization (ISO), or other substantially equivalent standards.

1.3 Retail Zipline regularly, and at least annually, assesses its Security Program and performs risk assessments to identify threats and risks and to test the effectiveness of the Security Program.

1.4 From time to time, Retail Zipline may update its Security Program in order to make enhancements to such Security Program.

2. Third Party Audits & Certifications

2.1 At least once per year, Retail Zipline’s systems and Security Program shall be assessed by independent third-party auditors (each such audit, a “Third-Party Audit”).

2.2 As of the Effective Date of this Addendum, Retail Zipline maintains the following Third-Party Audit certifications: SOC 2 Type II.

2.3 Customer may request Third-Party Audits as described in Section 11.1.

3. Systems & Network Security

3.1 Access Control and Device Management

3.1.1 Retail Zipline employees have access to Customer Data only when there is a legitimate business need; for example, to provide Customer support or to improve the functionality of the Services. All access to Customer Data is logged.

3.1.2 Shared accounts for any system are never allowed. All individuals must have their own account which uniquely identifies them by first and last name. Two-factor authentication and single sign-on is enforced for all user accounts, where supported by the tool or service. Retail Zipline’s employees and contractors (collectively, “Personnel”) are not authorized to move Customer Data out of security reviewed and approved systems.

3.1.3 Access to Customer Data is reviewed on an ongoing basis and immediately revoked if there is no longer a legitimate business need, or the individual has been terminated. Retail Zipline has documented onboarding and offboarding plans, ensuring that all access is revoked upon termination.

3.1.4 Apple laptops issued to company personnel are managed using the Fleetsmith device management solution to ensure they follow an automatic screen lock policy, employ full-disk encryption, are kept up-to-date with the latest operating system updates and security fixes from Apple, and critical applications are running at a minimum version number with secure settings.

3.2 Network and Infrastructure Security

3.2.1 All Customer Data is encrypted at rest using AES-256. All Customer Data is encrypted in transit using TLS1.2 and the latest and most secure cipher suite supported by the Customer.

3.2.2 Each customer has its own subdomain and database schema to separate data into logically separate databases. Tenancies are separated by routing requests for data based on the subdomain of the authenticated user.

3.2.3 Production and testing environments are logically separated and the cloud environment is logically and physically separated from Retail Zipline’s corporate offices and networks.

3.3 Monitoring and Logging. For the purposes of security monitoring, application performance monitoring and troubleshooting, Retail Zipline keeps the following internal audit reports, change logs, authentication logs, and event logs:

3.3.1 All application requests and events are logged, creating a record of system input and output activities.

3.3.2 All database changes and file uploads are logged, creating a record of system storage activities.

3.3.3 All changes to the application codebase and company infrastructure are logged to track and detect changes.

3.3.4 Access to any systems containing data input, output, or processed data is protected by role-based access control. All changes to users, roles, permissions, and access levels are logged to create a record of authorization changes.

3.4 Retail Zipline does not make each of these logs directly available to Customer for integration into its own SIEM. However, Retail Zipline is able to assist Customer with suspected Security Incidents and data breaches by performing historical log analysis.

3.5 Software Development Security.

3.5.1 The Retail Zipline platform is built using secure software development processes which ensure all code is peer reviewed by a senior member of the development team, and security fixes can be released with zero downtime.

3.5.2 Popular, well-tested libraries and frameworks are used. Retail Zipline subscribes to the notification systems and mailing lists of these frameworks to be alerted of any security vulnerabilities which are discovered.

3.5.3 Retail Zipline has technical controls and automation in place to catch security vulnerabilities, fix security issues, and ensure only secure code is deployed to production. This includes automated security testing using both static and dynamic analysis.

3.5.4 The security processes described in this subsection 3.5 apply to all open source that may be integrated or used in Retail Zipline’s platform. Third-party dependencies are regularly and automatically checked for vulnerabilities.

3.6 Vulnerability Detection and Management

3.6.1 Penetration Testing. A yearly structured penetration test is performed of the Retail Zipline application, network, and infrastructure by an independent third party.

3.6.2 Vulnerability Detection. Retail Zipline runs network vulnerability scans against information processing systems at least monthly, and uses reasonable efforts to remediate findings following industry standard timelines.

3.6.3 Vulnerability Management. Retail Zipline uses Common Vulnerability Scoring System to standardize how the severity of a vulnerability is determined. Vulnerabilities are classified as critical, high, medium, or low, based on their impact to confidentiality, integrity, and availability of Retail Zipline’s systems. Resolution times and implementation of patches, where applicable, shall be pursuant to Retail Zipline’s documented severity and risk assessment guidelines.

3.6.4 Malware. Retail Zipline performs real-time and regularly scheduled malware checks of its systems using industry standard detection and scanning programs.

3.6.5 Anti-Virus. Retail Zipline’s company laptops, the Zipline application, and its hosting infrastructure implement practices and software to limit the risk of exposure to software viruses. However, Retail Zipline does not scan customer file uploads. It is the responsibility of customers to implement their own corporate anti-virus solution, in addition to Retail Zipline and its hosting provider’s controls.

3.6.6 Firewall System. Retail Zipline’s application runs in its own isolated environment and cannot interact with other applications or areas of the hosting service. The restrictive operating environment is designed to prevent security and stability issues. The hosting instances are self-contained environments with host-based firewalls, restricting applications from establishing local network connections, and preventing inbound connections other than those required during normal application usage.

4. Physical & Environmental Controls

4.1 Data Centers. Retail Zipline reviews and assesses its cloud providers’ physical and environmental controls, including a review of their GDPR compliance programs, and industry certifications such as SOC 2 and ISO 27001. Such controls shall include, but are not limited to the following:

4.1.1 Climate control systems;

4.1.2 Physical access to the facility is controlled at ingress and egress points and is based on an approval process and visitors are required to present ID and sign-in is logged;

4.1.3 Facilities utilize monitor and alarm response procedures;

4.1.4 Facilities are monitored using CCTV;

4.1.5 Physical access to servers is managed by access control devices; and

4.1.6 Power back-up and redundancy systems.

5. Security Features for Customers, Employees, and Application Administrators

5.1 Anything posted by Customer to Retail Zipline is private to Customer’s organization.

5.2 Customers are provided with tools to protect the privacy of information within their organization by deciding how it is shared. These tools include, for example, role based access control, with multiple levels of permissions providing or restricting access to data and functionality.

5.3 SSO (single sign-on) can be enabled via SAML 2.0, ensuring Customer has complete control and visibility of user accounts.

6. Customer Data Storage & Access

6.1 All Customer Data shall be stored in the United States in Retail Zipline’s data centers. As of the Effective Date, these are AWS and Heroku.

6.2 No Customer Data shall be stored outside of the United States without first notifying Customer. Notwithstanding the foregoing, Customer agrees and acknowledges Retail Zipline’s Personnel may view and access Customer Data remotely and outside of the United States, solely for purposes of providing the Services.

7. Administrative Controls

7.1 Personnel Training. Retail Zipline maintains documented security awareness training program for its personnel, including, but not limited to, onboarding and on-going training.

7.2 Background Checks. Retail Zipline uses a third-party background checking service to perform criminal background checks on all U.S. and Canadian employees.

7.3 Agreements & Policies. All Retail Zipline Personnel are required to comply with confidentiality obligations to protect the confidentiality of all data and information received in the performance of their duties to Retail Zipline. In additional all Personnel are required to comply with Retail Zipline’s Information Security Policy, Acceptable Use Policy, and Network Security Policy.

7.4 Vendor Risk Management. Retail Zipline maintains a vendor risk management program that assesses all vendors that access, store, process, or transmit Customer Data for appropriate security and privacy controls.

8. Incident Detection & Response

8.1 Retail Zipline has incident response policies and procedures in place that include an escalation plan based on the nature and severity of the incident to senior management and the board of directors, as necessary.

8.2 If Retail Zipline becomes aware of a breach of Retail Zipline’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Retail Zipline shall notify Customer without undue delay, and in any case, where feasible, within 72 hours after becoming aware of the Security Incident. Such notice shall be delivered to the email address provided by Customer during the onboarding process, or such other email address as notified by Customer to Retail Zipline from time to time. Customer is responsible for ensuring the email address provided for these purposes is accurate and up to date.

8.3 Security Incident severity levels are defined based on how Security Incidents impact Retail Zipline’s customers and their business objectives, and target response times are formally defined based on these severity levels. This ensures Security Incidents are investigated and resolved within suitable timeframes that minimize business impact. In the event of a Security Incident, Retail Zipline shall promptly take reasonable steps to mitigate and investigate the Security Incident.

8.4 Retail Zipline shall provide Customer with information regarding the Security Incident, including, to the extent known to Retail Zipline at such time, a summary of the event, the nature and consequences of the Security Incident, measures taken and or proposed to be taken to mitigate the Security Incident, and other related information available to Retail Zipline at such time. Retail Zipline shall cooperate with information reasonable requested by Customer regarding the Security Incident. Security Incidents will not include unsuccessful attempts to, or activities that do not, compromise the security of Customer Data including, without limitation, unsuccessful log in attempts, denial of service attacks, and other similar attacks on firewalls or network systems. Retail Zipline’s obligation to report or respond to a Security Incident will not be construed as an acknowledgement by Retail Zipline of any fault or liability with respect to the Security Incident.

8.5 Retail Zipline Personnel and Customer may communicate Security Incidents to [email protected].

8.6 Customer are given an emergency phone number to report serious incidents and outages.

8.7 Lessons learned from previous Security Incidents are incorporated into Retail Zipline’s incident response plan.

8.8 A root cause analysis is performed for all Security Incidents to understand how to prevent the same incident from happening again.

9. Retention & Deletion of Customer Data

9.1 Retail Zipline retains Customer Data for 2 years after termination, expiration, or non-renewal of the Agreement, solely for purposes of complying with legal obligations, including any security incidents following termination of the Agreement.

9.2 Should Customer wish to obtain a copy of the Customer Data upon termination, expiration, or non-renewal of the Agreement, Customer shall notify Retail Zipline in writing within thirty (30) days of the termination or expiration of the Agreement. Retail Zipline shall return to Customer a copy of the Customer Data in Retail Zipline’s then current machine-readable format. Should Customer require a special formatting or additional work to be performed by Retail Zipline in connection with such Customer Data return, Retail Zipline reserves the right to charge Customer an additional fee.

10. Service Continuity

10.1 Data Back-Up

10.1.1 All production Customer Data is included in Retail Zipline’s back and restore procedures. Retail Zipline uses a database as a service provider which allows the database to be quickly and easily restored from a historical back-up.

10.1.2 Full back-ups are taken daily and kept for 8 days.

10.1.3 Full back-ups are taken weekly and kept for 8 weeks.

10.1.4 Full back-ups are taken monthly and kept for 2 years.

10.2 Retail Zipline is able to restore data from a specific period of time, for a specific customer in the event that data is accidentally modified or deleted by a Customer employee.

10.3 Disaster Recovery. Retail Zipline (i) maintains a disaster recovery plan (the “DR Plan”) that is consistent with industry standards for the Services; (ii) tests the DR Plan at least once per year; (iii) upon request, shall make available summary test results to Customer; and (iv) document any action plans within the summary test results taken or to be taken to promptly address and resolve any material deficiencies in the DR Plan identified by such tests.

10.4 Business Continuity. Retail Zipline will maintain a business continuity plan (“Business Continuity Plan”) to minimize the impact to its provision and support of the Services from an event. The Business Continuity Plan (i) includes processes for protecting personnel and assets and restoring functionality in accordance with the time frames outlined in the Business Continuity Plan, including Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO); and (ii) shall be tested annually and updated based on any material deficiencies identified during such tests. Retail Zipline’s RTO is four (4) hours, and its RPO is twenty-four (24) hours.

11. Customer Audit Rights

11.1 Upon Customer’s written request, Retail Zipline shall provide to Customer or Customer’s third party auditor, access to reasonably requested documentation evidencing Retail Zipline’s compliance with its obligations under this Addendum, including summaries of its Third-Party Audit certification reports (collectively, the “Certification Reports”).

11.2 Should Customer reasonably consider such Certification Reports to be inadequate, Customer may request in writing to perform an audit of Retail Zipline’s applicable controls, including inspecting its facilities, provided Customer may not, without Retail Zipline’s express, prior written consent (in its sole and absolute discretion), conduct any penetration or vulnerability testing. The parties shall mutually agree in advance on the details of the audit, including reasonable start date, scope, and duration of the audit, as well as security and confidentiality controls applicable to any such audit. The purpose of such audit shall be strictly limited to verifying whether Retail Zipline is processing Customer Data in accordance with the obligations in the Agreement. Such audit shall be at Customer’s sole and exclusive cost, provided Retail Zipline reserves the right to charge a fee for any such audit, depending on the time and resources required under such audit. Customer shall reimburse Retail Zipline for all costs incurred by Retail Zipline and time spent by Retail Zipline in connection with any such audit. If an audit finds that Retail Zipline is not in compliance with its obligations under this Addendum or the Agreement, Retail Zipline will use commercially reasonable efforts to promptly take actions necessary to comply with such audit findings.

11.3 Any request for Certification Reports under Section 11.1 or to conduct an audit under Section 11.2 shall be made with no less than ten (10) business days prior written notice, and shall not be requested or performed, as applicable, more than once in a twelve (12) month period, unless (i) there has been a Security Incident and Customer reasonably considers such an audit necessary, or (ii) Customer is required to carry out such audit by Data Protection Law or a Supervisory Authority. All Certification Reports and any information disclosed pursuant to an audit hereunder shall be deemed Retail Zipline’s Confidential Information.

12. Shared Security Responsibilities. Customer agrees that:

12.1 It is responsible for managing and protecting its User roles and credentials, as more specifically set forth in the Agreement. Such obligations shall include: (i) ensuring all Users keep credential confidential and not share such information with unauthorized partis, (ii) promptly reporting to Retail Zipline any suspicious activities related to Customer’s account, and (iii) maintaining appropriate password uniqueness, length, complexity, and expiration.

12.2 It is responsible for properly and appropriately configuring User and role-based access controls, including scope and duration of User access and managing and protecting any Customer-managed encryption keys.

12.3 It is responsible for updating its software when Retail Zipline announces updates are required to continue to operate the Services.

13. Order of Precedence. In the event of any conflict between the terms of the Agreement, the DPA, and this Addendum with respect to the party’s security obligations, the Order of precedence shall be as follows: (i) this Addendum, (ii) the DPA, and (iii) the Agreement.