OTee Security Standards
UPDATED Jan 31st 2025
1. Definitions. For purposes of this Exhibit, the following terms apply:
1.1. “Agreement” means the agreement between OTee and Customer governing Customer’s use of the OTee Platform.
1.2. “Customer Data” means Customer Materials and Customer Personal Data.
1.3. “Customer Materials” means any application(s) and/or material(s) that are developed by Customer on the OTee Platform or uploaded to the OTee Platform by Customer.
1.4. “Customer Personal Data” means Personal Data pertaining to Customer’s Authorized Users of the OTee Platform Processed by OTee on behalf of Customer under the Agreement.
1.5. “Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Customer Personal Data are subject. “Data Protection Laws” shall include, but not be limited to, the California Consumer Privacy Act of 2018 (“CCPA”) and the EU General Data Protection Regulation 2016/679 (“GDPR”).
1.6. “OTee Platform” has the meaning provided in the Agreement.
1.7. “Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
1.8. “Process” or “Processing” means any operation or set of operations which is performed on Customer Data or sets of Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.9. “Security Incident(s)” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data attributable to OTee.
1.10. “Subcontractors” means OTee’s third party service providers who Process Customer Data.
1.11. “Systems” means the applications, databases, infrastructure, and platforms under OTee’s control that are utilized to Process Customer Data.
2. Policies and Codes of Conduct
2.1. OTee maintains an Information Security Policy and reviews it at least annually, including after any major changes occur in applicable law or regulatory guidance or are otherwise made to the Systems.
2.2. OTee maintains codes of conduct and other policies covering anti-bribery and corruption, whistle-blowing and other ethics policies (such as anti-money laundering and anti-slavery) and communicates these policies to all relevant staff. OTee’s codes of conduct are available upon request.
2.3. OTee implements processes designed to ensure ongoing compliance with these policies and to identify any areas of non-compliance and enable OTee to take action against them. Failure to comply with policies is addressed through appropriate disciplinary actions.
3. Information Security Program
3.1. OTee will assign responsibility for information security management to senior personnel.
3.2. OTee will implement technical and organizational measures designed to protect against unauthorized or unlawful processing of Customer Data and against accidental loss or destruction of, or damage to, Customer Data, including a written information security program, which includes policies, procedures, and technical and physical controls designed to ensure the security, availability, integrity and confidentiality of Customer Data.
4. Background Checks and Confidentiality
4.1. OTee conducts pre-employment background screening on employees and contractors who will access Customer Data in the ordinary course of performing their job responsibilities, to the extent legally permissible and practicable in the applicable jurisdiction.
4.2. OTee requires all OTee employees and Subcontractors to execute a confidentiality agreement as a condition of employment or engagement and to follow policies on the protection of Customer Data.
5. Access Control
5.1. OTee assigns unique User IDs to authorized individual users to access Systems. All access to Systems must be authorized and authenticated.
5.2. OTee access rights to Customer Data are based on the principle of least privilege and designed to ensure that persons entitled to use a System have access only to the Customer Data for which they have a business need.
5.3. OTee maintains an accurate and up-to-date list of all personnel who have access to Systems and has a process to promptly disable access by any individual personnel within one business day of that individual’s transfer or termination.
5.4. OTee periodically reviews and revokes Systems access rights, as needed, and logs and monitors such access.
5.5. Non-privileged users are prohibited from executing privileged functions, including, but not limited to, disabling, circumventing, or altering implemented security safeguards/countermeasures.
5.6. OTee maintains a password management policy designed to ensure strong passwords consistent with industry standard practices and requires the use of multi-factor authentication to access Systems. Passwords are promptly changed if OTee becomes aware that an account has been compromised.
5.7. OTee implements controls designed to ensure that Systems access is subject to appropriate authentication and user access controls:
- User IDs are unique and authorized;
- User accounts are granted the minimum required privileges to enable a user to perform their designated function;
- Access to audit trails is restricted and logged;
- Default accounts are deleted or disabled where possible and suitably authorized and controlled where this is not possible;
- Privileged accounts (e.g., administrator, root) are only used when technically required under change control procedures and not for day-to-day system operation;
- Where privileged account access is used, this access is logged and reviewed and access can be attributed to a named individual.
6. Logging, Audit, and Accountability
6.1. OTee will create, protect, and retain Systems audit records to maintain integrity and enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate Systems activity.
6.2. OTee performs reviews and analyses of Systems audit records on a regular basis to detect significant unauthorized activity with respect to Systems.
7. System Change Control
7.1. OTee establishes a configuration baseline for Systems using applicable information security standards, manufacturer recommendations, or industry standard practices. Monitoring is intended to validate that Systems are configured according to the established configuration baseline.
7.2. The introduction of new systems is controlled, documented, and enforced by the use of formal change control procedures including documentation, specifications, testing, quality control, recovery, and managed implementation.
7.3. OTee employs controls designed to secure source code, including version control, segregation of source code repositories, and least privilege access principles.
7.4. OTee follows a structured secure development methodology and adheres to secure coding standards. OTee conducts dynamic and static security scans and vulnerability assessments before releasing to production, with the goal of identifying and remediating security vulnerabilities prior to production release.
7.5. OTee employs reasonable controls designed to remove or disable unnecessary ports and services from Systems in accordance with the vendors’ recommendations and settings.
8. Vulnerability Management
8.1. OTee maintains up-to-date anti-malware software and a vulnerability management program to remediate critical vulnerabilities promptly, within commercially reasonable timeframes that reflect the level of risk.
8.2. Once a patch is released, and the associated security vulnerability has been reviewed and assessed for its applicability and importance, the patch is applied and verified in a timeframe which is commensurate with the risk posed to Systems.
8.3. Internal vulnerability assessments are conducted on the Systems on a regular basis and following the development of new components of the Systems. Any remediation items identified as a result of an assessment are resolved as soon as possible on a timetable commensurate with the risk. OTee communicates the tests performed, findings, and resolution stages on an ongoing basis.
8.4. OTee uses commercially reasonable efforts to regularly identify software vulnerabilities and, in the case of known software vulnerabilities, to provide relevant updates, upgrades, and bug fixes.
8.5. OTee deploys intrusion detection processes to monitor and respond to alerts which could indicate potential compromise of Customer Data.
9. Capacity Planning
9.1. OTee maintains a capacity management program that continuously and iteratively monitors, analyses, and evaluates the performance and capacity of the Systems.
10. Physical and Environmental Security
10.1. OTee implements physical access control measures at OTee facilities and data centers designed to prevent unauthorized access to Systems (e.g., access ID cards, card readers, front desk officers, alarm systems, video surveillance, and exterior security).
11. Security Incidents
11.1. OTee will maintain an information security incident management program that addresses management of Security Incidents, including an Incident Response Plan that specifies actions to be taken in the event of a Security Incident.
11.2. Upon becoming aware of a Security Incident, OTee agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Customer. Where possible, such notice will include all available details required under Data Protection Laws for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
11.3. OTee will take reasonable measures to mitigate the risks of further Security Incidents.
12. Subcontractors
12.1. OTee will conduct a risk-based review of all Subcontractors designed to ensure that they are taking appropriate technical and organizational measures.
12.2. OTee will enter into agreements with its Subcontractors that require such Subcontractors to secure and protect Customer Data by using at least the same degree of care outlined in this Standard.
13. Data Encryption
13.1. OTee encrypts Customer Data in OTee’s possession or control so that it cannot be read, copied, changed, or deleted by unauthorized personnel while in transit and storage, including when saved on removable media.
13.2. Keys are protected from unauthorized use, disclosure, alteration, and destruction, and have a backup and recovery process.
13.3. If a private key is compromised, all associated certificates will be revoked.
14. Data Retention
14.1. At the expiry or termination of the Agreement, OTee will, at Customer’s option, delete or return all Customer Data (excluding any back-up or archival copies which shall be deleted in accordance with OTee’s data retention schedule), except where OTee is required to retain copies under applicable laws, in which case OTee will isolate and protect that Customer Data from any further Processing except to the extent required by applicable laws.
15. Secure Disposal
15.1. OTee implements controls designed to ensure the secure disposal of Customer Data in accordance with applicable law taking into account available technology so that Customer Data cannot be read or reconstructed.
15.2. Media will be securely erased electronically before disposal by overwriting or degaussing, or physically destroyed prior to disposal or reassignment to another system. Media cleansing/wipe products and processes prior to disposal comply with NIST SP 800-88 standard, “Guidelines for Media Sanitization” (or its successor) or equivalent industry standards.
16. Risk Assessments
16.1. OTee will maintain a risk assessment program that includes regular risk assessments and controls for risk identification, analysis, monitoring, reporting and corrective action.
16.2. At least annually, OTee will perform risk assessments (either internally or with contracted, independent resources) to identify risks to Customer Data, risks to OTee’s business assets (e.g., technical infrastructure), threats against those elements (both internal and external), the likelihood of those threats occurring, and the impact upon the organization.
17. Asset Management
17.1. OTee will have an asset management program that classifies and controls hardware and software assets throughout their life cycle.
18. Business Continuity and Disaster Recovery
18.1. OTee will use industry standard practices for redundancy, robustness, and scalability designed to maintain the availability of the OTee Platform.
18.2. OTee implements and maintains contingency plans to address emergencies or other occurrences (for example, fire, vandalism, system failure, and natural disaster) that could damage or destroy Systems or Customer Data, including a data backup plan and a disaster recovery plan with at least annual testing of such plans. OTee may not modify such plans to provide materially less protection to the Customer without the Customer’s prior written consent, which may not be unreasonably conditioned or withheld.
18.3. Backups are taken and recovery is tested on a regular basis.
19. Security and Privacy Training
19.1. OTee conducts mandatory training for OTee employees and relevant Subcontractors, at least annually, on ethics, privacy, and information security awareness. These trainings are reviewed for relevance and updated as needed, annually.
19.2. Teams associated with development efforts impacting Customer Data undergo specific training focused on well-defined and secure coding practices.
20. Security Control Testing
20.1. At least annually, OTee will engage a qualified, independent external auditor to conduct periodic reviews of OTee’s security practices against recognized audit standards, such as SOC 2 Type II and ISO 27001 certification audits (including surveillance and recertifications), as applicable. Upon request, OTee agrees to make such reports available to the Customer.
21. Verification Rights
21.1. No more than once per calendar year, OTee will use commercially reasonable efforts to respond to appropriately scoped questionnaires from Customer that are designed to verify OTee’s security practices. Questionnaire responses are provided for informational purposes only, and OTee may charge a reasonable fee for its costs in responding to such questionnaires.
22. Data Protection Governance
22.1. OTee assigns accountability for data protection to a designated individual or other body with appropriate seniority.