CyberSecurity & Data Protection Addendum

TOPS Software of Florida, LLC dba Enumerate (“Enumerate”) shall apply commercially reasonable practices in the protection of Client Data. “ISO/IEC 27002” and “ISO/IEC 27018” will be utilized as the best practice recommendations for Enumerate’s security controls. Enumerate’s security practices will meet the following requirements:


1.0 GENERAL OBLIGATIONS TO SAFEGUARD CLIENT DATA

1.1 Enumerate shall implement and maintain commercially reasonable measures designed to (1) ensure the security and confidentiality of Client Data, (2) protect against any anticipated threats or hazards to the security or integrity of Client Data, and (3) protect against unauthorized access to or use of Client Data.

1.2 Enumerate shall maintain physical, electronic, and procedural controls and safeguards designed to protect the Client Data from unwarranted disclosure, in compliance with any applicable laws. These controls shall include limiting access to Client Data to those employees, agents, or service providers of Enumerate and its subcontractor(s) who have a legitimate need for such information in order to carry out the purpose of providing the Services. For information disclosed in electronic form, Enumerate shall include electronic barriers (e.g., “firewalls” or similar barriers) and password-protected access to the Client Data. Enumerate shall also encrypt Client Data in transit and at rest.


2.0 SECURITY ORGANIZATION

2.1 Enumerate shall maintain an information security function responsible for security initiatives within the organization, including: creating, reviewing, and approving information security policies; reviewing the effectiveness of information security policy implementation; managing assignment of specific roles and responsibilities for information security; developing and maintaining an overall strategic security plan; reviewing and monitoring information security incidents or events; monitoring significant changes in the security exposure of information assets; and identifying and documenting instances of non-compliance with security policies.


3.0 PASSWORD STANDARDS

3.1 Enumerate shall enforce the following password requirements for its employees: a minimum password length of eight (8) characters; a minimum password complexity consisting of at least one alphabetic and one numeric character; the system must lock an account after a maximum of three (3) failed authentication attempts; and the system must prevent the reuse of any of the five (5) previous passwords or of any password used within the preceding two (2) years. Temporary passwords, including those created for new accounts, must be changed on the next login. In addition, passwords must not contain any part of a user ID.


4.0 PHYSICAL SECURITY

4.1 All Enumerate applications used in connection with the Services shall be located in a secure SSAE 18 certified Data Center. Enumerate shall utilize a Data Center that has (a) commercially reasonable access controls to prevent unauthorized access to the building and computer room; (b) commercially reasonable monitoring of the building twenty-four (24) hours a day, seven (7) days a week, which shall include at a minimum access logs for visitors that demonstrate when they signed in/out and who they were visiting; and (c) employee access logs and/or CCTV video.


5.0 ACCESS MANAGEMENT

5.1 Enumerate accounts will be managed by limiting access to necessary information and disabling or removing inactive accounts. Periodic reviews of access requirements will be performed.


6.0 AUDIT LOGS

6.1 Enumerate shall maintain system audit logs to provide accountability for any action that accesses, generates, modifies, or affects the access to or release of Client Data. Audit logs shall be protected from unauthorized access, modification, or deletion. Enumerate audit log entries shall include at least the following data elements: date, time, user ID, user IP address, and event type. All audit logs must be retained and readily accessible for a minimum of three (3) months.


7.0 INTRUSION DETECTION AND SECURITY OPERATIONS CENTER

7.1 Enumerate shall maintain an intrusion detection service to monitor services for suspicious activity. Additionally, Enumerate shall maintain a Security Operations Center that utilizes human-staffed monitoring in conjunction with automated alerting twenty-four (24) hours a day, seven (7) days a week.


8.0 INCIDENT RESPONSE

8.1 Enumerate shall maintain incident response standards and guidelines. Enumerate agrees to promptly notify affected Clients in the event of reasonable suspicion that Client Data has been, or may have been, lost or subject to unauthorized internal or external access.


9.0 FIREWALL PROTECTION

9.1 Enumerate provides commercially reasonable firewall protection, including administration and maintenance, to prevent unauthorized access. Administrative firewall access shall be kept to a minimum. The firewall shall also be used to segment different internal networks from one another. Enumerate shall review the firewall rule sets to determine whether there are inactive connections, which shall then be deleted, and whether there are insecure or inappropriate connections open. Enumerate firewalls shall be configured to deny all access except when explicitly allowed.


10.0 ANTIVIRUS PROTECTION

10.1 Enumerate shall maintain antivirus software with frequent updates as necessary to reasonably protect services from virus-related threats.


11.0 SECURITY TESTING

11.1 Enumerate performs multiple types of security testing on an annual basis. Vulnerability testing is completed by Enumerate on all systems. Additionally, Enumerate utilizes a third-party security company to complete application penetration testing.


12.0 SECURE SOCKETS LAYER

12.1 Enumerate utilizes Secure Sockets Layer (“SSL”) to encrypt all End User transmissions and authentication information transmitted between Enumerate services and the End User.

13.0 MEDIA SANITIZATION

13.1 Media containing Client Data must be rendered unreadable or undergo a secure destruction process based on commercially reasonable standards before Enumerate discards or otherwise discontinues its use.


14.0 DISASTER RECOVERY PLAN

14.1 Enumerate maintains a disaster recovery plan that describes in detail how Enumerate will restore service functionality in the event of a catastrophic loss of its services.


15.0 SERVICE PROVIDER

15.1 To the extent it receives or processes Client Data that includes personal information pertaining to “consumers” as defined by the California Consumer Privacy Act (“CCPA”), Enumerate shall be a “service provider” under the CCPA. As such, Enumerate will not retain, use, or disclose personal information relating to California “consumers” (1) for any purpose other than the specific purpose of performing the services specified in the Agreement, (2) outside the direct business relationship between Enumerate and the Client, or (3) except as otherwise permitted by the CCPA. Likewise, as those terms are defined in the CCPA, Enumerate will not “sell” such personal information or “share” it for cross-context behavioral advertising.


16.0 BACKUP

16.1 Enumerate completes backups of data multiple times a day. Enumerate utilizes backups for system recovery or in the event of data corruption. Backups are not moved from the secure data center or utilized for Disaster Recovery purposes.