Nalpeiron Information Security Procedures

1. Security Certification Standards

Nalpeiron maintains SOC2 certification for the entire subscription period (from October 2025 onwards) and will provide certification reports to Customer upon request via the Nalpeiron Security portal.

2. Security Team

Nalpeiron maintains a dedicated information security team responsible for:

  • Implementing security best practices

  • Overseeing security for the Nalpeiron Growth Platform (Zentitle2, Zengain, and Zenmeter) and Services

  • Creating and maintaining security policies

3. Security Incident Reporting and Response

Reporting Requirements

  • Nalpeiron has procedures in place that require employees, representatives, and subcontractors to report security incidents as quickly as reasonably possible through the proper channels.

Incident Response

  • Nalpeiron maintains procedures to respond quickly and effectively to security incidents.

  • Nalpeiron utilizes a classification system to assess incident severity based on its impact and scope.

Customer Notification

  • Nalpeiron will notify the Customer within 48 hours of confirming any Information Security Incident at the email address provided by the Customer.

Remediation

  • If an incident reveals security deficiencies or weaknesses, Nalpeiron will promptly take reasonable steps to address material issues.

  • Upon request, Nalpeiron will keep the Customer informed about remediation status, including timelines, and will confirm when corrective actions are complete.

Definition of "Information Security Incidents"

Any unmitigated security incident that Nalpeiron actually knows about and that either:

  • Compromises or likely compromises Customer data or system security/integrity, or

  • Materially affects Nalpeiron's ability to meet its obligations under this Schedule

4. Independent Security Testing

Penetration Testing

  • Nalpeiron arranges for independent third-party contractors to conduct penetration testing on its systems at least once every 12 months.

  • If testing reveals vulnerabilities that would prevent Nalpeiron from materially complying with this Schedule, Nalpeiron will address and rectify those vulnerabilities and retest.

  • Upon written request, Nalpeiron will provide the penetration testing executive summary to the Customer.

Performance Metrics

  • Upon request, Nalpeiron will provide the Customer with mutually agreed-upon security testing metrics at an agreed-upon frequency.

5. Communication and Cooperation

Confidentiality

  • Except as required by law or existing contractual obligations, Nalpeiron will not disclose any Information Security Incident involving Customer to third parties without Customer's prior written consent.

  • If disclosure is legally required, Nalpeiron will coordinate with Customer regarding timing, content, and recipients.

Law Enforcement Cooperation

  • Nalpeiron will fully cooperate with Customer and law enforcement regarding any unauthorized access to Customer's systems, networks, or data.

  • This includes retaining all information related to any security incident.

Response Support

  • Nalpeiron will respond promptly to reasonable Customer requests for information, cooperation, and assistance, including to the Customer's designated response center.

6. Access Controls

When Nalpeiron personnel access Customer systems or data:

  • Nalpeiron is responsible for verifying personnel identity

  • Personnel will have only the minimum system access needed to perform their duties

  • Shared accounts or passwords are prohibited

  • This Schedule's requirements govern access

7. Paid Security Audits

The Customer may conduct a paid-for security audit ("Security Review") to assess Nalpeiron's compliance with this Schedule, subject to mutually agreed audit rights, an agreed SOW, a paid professional services contract, and the following conditions:

  • Advance Notice: Customer must provide at least 28 days' written notice

  • Frequency: Limited to once per 12-month period (unless otherwise required by law)

  • Timing: Conducted during regular business hours in a manner that minimizes disruption to Nalpeiron's operations

  • Customer's Costs: Customer bears its own audit costs

  • Third-Party Auditors: Any third-party auditor must (i) be subject to confidentiality obligations at least as protective as those in the Agreement, and (ii) not be a Nalpeiron competitor

8. Business Continuity and Disaster Recovery

Nalpeiron maintains a documented Business Continuity and Disaster Recovery Plan ("BC DR Plan") throughout the Agreement term, including:

  • Emergency and contingency plans for facilities that process Customer data

  • Regular testing (results available to Customer upon request)
