Security & Business Continuity Overview

Governance. Written information security program aligned with SOC 2 Type II and/or ISO/IEC 27001 controls; security roles and management oversight.

  1. Access Control. SSO/MFA for production access; least privilege; quarterly access reviews; secrets vaulting; hardened workstations and disk encryption.

  2. Data Protection. Encryption in transit (TLS 1.2+) and at rest (e.g., AES-256); key management with restricted access; logical tenant segregation.

  3. Secure Development. SDLC with peer review and security testing; SCA for open-source; vulnerability management with CVSS-based SLAs (Critical 15 days; High 30 days unless compensating controls).

  4. Monitoring & Logging. Centralized logging and alerting; log retention at least 12 months.

  5. Third Parties. Risk assessments prior to onboarding; contractual security obligations; change notice per Schedule 4.

  6. Business Continuity & DR. Documented BCP/DR program with annual testing; RPO/RTO as set in Schedule 1; geo-redundant hosting where applicable.

  7. Incident Response. 24×7 triage and escalation; Customer-impacting incidents notified per Schedule 4.

  8. Data Location & Transfers. Primary hosting in Vendor's designated cloud infrastructure regions as documented; cross-border transfers under lawful mechanisms (e.g., SCCs, UK Addendum).