FOS Hosting Security & Privacy Practices

Last Updated: April 15, 2024

  1. Security Practices. FOS Hosting is responsible for the security measures set out in the Agreement and shall maintain and implement the following technical and organizational measures concerning the security of the Customer Configuration.
    • Physical Security – Data Centers. The following physical security controls apply to Customer Data residing in a data center or office premises either owned or leased by FOS Hosting LLC or its Affiliates for providing Services to Customer (and expressly excludes third-party hosting Services):
      • Servers and devices dedicated to Customer’s use as part of the Customer Configuration provided by FOS Hosting will be located in a controlled-access data center (or part of it) either operated by or dedicated to use by FOS Hosting or its Affiliate.
      • FOS Hosting operates or audits the use of an electronic access control system that logs access to physical facilities managed by a professional security guard force in line with its current processes.
      • Access to the raised production floor of the data halls will be restricted to FOS Hosting employees or its agents who need access to provide the Services. Access within data center facilities is in zones and provisioned based on physical access rights required by a given individual. Access to designated “meet me” rooms will be available to customers, subject to data center escort policies.
      • The data center will be staffed 24/7/365 and will be monitored by video surveillance, recording to a centralized location, and viewed by the onsite security force.
      • FOS Hosting limits access to physical facilities to authorized individuals by proximity-based access cards and biometric hand scanners or other approved security authentication methods.
      • Except as specifically stated in the Agreement, FOS Hosting will not relocate the Customer Configuration from a FOS Hosting data center to a data center in another country without Customer’s express written permission.
      • After the termination of the Agreement or a Customer Configuration, FOS Hosting will wipe data from those hard drives and storage devices dedicated to Customer use before re-use.
    • Security Controls Audits & Reporting. FOS Hosting shall engage qualified third-party auditors to perform examinations of its systems and services according to the best practice recommendations of ISO 27001 to audit FOS Hosting’s compliance with SSAE 18 compliance frameworks and the AT 101 compliance framework (based on select Trust Services Principles) or equivalent industry standards or both. FOS Hosting’s annual SOC report(s) or suitable equivalent standard(s) as specified by FOS Hosting is available to Customer on Customer’s request subject to FOS Hosting’s SOC distribution requirements. Not all FOS Hosting Services are included in the scope of the SOC report(s) or audits described in this section 1.2; for details, Customer should contact the FOS Hosting account manager.
    • Administrative Controls.
      • Screening. FOS Hosting will perform pre-employment background screening of its employees who have access to Customer’s account and is committed to employee supervision, training, and management.
      • FOS Hosting Access. FOS Hosting will restrict the use of administrative access codes for Customer’s account to its employees and other agents who need the access codes to provide the Services. FOS Hosting personnel who use access codes will be required to log on using an assigned username and password.
      • Customer Access. As the primary system administrator, Customer is responsible for managing their account, including creation, change management, termination, and enforcement of related remote working and password controls.
    • PCI-DSS. For the security of cardholder data, as that term is defined in the Payment Card Industry Data Security Standard, which FOS Hosting might possess or otherwise store, process, or transmit on Customer’s behalf, FOS Hosting will provide (a) those physical, technical, and administrative safeguards described in the Agreement and (b) the Services selected by Customer and described in the Agreement, except that Customer remains responsible for ensuring all PCI-DSS requirements are met for that cardholder data. FOS Hosting maintains PCI-DSS Service Provider, or equivalent, accreditation for dedicated hosting services (excluding managed virtualization services).
    • Reports of and Response to Security Breach. FOS Hosting will report to Customer as soon as reasonably practicable in writing and under law, of a material breach of the security of the Customer Configuration that results in unauthorized access to Customer Data resulting in the destruction, loss, unauthorized disclosure, or alteration of Customer Data of which FOS Hosting becomes aware. On request, FOS Hosting will promptly provide to Customer all relevant information and documentation that FOS Hosting has available to FOS Hosting regarding the Customer Configuration for any such event. FOS Hosting is not obligated to notify routine security alerts about the Customer Configuration (including pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful logon attempts, denial of service attacks, packet sniffing, or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers, or similar incidents) except as otherwise specifically set out in the Agreement.
    • Customer Data.
      • Customer remains the primary system and account administrator and is responsible for the integrity, security, maintenance, and protection of Customer Data, including Sensitive Data, by: (i) selecting, buying, and properly configuring appropriate Services; (ii) implementing adequate controls to maintain appropriate security, protection, and deletion of Customer Personal Data (which shall include encryption and logical access measures); (iii) ensuring that FOS Hosting is not provided with any access to Customer Data, except as otherwise explicitly set out in the Agreement; and (iv) using the data integrity controls to allow Customer to restore the availability of Customer Personal Data in a timely manner (which shall include routine backups and archiving of Customer Personal Data in an environment separate from the Customer Configuration). Customer Data is, and at all times will remain, Customer’s exclusive property. FOS Hosting will only back up data if stated on a Service Order, and FOS Hosting will not use or disclose Customer Data except as materially required to perform the Services or as required by law.
      • Unless otherwise specified in the Service Order, the Services enable Customer to retrieve, correct, and delete Customer Data. Customer’s access to the Customer Configuration or Customer Data may be restricted during a suspension or after the termination of the Services or the Agreement. Customer is responsible for retrieving a copy of Customer Data before the termination of the Agreement. FOS Hosting may delete Customer Data at any time after Agreement termination.
      • Customer will cooperate with the investigation and resolution of outages and security incidents. FOS Hosting is not responsible to Customer or any nonparty for unauthorized access to Customer Data or for unauthorized use of the Services that is not solely caused by FOS Hosting’s failure to meet its security obligations under the Agreement.
  2. Privacy Practices. Customer and FOS Hosting will comply with laws concerning their collection and processing of any Sensitive Data in providing and using the Services.
    • Data Processing Addendum. If Applicable Data Protection Law applies to the Processing of Personal Data (as each of those terms are defined in the Data Processing Addendum), the Data Processing Addendum will form part of this Agreement.
    • CCPA. If the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq. (“CCPA”) applies to the processing of Personal Information (as defined in the CCPA), the Consumer Privacy Protection Act Addendum will form part of this Agreement.
