Demandbase Security Policy 1. Introduction This Demandbase Security Policy (“Security Policy”) outlines the organizational and technical measures that Demandbase undertakes to ensure secure business operations and to protect the company and data entrusted to us. 2. Personnel Organization Structure The Security team coordinates all security programs across Demandbase. The Security team reports to the CFO who reports directly to the CEO. There are additional security staff embedded within the engineering department. The Risk and Compliance team facilitates the internal audit and governance of the Security and Compliance programs. The Risk and Compliance team reports to the General Counsel who reports directly to the CFO. Background Checks All offers of employment at Demandbase are contingent on the completion of a background check. All third-party contractors who may have any exposure to data (including Customer Data) are subject to the completion of a background check prior to their commencing an engagement with Demandbase. Security and Data Privacy Training Employees and third-party contractors attend on-boarding orientation and must complete security awareness and data privacy training. System access is revoked for any employees and third-party contractors who do not complete their security awareness and data privacy training in a timely manner. Employees and third-party contractors must complete annual Security Awareness and Data Privacy training modules. Information Security Policies Employees and third-party contractors review and acknowledge Demandbase’s Information Security Policies and Procedures during on-boarding and annually thereafter. Physical and Logical Access Employees and third-party contractors are required to use their badges to access Demandbase offices. Guest access is logged and monitored using facility management software tools. Access to systems are authorized and provisioned according to role-based access controls (recorded as matrices) (RBACs). RBACs are reviewed and updated on a periodic basis in parallel with user access reviews to ensure access is restricted to reflect business requirements on a “least privileges necessary”. Access control systems are configured to “deny-all” as default. All access by employees and third-party contractors to Demandbase systems requires successful authentication using multi-factor authentication (MFA) using an identity provider (IdP). In addition, another layer of authentication mechanism is required to access the virtual private network (VPN)” and virtual private cloud (VPC) access to AWS. Upon termination of employment or contract, access to Demandbase systems and offices is immediately revoked. 3. Network and Application Security Architecture Demandbase uses Amazon Web Services (AWS) and Google Cloud Platform (GCP) as the primary cloud platforms. This infrastructure spans multiple regions and multiple availability zones within each region for redundancy, performance and disaster recovery purposes. Demandbase utilizes the shared security responsibility model, where the cloud provider is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, operating, managing and controlling components from the host system, security of cloud native services, virtualization layer and storage) and Demandbase is responsible for securing the application platform and configuration deployed in the cloud provider’s infrastructure. Cloud Security Demandbase works within the security models provided by our cloud providers. The use of security groups enables the analysis of traffic and determines whether access is allowed based on the rules. Demandbase has adopted a role-based framework. Access is provisioned using Identity and Access Management (IAM) role-based access to resources. Furthermore, access is granted based on the role and context of the entity (grantee) and not just on the sources. Environments are physically and logically separated by function – e.g. development, staging and production. Demandbase’s corporate locations are insulated by firewall technologies, utilize active threat monitoring, and provide active traffic and log analysis on central security components and endpoints. Application cloud infrastructure is protected with cloud provider DDOS services and web application firewalls along with AI based threat detection, flow and event analytics and correlation with threat databases combine to provide a comprehensive layered defense. System Event Logging, Monitoring and Alerting Monitoring tools and services are used to monitor systems including network devices, security events, operating system events, resource utilization, user access audit records, cloud infrastructure and associated event logs, audit and security logs, application operations events and application account audit logs. Logs are analyzed for anomalies, outliers and patterns based on security event signatures. Alerting logic processes these events and actions are taken to initiate any applicable remediation. Logs of all production servers are stored and retrievable from a centralized repository. Application Security At Demandbase, security is integrated into the software development lifecycle (SDLC) process. Training: Demandbase uses a third-party vendor solution to make secure code training available on-demand for all engineers. Engineers are encouraged to undertake training on core concepts key to their development as needed and on the recommendation of their managers. Design: Security implications are considered as part of the application design process. Development: Peer review of source code is part of the SDLC process. Security checklists are included in the code review template to enable engineers to check for security flaws consistently as part of the review process. Testing: Security testing is performed at various stages of the development lifecycle: Automated tests: Security testing for business logic is automated as much as possible to catch any regressions to existing features. Manual tests: Manual security testing is conducted as part of release testing to flag any security issues. Security scans: Static and dynamic application security tests are run regularly in production and development environments to detect and flag any issues. Vulnerability management: Security issues are triaged regularly, prioritized based on severity, and tracked to remediation in accordance with published SLAs. Data Integrity Confidential and sensitive data is retained only as long as required for legal, regulatory and business requirements. Customer Data is retained during the relationship and with Demandbase and for up to 13 months following the expiration or termination of the relationship. However, upon request Demandbase will delete Customer Data within thirty days of written notification. Encryption During Transit Demandbase encrypts traffic during transit with Transport Layer Security “TLS” using Demandbase security standard cipher-suites when communicating across an untrusted network. This applies to external and internal communications. Symmetric keys are generated by the transport client and server uniquely for each transport session. High level of entropy for initialization and perfect forward secrecy must be used to ensure the keys are never the same. The high entropy and perfect forward secrecy negate the need for the storage of symmetric keys. Asymmetric keys are best stored in HashiCorp Vault or in cloud provider Key Management Systems Encryption for Data at Rest Encryption of data applies to the following use cases: Personal and Customer Data: Any data that identifies personal data through unique field values that would reveal personal identity information of a Demandbase customer. Example: customer email or phone number. Any Customer Data that is business transactional in nature such as a confidential marketing campaign budget and target list. Digital Advertising Metadata: Any data that is required to be shared with the digital advertising exchanges, participating websites, or partner that is abstracted from an individual identity but can be used as an identifying field for targeting. An example of such information is a cookie or first three octets of an IP address. Encryption for Storage/Backups Data storage: All Demandbase data stores are encrypted via Amazon S3 encryption via AWS Key Management Service (KMS) and Google Cloud Platform (GCP) through Google KMS regardless of data classification. Key management: Keys used for data encryption or key encryption are stored in the cloud KMS or by using the software vault secrets engine. Access management: Identity and Access Management (IAM) roles are used for encrypt/decrypt permissions based on policies of \ least privilege access to data. Cryptography details https://docs.aws.amazon.com/kms/latest/cryptographic-details/intro.html https://cloud.google.com/kms/docs/encrypt-decrypt 4. Assessments and Certifications SOC 2 Demandbase is happy to provide a copy of our current Type II SOC 2 Security TSC report under NDA for prospects and upon request from existing customers. Please see our Trust Site at trust.demandbase.com. Penetration Testing Penetration tests are conducted by an independent third-party assessor at least annually. All issues reported by the testing engagements are triaged, prioritized based on the issue severity, and remediated as applicable. In addition to external testing, the Demandbase Security team conducts tests on the application and infrastructure continuously through the year. Upon request and under NDA, Demandbase will share the latest Penetration Test Attestation Summary by an independent third-party assessor. Business Continuity and Disaster Recovery Plans Demandbase maintains a Disaster Recovery Plan in connection with our SaaS applications and a Business Continuity Plan. Both plans are reviewed, tested, and updated annually. 5. Risk Management Risk Management The Demandbase Risk Management process is designed to identify, assess, and prioritize security risks with the aim of minimizing, monitoring, and mitigating risks based on priority. Risk Management Process and Methodology: The Demandbase Security team conducts a risk review of all business assets, processes and services (external and internal) at least annually in a series of meetings with key stakeholders and business owners. We use the Open Threat Taxonomy standard to guide the risk assessment exercise. All risks are reviewed against the four threat categories: physical, resource, personnel, and technical. A risk register is produced as the outcome of the review process, consisting of a prioritized list of identified risks. The risk register is presented to Demandbase Executive Management along with recommendations for minimizing and controlling the risks. Mitigation plans are formulated and executed against. In addition to annual reviews, an exceptional risk review is conducted whenever a major physical, environmental, personnel-related, regulatory, or technological change is undertaken. Third-party Risk Management Demandbase requires all technology companies with integrations or access to customer or company confidential data to complete a security questionnaire, and execute a Data Processing Agreement as part of the onboarding and contract renewal process. Incident Response Policy The Demandbase Security team has an established incident management policy in place which defines the individuals responsible for responding to a security incident, the responsibilities of those individuals during each phase of the incident response process – detection, analysis, containment, eradication, recovery, and post-incident activities, communication channels, escalation procedures, and procedures to record and track evidence during the incident investigation process. Suspected security incidents must be reported immediately to the Demandbase Security team by email via email@example.com. In addition, Demandbase customers can report security issues directly to the customer success representative in charge of the account or by using the email link on our website to contact customer support.