SEISMIC
INFORMATION SECURITY ADDENDUM

Last Updated: March 6, 2026

1. Covered Services and Customer Content

   This Information Security Addendum (“InfoSec Addendum”) describes the controls and measures that Seismic has established with respect to its online products and services (“Services”), which are designed to protect the integrity, confidentiality, and availability of Customer Content while using Services in accordance with the terms of the Seismic Main Services Agreement (“MSA”). For avoidance of doubt, this InfoSec Addendum and related commitments do not apply to (i) Professional Services, Non-Seismic Products, Trials, and Third-Party Content made available by Seismic, or used or provided by Customer, (ii) data in Customer’s VPN, own Customer Property, or a third-party network; (iii) any data processed by Customer or its Users in violation of the MSA and (iv) any financial data of individuals or companies, health data of individuals, and/or other sensitive data as described in any applicable Laws. If not defined separately in this InfoSec Addendum, capitalized terms used herein will have the specified meanings provided in the MSA.

2. Information Security Management System

   Seismic has established and maintains a documented information security management system (“ISMS”) that defines policies, procedures, and standards designed to safeguard information assets and establishes administrative, technical, and physical safeguards that are appropriate to (a) the size, scope and type of Seismic’s business and Services; (b) the amount of resources available to Seismic; (c) the type of Customer Content that Customer is permitted to use with the Services and that Seismic will process; and (d) the need for security and protection from unauthorized disclosure of such Customer Content. Seismic reviews its ISMS annually and may update it and the measures set forth in this InfoSec Addendum to address changes in legal and regulatory requirements, new and evolving security technologies, changes to industry standard practices, changes to Seismic Service offerings, and changing security threats, provided that no such update will materially reduce the overall level of commitments or protections provided to Customer as described herein.

3. Architecture and Data Segregation

   The Services are operated in a multitenant architecture that is designed to segregate and restrict Customer Content access based on business needs. The architecture provides a logical data separation for different Customers via Customer-specific “Tenant IDs” (each, a “Tenant”) and allows the Customer to define role-based access privileges within its Tenant. Additional data segregation may be provided by establishing separate environments for distinct functions (e.g., testing and production).

4. Access Control and User Authenticity

   Only authorized Seismic information security staff can grant, modify and revoke Seismic personnel access to its information systems that process or store Customer Content. Access rights are implemented adhering to the “least privilege” approach and using multi-factor authentication (“MFA”). Seismic administration procedures define user roles and their privileges, how access is granted, changed and terminated, address appropriate segregation of duties, and define the logging/monitoring requirements and mechanisms.

5. Current Audits Reports

   The following current Seismic security and privacy-related audits and certifications, as set forth at the Seismic Trust Center are applicable to one or more of the Services (“Audit Reports”):

   • SOC 2 Type 2
   • ISO 27001
   • ISO 27701
   • ISO 42001
   • EU-US Data Privacy Framework
   • APEC - Asia-Pacific Economic Cooperation's Cross-Border Privacy Rules

   Where Seismic has obtained an ISO 27001 certification or SSAE 18 Service Organization Control (SOC) Type 2 report for a particular Service, Seismic agrees to maintain this certification or audit report, or comparable alternatives or successors thereof, for the duration of the relevant Customer Order Form term for the same applicable Service. Seismic will provide evidence of its Audit Reports upon Customer’s written request no more frequently than once every twelve-month period.

6. Processing of Personal Data

   Seismic processes personal data on Customer’s behalf during a Service Term in accordance with the terms of this Data Processing Addendum here (“DPA”), unless the Parties have separately executed a DPA, in which case such terms will control.

7. Retrieval of Customer Content and Deletion
   
   1. Retrieval of Customer Content. During the relevant Service Term for a particular Service, and for a period of thirty (30) calendar days after the expiration or earlier termination ("Retrieval Period") of the applicable Order Form, a Customer may, at no additional cost, export Customer Content in its Services instance (other than personal confidential information such as User passwords ), on a self-service basis using the then-provided tools and in the then-standard export formats , except for Customer Content that: (i) has previously been deleted by Customer, (ii) has been deleted by Seismic in accordance with the MSA or Documentation; or (iii) is legally restricted.
   2. Deletion of Customer Content. After such Retrieval Period, Seismic will have no obligation to maintain Customer Content or provide any Customer Content to Customer, and will securely delete Customer Content in accordance with Seismic’s standard deletion procedures, applicable Laws and with applicable NIST 800-88 guidelines, such that Customer Content cannot be practically read or reconstructed. Upon Customer’s written request, Seismic will provide a certificate of deletion. Notwithstanding the foregoing, in compliance with applicable Laws and the MSA confidentiality terms, Seismic may retain Customer Content (I) where required by applicable Laws or by Customer in an Order Form or under separate written agreement with Customer, (ii) for archival, backup, audit, security incident, disaster recovery, indemnity obligations, legal or regulatory purposes, (iii) in documentation used to demonstrate the orderly processing of personal data under the DPA, and (iv) in a record of the deletion request and the minimum data necessary for the limited purpose of maintaining a record of compliance with the request.
8. Responsibilities. The parties acknowledge and agree that information security relating to Customer’s use of the Services and the Customer Content is a shared responsibility.
   1. Customer Responsibilities. Customer’s responsibilities include its obligations to utilize the controls and settings within the Services and related platforms to configure security of the Services for their own use, including Customer’s: (i) authentication of Users before accessing the Customer’s instance; (ii) Users’ management of their own passwords; (iii) management of each User’s access to and use of the Services by assigning to each User a credential and user type that controls the level of access to the applicable Services; (iv) securing its own systems, networks, and endpoints that connect to or interact with the Services; (v) ensuring that its authorized Users comply with Customer's own security policies and the Seismic AUP; and (vi) configuring all and any other security settings and controls made available by Services within the Services platform.
   2. Seismic Responsibilities. Seismic provides the Services in accordance with security measures that include:

      • User access log entries will be maintained, containing date, time, user ID, URL executed, or entity ID operated on, operation performed and source IP address.
      • Data center physical access logs, system infrastructure logs, and application logs with User activity will be securely kept by Seismic and its third-party providers in accordance with their respective procedures.
      • Authorization is granted through a roles-based authorization system. Seismic supports standards-based federated ID capability through SAML 2.0 and OAUTH.
      • MFA is available through single sign-on.
      • Seismic hardens all components to provide only necessary ports, protocols, and services to meet business needs and have supporting technical controls. Baseline configurations are reviewed quarterly.
      • A designated Seismic employee is responsible for overseeing and implementing the Seismic ISMS.

9. Vulnerability Management

   Seismic performs regular, and no less than quarterly, vulnerability scans on its applications and infrastructure components of its production and development environments. For applications, scans are also performed after any major feature changes or architectural modification to the Services. Vulnerabilities are ranked using the Common Vulnerability Scoring System and remediated on a risk basis that considers the types of applications and infrastructure systems on which they are found.

10. Incident Management
    1. Incident Response. Seismic maintains security incident management policies and procedures, in accordance with ISO 27001 and SOC 2, Type 2 controls, in the event of any security incident that causes the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content while processed by Seismic (“Security Incident”).
    2. Notification. Upon its confirmation of a Security Incident, Seismic will notify an impacted Customer, without undue delay, to the extent permitted by applicable Laws. As relevant information in relation to the Incident is collected or otherwise becomes available to Seismic, it will provide updates on any such Security Incident.
    3. Investigation and Remediation. In the event of a Security Incident, Seismic shall, at its own expense, (i) investigate the Security Incident, and (ii) take steps, as Seismic deems necessary and reasonable, to mitigate and remediate the effects of the Security Incident, to the extent mitigation and remediation is within Seismic's reasonable control, and (iii) reasonably cooperate with an impacted Customer and any law enforcement or regulatory official to assist Customer to comply with its notification obligations under applicable Laws. Seismic’s notifications to Customer or any legal or regulatory agency are informational only and do not constitute a Seismic acknowledgment of fault, liability, or violation of any Laws.
    4. Customer Notification. If a Customer becomes aware of an incident that could have an impact on Seismic’s ISMS, including a Security Incident, the Customer must promptly notify Seismic of the incident without undue delay.
    5. System Status. Seismic currently publishes system status information here.
11. Security Awareness Training

    All Seismic employees are required to undergo security and privacy awareness training, at the time of hiring, and annually thereafter. Seismic also requires additional role-based security training for those employees with access to Customer Content or the application that processes and stores Customer Content. All Seismic employees and contractors are contractually obligated to maintain the confidentiality of Customer Content, in accordance with applicable Laws, Customer agreement terms, and Seismic’s Privacy Policy.

12. Background Checks

    Seismic performs background checks on all employees who have access to Customer Content in accordance with its standard operating procedures, and subject to applicable Laws.

13. Third-Party Risk Management

    Seismic maintains a third-party risk management program designed to assess and manage security risks associated with its vendors that access or otherwise process Customer Content.

14. Data Encryption

    Seismic uses encryption to protect Customer Content in-transit (e.g., TLS 1.2 or greater) and at-rest (e.g., AES 256). Customer

15. Secure Development Practices

    Seismic maintains the following development controls:

    1. Development Policies. Seismic follows secure application development policies, procedures, and standards that are aligned to industry-standard practices, such as the OWASP Top 10 and SANS Top 20 / CIS Critical Security Controls; and
    2. Training. Seismic provides employees responsible for secure application design, development, configuration, testing, and deployment, annual and role-based technical training on secure application development practices.
16. Virus and Malware Control

    Seismic employs then-current industry-standard measures designed to detect and remediate Malicious Elements designed to negatively impact the operation or performance of the Services.

17. Penetration Testing

    Seismic engages third parties to conduct annual penetration tests of the Services and to issue a report of their findings (“Testing Report”). Evidence of Seismic’s then-current Testing Report, and summary reports of relevant remediation plans are available to a Customer upon its written request.

18. Device Management Program

    Seismic has implemented and will maintain a device management program for Seismic- owned, provided or managed devices, including laptops, tablets, and other endpoints that access or process Customer Content. Seismic reviews its device management program at least annually to address evolving threats and industry best practices for services and products similar to the Services.

19. Change and Configuration Management

    Seismic maintains policies and procedures for managing changes to production systems, applications, and databases. Such policies and procedures include: (i) a process for documenting, testing and approving the promotion of changes into production; (ii) security patching process that requires patching systems in a timely manner based on a risk analysis; and (iii) process for Seismic to perform security assessments of changes into production.

20. Physical and Environmental Security

    Seismic's production data centers used to provide the Services are equipped with industry-standard physical security measures, including access controls, surveillance systems, and environmental monitoring. These physical access controls are established and maintained by the applicable provider in accordance with their respective standard procedures. As examples, a summary of current physical access controls of (i) Microsoft Azure are here, (ii) AWS are found here, and (iii) OCI are found here.

21. Business Continuity and Disaster Recovery. Seismic has established and shall maintain a business continuity and disaster recovery plan (“BCP”) that implement appropriate disaster recovery and business resumption plans and procedures, and which is reviewed and tested at least annually. The scope of the BCP is to validate the ability to failover a production instance from a primary data center to a secondary data center utilizing developed Seismic operational and disaster recovery procedures and documentation.
22. Security Contact. Customer must identify to, and keep updated with, Seismic all appropriate security contact(s) information for Security Incident notification and security-related communication related to the Services.
23. Customer Responsibility. Customer bears sole responsibility for reviewing this Infosec Addendum, Seismic’s Audit Reports and its ISMS, and making an independent determination as to whether the security controls identified therein and supporting the Services meet Customer’s requirements.