Exhibit A: Security Standards
Standards that define how pie safeguards systems, data, and access when working with clients.
This document describes the technical and organizational measures and security controls (the “Standards”) that Customer’s Vendors and Partners (for purposes of this document, collectively referred to as “Suppliers”) are required to adopt when (a) accessing Customer or Customer Facilities, Networks and/or Information Systems, or (b) accessing, Processing, or storing Customer Confidential Information. Supplier is responsible for compliance with these Standards by its Personnel, including ensuring that all Personnel are bound by contractual terms consistent with the requirements of these Standards. Additional security compliance requirements may be specified in Supplier’s Agreement or individual statements of work.
Compliance
1. Supplier shall implement and maintain organizational security policies, frameworks, guidelines, and standards based on industry security standards such as HITRUST CSF, ISO 27001, NIST 800-53, etc.
2. Supplier must inform Customer immediately if for any reason the Supplier has any conflicts affecting the Performance or fulfillment of Supplier’s Services that may impact Customer’s ability to maintain regulatory compliance at any time.
3. If Services involve Protected Health Information (PHI) subject to the U.S. Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated under that Act (collectively, “HIPAA”), the Supplier will be required to sign a Business Associates Agreement with Customer. On request, Supplier must provide Customer with reasonable assurance that Supplier (and any third‐parties used by the Supplier for handling PHI) maintains sufficient technical and organizational controls to comply with HIPAA requirements. This assurance may include audits and assessments from a qualified third‐party and/or completion of a questionnaire with sufficient evidence to support Supplier’s compliance.
Security Incident Management
1. Supplier will have established responsibilities and procedures to ensure a timely, effective and organized response to Security Incidents and to report and manage information Security Incidents and discovered vulnerabilities.
2. Supplier must have documented information Security Incident procedures, enabling effective and orderly management of Security Incidents. The procedures must cover the reporting, analysis, monitoring and resolution of Security Incidents.
3. Unless otherwise required by law or law enforcement, Supplier must not make any statements concerning a Security Incident that identify Customer without written authorization from Customer’s Legal Department.
4. Unless prohibited by law, Supplier must promptly notify Customer in the event the Supplier receives a request for access to Customer Information or Information Systems.
5. Supplier will report Security Incidents to Customer if there is any actual or suspected Security Incident which could impact Customer or Customer Data.
6. Supplier shall notify Customer without undue delay, but not later than twenty-four (24) hours after the Security Incident was evidenced.
7. If a Security Incident is confirmed, Supplier shall take appropriate actions to minimize further exposure of Customer Data in consultation with Customer without undue delay, but not later than forty-eight (48) hours after the Security Incident was confirmed.
8. After the above actions preventing repetition of the Security Incident are implemented, Supplier shall provide a written report to Customer detailing the actions performed and the safeguards implemented.
Personnel Security
1. Supplier must screen their personnel before giving them access to Customer’s systems.
2. Supplier must have a disciplinary action policy in place for Personnel, and Supplier must take appropriate action against violations of the Supplier’s security policies.
3. Upon termination of Personnel employment, Supplier must promptly remove access to all Computers, Systems, Networks and Applications and confirm with exiting Personnel their continuing contractual agreements and obligations to Supplier, including the protection of Confidential Information.
4. Supplier is responsible for the compliance of its Subcontractors engaged in the provision of the Services, who must be contractually bound to comply with all of the security requirements of this Agreement.
5. When requested to do so by way of Agreement, Supplier must maintain and regularly update a list specifying its Subcontractors, the country of destination of the data, and provide that list to Customer upon reasonable notice. Customer reserves the right to reject the use of any Subcontractor based on justified reasons or require reasonable steps to address concerns.
6. Supplier shall keep track of and enforce these requirements for all Personnel it provides to Customer.
Access Control
1. Supplier shall establish and implement an access control policy to ensure that access is granted only to authorized users and to prevent unauthorized access, in particular to protect the integrity of Confidential Information and Information Systems.
2. Supplier shall review user access rights to ensure that the allocation and use of privileges are controlled and restricted where necessary.
3. Supplier shall ensure that permissions for all roles and accounts follow the Principle of Least Privilege.
Cryptographic Control
1. The Supplier shall have a policy supporting the use of cryptographic controls for protection of information that is implemented and followed.
2. The Supplier shall execute and enforce management of cryptographic keys according to secure industry best practices including:
a. Using only secure cryptography that has not been compromised.
b. Limiting access to keys to only authorized sources.
c. Immediately revoking any key that has been compromised or has been at risk of compromise.
d. Ensuring proper records are kept recording key use, storage, and revocation.
3. Supplier shall use encryption solutions both for data at-rest and in-transit as appropriate to the data and information requiring the same.
4. Supplier shall utilize at least 256-bit AES (symmetric) or 4096-bit RSA (asymmetric) encryption, or equivalent state-of-the-art cryptographic techniques approved by Customer, and TLS 1.2 as a minimum for the secure transmission of data.
Network Security
1. Supplier shall ensure that its Networks are adequately managed and controlled, in order to be protected from threats, and to maintain security for the Systems and Applications using the network, including information in transit.
2. Supplier shall ensure that its employees, contractors and Subcontractors that handle Protected Health Information or Personal Information (including encrypted Personal Information) are aware of the following definitions:
a. Protected Health Information as defined by the United States Department of Health and Human Services.
b. Personal Data and Sensitive Personal Data as defined by the European Commission and such other relevant authorities.
3. Supplier will ensure that where relevant, all employees, contractors and Subcontractors receive appropriate awareness training adequate for the risks associated with their roles.
4. Supplier shall ensure that all employees, contractors and Subcontractors are aware of information security threats and risks, understand and accept their responsibilities, and are effectively equipped to support organizational security objectives associated with their work.
Business Continuity Management
1. The Supplier shall have appropriate business continuity plans, including disaster recovery, in place to ensure timely recovery of its Systems and Services that store or Process Customer Data.
2. The Supplier shall ensure that its continuity and recovery plans are tested regularly to ensure they are functional and effective.
3. Supplier shall maintain the confidentiality, integrity and availability of information and information Processing activities, ensuring that security controls remain in place and are given priority during compromised or otherwise affected Processing activities.