©2025 Lamina

Minimum Information Security Requirements for the Lamina Platform

1. Information Security Management. Lamina will maintain appropriate cybersecurity measures to safeguard the security of any data that is owned, licensed, stored, or managed by Client on the Lamina Platform (“Client Data”), including but not limited to personal information. In no event shall Lamina take precautions any less stringent than those employed to protect its own proprietary and confidential information. In addition, Lamina will develop and maintain any additional information measures as may be required by laws applicable to it, including, without limitation, federal, state and local privacy and data protection laws and regulations for all jurisdictions applicable to Lamina’s processing of Client Data. In addition, Lamina will maintain an information security and risk management program based on commercial best practices to preserve the confidentiality, integrity, and accessibility of Client Data with comprehensive administrative, technical, procedural, and physical measures conforming to generally recognized industry standards and best practices that include the following:

i. Information Security Program. Lamina must keep Client Data secure from accidental, unauthorized, or unlawful access, use, disclosure, alteration, destruction and/or loss by using administrative, technical, procedural, and physical safeguards that are reasonable and appropriate to the circumstances, taking into account the nature of Client Data and the scope, context, and purposes of the processing (individually, a “Safeguard”; all Safeguards collectively, the “Information Security Program”).

ii. Documentation. Lamina will maintain documentation sufficient to describe its Information Security Program and the specific Safeguards it employs (“Written Security Policy, Procedure, and Standards, Technical implementation details”).

iii. Changes. Lamina will refrain from making any changes to its Information Security Program or specific Safeguards that reduce the level of security provided to Client Data.

iv. Network Security. Lamina agrees to protect Client Data from unauthorized access, use, disclosure, alteration, or destruction with network security that includes industry-standard firewall protection, an intrusion detection system, and/or an intrusion prevention system, as well as periodic vulnerability scans, for all information systems that Lamina uses to process Client Data (the “Computing Systems”).

v. Server and Endpoint Security. Lamina agrees to ensure that its Computing Systems are patched and up-to-date with all appropriate security updates as designated by the relevant manufacturer or authority and are free of known viruses, spyware, adware, malware, and other malicious and unwanted software and programs.

vii. Independent Security Assessments. Lamina agrees to use appropriately qualified, independent third parties to perform annual penetration tests and security audits covering the systems, environments, and networks where Client Data is stored, processed, and accessed. Lamina agrees to remediate all medium and higher severity findings and observations from such assessments.

viii. Strong Authentication. Lamina will use SAML 2.0, OAuth2, OpenID Connect, or equivalent methods (“Strong Authentication”) for any remote access to Client Data. Additionally, Lamina will enforce Strong Authentication for any administrative and/or management access to Lamina security infrastructure and Client log data, including but not limited to firewalls, Identity and Access Management systems, security monitoring infrastructure, and computing logs such as firewall logs, server logs, and DNS logs.

ix. Physical and Environmental Security. Lamina will have in place physical and environmental Safeguards for its Computing Systems.

x. Data Transparency: Upon request from Client, Lamina agrees to provide Client with an inventory or data map of Client Data that Lamina processes on behalf of Client (including by use of subprocessors) including locations of such data, and control measures that are in place for the protection of Client Data.

xi. Personnel confidentiality: Lamina will ensure that any person that Lamina authorizes to process Client Data (including its employees, agents, and subcontractors) will be subject to a strict duty of confidentiality (whether contractual or statutory).

xii. Information Security Awareness and Training: Lamina will maintain an information security awareness and training program in place that includes how to implement and comply with the Information Security Program and promote a culture of security awareness through periodic communications from the organization's senior leadership.

xiii. Contingency Planning: Lamina will maintain policies and procedures for responding to emergencies, security incidents, and other events (such as a pandemic or natural disaster) that could interfere with or disrupt authorized access to Client Data.

xiv. Storage and Transmission Security: Lamina will maintain Safeguards against unauthorized access to or unauthorized use, alteration, or destruction of Client Data that is being transmitted over a public electronic communications network or stored in Computing Systems. Such measures include using Strong Encryption (as defined below) of any non-public Client Data stored on desktops, laptops, smartphones, tablets, and other mobile devices and removable storage media.

xv. Secure Disposal: Lamina will maintain and follow policies and procedures regarding the secure deletion or destruction of Computing Systems or data stored on Computing Systems, so that Client Data cannot be practicably read or reconstructed after deletion or destruction. Lamina shall securely delete, destroy, or permanently remove access to Client Data using such methods within thirty (30) days following any request made by Client, unless Lamina is under a legal or contractual obligation to preserve the data.

xvi. Monitoring and Logging. Lamina will maintain intrusion detection systems, audit trail logging, and security event detection and monitoring in place for networks, servers, and applications where Client Data is stored, processed, or transmitted. Lamina will maintain logs of all physical and logical access to the Computing Systems, including command history logging of all logical access for at least 12 months.

xvii. Passwords: When passwords are used to access Client Data, Lamina will enforce Strong Authentication in all instances. Where practicable, Lamina will use a second authentication factor before granting access to Client Data with a password. Lamina will maintain password complexity requirements that are consistent with applicable industry best practices.

xviii. Encryption: Lamina will use minimum encryption key lengths of 256-bits for symmetric encryption and 2048-bits for asymmetric encryption (“Strong Encryption”) to protect Client Data (a) when transmitted over any external network; (b) when stored (at rest); or (c) whenever authentication credentials are stored.

xix. Least privilege: Lamina agrees to enforce the rule of least privilege by requiring application, database, network, and system administrators to restrict user access to only the commands, data, and Information Resources necessary for them to perform authorized functions.

xx. Access Management: Lamina agrees to have formal processes in place to grant, prevent, and terminate access to Client Data. The access should be limited to users who require this access to render services under the Agreement.

2. Adequate Security Measures and Procedures. Lamina shall (a) maintain a SOC 2, Type I, report that covers the Computing Systems that is no more than one (1) year old, and (b) upon request, provide Client with a true and complete copy of the most recent SOC 2, Type I report, which may be subject to separate confidentiality terms.