Safeguards

Capitalized terms that are used but not defined below are used as defined in Copper’s Terms of Service (https://www.copper.com/terms).

1) Physical Access. Copper will maintain physical access controls designed to secure relevant facilities, infrastructure, data centers, hard copy files, servers, backup systems and Copper-owned equipment (including mobile devices) used to access Customer Personal Information.

2) User Authentication. Copper will maintain user authentication and access controls within operating systems, applications and equipment.

3) Personnel Security. Copper will maintain policies and practices restricting access to Customer Personal Information, including requiring written confidentiality agreements and background checks consistent with Applicable Law for all Copper personnel who are authorized to Process Customer Personal Information or who maintain, implement, or administer Copper’s information security program and Safeguards.

4) Logging and Monitoring. Copper will log and monitor access to Customer Personal Information on networks, systems and devices operated by Copper.

5) Malware Controls. Copper will maintain Reasonable controls designed to protect all networks, systems and devices that access Customer Personal Information from malware and unauthorized software.

6) Security Patches. Copper will maintain controls and processes designed to update networks, systems and devices (including operating systems and applications) that access Customer Personal Information, including prompt implementation of identified high-severity security patches when issued and validated for Copper’s environment.

7) Access Controls. Copper will maintain controls designed to restrict access to Customer Personal Information to only personnel who have a legitimate need to Process Customer Personal Information under the Agreement.

8) Training and Supervision. Copper will provide reasonable ongoing privacy and information protection training and supervision for all Copper’s personnel who access Customer Personal Information.

9) Vulnerability Testing. Copper will periodically obtain third-party vulnerability testing of its systems and software used to access Customer Personal Information and will obtain penetration tests by an independent third-party expert at least annually. Copper’s security personnel will review and take steps to address vulnerabilities revealed by such tests in accordance with Copper’s security policies and practices.

10) Encryption. Customer Personal Information stored and/or transmitted by Copper will be encrypted by generally-accepted, non-proprietary encryption algorithms, such as AES-256, subject to applicable technological constraints and legal requirements.