Kyvos Security Addendum

This Security Policy [1] is incorporated into and made a part of the written agreement between Kyvos and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Addendum, this Security Addendum shall govern.

Kyvos utilizes infrastructure-as-a-service cloud providers as further described in the Agreement and (each, a “Cloud Provider“) and provides the Service to Customer using a VPC/VNET and storage hosted by the applicable Cloud Provider (the “Cloud Environment“).

Kyvos maintains a comprehensive documented security program based on and implemented by ISO27001 certified implementor, under which Kyvos implements and maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Service and Customer Data (the “Security Program”), including, but not limited to, as set forth below.

[1] For clarity, where Customer’s Agreement refers to the defined term “Security Policy”, such reference shall be interpreted to refer to this exhibit.

1. Kyvos’ Audits & Certifications

1. 1.1 The information security controls, and infrastructure shall be assessed by independent third-party auditors as per SOC 2 Type 2 standard (“Third-Party Audits”), on at least an annual basis:
2. 1.2 To the extent Kyvos discontinues a Third-Party SOC 2 Audit, Kyvos will adopt or maintain an equivalent, industry-recognized standard.

2. Hosting Location of Customer Data

1. 2.1 Hosting Location – The hosting location of Customer Data is the production Cloud Environment in the Region offered by Kyvos and selected by Customer on an Order Form or as Customer otherwise configures via the services.

3. Encryption

1. 3.1 Encryption of Customer Data – Kyvos encrypts Customer Data at-rest using AES 128-bit (or better) encryption. Kyvos uses Transport Layer Security (TLS) 1.2 (or better) for Customer Data in-transit over untrusted networks.
2. 3.2 Encryption Key Management – for safeguarding customer Data both in transit, and at-rest.

4. System and Network Security

1. 4.1 Access Controls – Kyvos personnel access to the Cloud Environment is via a unique user ID and consistent with the principle of least privilege. All such access requires a VPN, with multi-factor authentication.
2. 4.2 Endpoint Controls – For access to the Cloud Environment, Kyvos personnel use Kyvos-issued laptops which utilize security controls that include, but are not limited to, (i) disk encryption, (ii) endpoint detection and response (EDR) tools to monitor and alert for suspicious activities and Malicious Code (as defined below).
3. 4.3 Separation of Environments – Kyvos logically separates production environments from development and testing environments. The Cloud Environment is both logically and physically separate from Kyvos’ corporate offices and networks.
4. 4.4 Firewalls / Security Groups – Kyvos shall protect the Cloud Environment using industry standard firewall or security groups technology with deny-all default policies to prevent egress and ingress network traffic protocols other than those that are business-required.

5. Monitoring & Logging

1. 5.1 Infrastructure Logs – Monitoring tools or services are utilized to log certain activities and changes within the Cloud Environment. These logs are further monitored, analysed for anomalies and are securely stored to prevent tampering.
2. 5.2 User Logs – As further described in the Documentation, Kyvos also captures logs of certain activities and changes within the Account and makes those logs available to Customer on demand.

6. Vulnerability Detection & Management

1. 6.1 Vulnerability Detection – The Cloud Environment leverages advanced threat detection tools, which are used to monitor and alert for suspicious activities, potential malware, viruses and/or malicious computer code (collectively, “Malicious Code”). Kyvos does not monitor Customer Data for Malicious Code.
2. 6.2 Penetration Testing – Kyvos regularly conducts penetration tests and engages independent third-party auditors to conduct penetration tests of the Service at least annually. Kyvos also runs vulnerability scans for every Cloud deployment using updated vulnerability databases. Additionally, Kyvos also runs the scan at the time of any change to the deployment or infrastructure. For upgrades, Kyvos can also run the vulnerability scan if requested by the customers.
3. 6.3 Vulnerability Management – Kyvos uses OWASP ZAP (Zed Attack Proxy) tool for scanning vulnerabilities in the product. ZAP is a dynamic application security testing (DAST) tool for finding security vulnerabilities in web applications. Kyvos team runs security scan with each new release of Kyvos. Kyvos will use commercially reasonable efforts to address critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days.

7. Administrative Controls

1. 7.1 Personnel Security – Kyvos requires criminal background screening on its personnel as part of its hiring process, to the extent permitted by applicable law.
2. 7.2 Personnel Training – Kyvos maintains a documented security awareness and training program for its personnel, including, but not limited to, onboarding and on-going training.
3. 7.3 Personnel Agreements – Kyvos personnel are required to sign confidentiality agreements. Kyvos personnel are also required to sign Kyvos’ information security policy, which includes acknowledging responsibility for reporting security incidents.
4. 7.4 Personnel Access Reviews & Separation – Kyvos reviews the access privileges of its personnel to the Cloud Environment at least quarterly and removes access on a immediate basis for all separated personnel.

8. Kyvos Risk Management & Threat Assessment

Kyvos’ security committee meets regularly to review reports and material changes in the threat environment, and to identify potential control deficiencies in order to make recommendations for new or improved controls and threat mitigation strategies.

1. 8.1 External Threat Intelligence Monitoring – Kyvos uses OWASP ZAP (Zed Attack Proxy) tool for scanning external threats in the product. ZAP is a dynamic application security testing (DAST) tool for finding security vulnerabilities in web applications. Kyvos team runs security scan with each new release of Kyvos. Kyvos will use commercially reasonable efforts to address critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days.
2. 8.2 Change Management – Kyvos maintains a documented change management program for the Service.
3. 8.3 Vendor Risk Management – Kyvos performs risk assessment for vendors that process Customer Data designed to ensure each vendor maintains security measures.

9. Physical & Environmental Controls

1. 9.1 Cloud Environment Data Centres – To ensure the Cloud Provider has appropriate physical and environmental controls for its data centres hosting the Cloud Environment, Kyvos regularly reviews those controls as audited under the Cloud Provider’s third-party audits and certifications. Each Cloud Provider shall have a SOC 2 Type II annual audit and ISO 27001 certification, or industry recognized equivalent frameworks.
2. 9.2 Kyvos Corporate Offices – While Customer Data is not hosted at Kyvos’ corporate offices, Kyvos’ technical, administrative, and physical controls for its corporate offices, shall include, but are not limited to, the following:
   1. 9.2.1 Physical access to the corporate office is controlled at office ingress points;
   2. 9.2.2 Photo ID Badge access is required for all personnel and badge privileges are reviewed regularly;
   3. 9.2.3 Visitors are required to sign in;
   4. 9.2.4 Use of CCTV at building ingress points;
   5. 9.2.4 Tagging and inventory of Kyvos-issued laptops and network assets;
   6. 9.2.5 Fire detection and sprinkler systems; and
   7. 9.2.6 Climate control systems.

10. Incident Detection & Response

1. 10.1 Security Incident Reporting – If Kyvos becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Kyvos shall notify Customer without undue delay, and in any case, where feasible [2].
2. 10.2 Investigation – In the event of a Security Incident as described above, Kyvos shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Any logs determined to be relevant to a Security Incident, shall be preserved.
3. 10.3 Communication and Cooperation – Kyvos shall provide Customer timely information about the Security Incident to the extent known to Kyvos, including, but not limited to, the nature and consequences of the Security Incident, the measures taken and/or proposed by Kyvos to mitigate or contain the Security Incident, the status of Kyvos’ investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Notwithstanding the foregoing, Customer acknowledges that because Kyvos personnel do not have visibility to the content of Customer Data, it will be unlikely that Kyvos can provide information as to the particular nature of the Customer Data, or where applicable, the identities, number, or categories of affected data subjects.
   Communications by or on behalf of Kyvos with Customer in connection with a Security Incident shall not be construed as an acknowledgment by Kyvos of any fault or liability with respect to the Security Incident

[2] For clarity, where Customer’s Agreement refers to the defined term “Security Breach”, such reference shall be interpreted to refer to Security Incident, as defined herein.

11. Deletion of Customer Data.

1. 11.1 By Customer – The Service provides the Customer with controls for the deletion of Customer Data at the time of cluster decommissioning as per the data disposal policy.
2. 11.2 By Kyvos – Subject to applicable provisions of the Agreement, upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement, Kyvos shall promptly delete any remaining Customer Data.

12. Customer Rights & Shared Security Responsibilities

1. 12.1 Customer Penetration Testing – Customer may provide a written request for a penetration test of its Account (“Pen Test”) by submitting such request via a support ticket. Following receipt by Kyvos of such request, Kyvos and Customer shall mutually agree in advance on details of such Pen Test, including the start date, scope and duration, as well as reasonable conditions designed to mitigate potential risks to confidentiality, security, or other potential disruption of the Service or Kyvos’ business. Pen Tests and any information arising therefrom are deemed Kyvos’ Confidential Information. If Customer discovers any actual or potential vulnerability in connection with a Pen Test, Customer must immediately disclose it to Kyvos and shall not disclose it to any third-party.
2. 12.2 Customer Audit Rights By Kyvos – Upon written request and at no additional cost to Customer, Kyvos shall provide Customer, or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing Kyvos’ compliance with its obligations under this Security Addendum.
3. 12.3 Where the Auditor is a third-party (or Customer is using a third-party to conduct an approved Pen Test under Section 9.1), such third party may be required to execute a separate confidentiality agreement with Kyvos prior to any audit, Pen Test, or review of Audit Reports, and Kyvos may object in writing to such third party if in Kyvos’ reasonable opinion the third party is not suitably qualified or is a direct competitor of Kyvos. Any such objection by Kyvos will require Customer to appoint another third party or conduct such audit, Pen Test, or review itself. Expenses incurred by Customer or the third party in connection with such audit, Pen Test, or review, shall be borne exclusively by Customer or the third party.
4. 12.4 Shared Security Responsibilities – Without diminishing Kyvos’ commitments in this Security Addendum, Customer agrees:
   1. 12.4.1 Kyvos has no obligation to assess the content of Customer Data to identify information subject to any specific legal, regulatory or other requirement and Customer is responsible for making appropriate use of the Service to ensure a level of security appropriate to the particular content of Customer Data.
   2. 12.4.2 to be responsible for managing and protecting its User roles and credentials, including but not limited to (i) requiring that all Users keep credentials confidential and not share such information with unauthorized parties, (ii) reporting to Kyvos any suspicious activities in the Account or if a user credential has been compromised, (iii) appropriately configuring User and role-based access controls, including scope and duration of User access, taking into account the nature of its Customer Data, and (iv) maintaining appropriate password uniqueness, length, complexity, and expiration;
   3. 12.4.3 to appropriately manage and protect any Customer-managed encryption keys to ensure the integrity, availability, and confidentiality of the key and Customer Data encrypted with such key; and
   4. 12.4.4 to promptly update its Client Software whenever Kyvos announces an update.

*Last Updated: September 30, 2022