Common use of Party Software Clause in Contracts

Party Software. We have a third-party software and data sub-processor security review process that must be completed before using new services at our organization. We limit the amount of data shared with sub-processors to only what is necessary to perform their services. We identify all sub-processors (current list in Appendix) that will have access to user data and conduct due diligence to ensure that they have appropriate security measures in place. We also review sub-processor contracts to ensure that they contain appropriate data protection and security requirements.

Background Checks

All Epic employees undergo criminal background checks and sign agreements barring any use of confidential information outside of the scope of their work with the company.

Other Security Practices

External Security Assessment

We conduct an annual external security assessment of our applications. We make the reports associated with these assessments available for our users, on request. Based on the assessment, the issues are resolved according to their severity level and overall security posture is evaluated.

Incident Management and Response

Epic has a standardized process for responding to security incidents. When a security incident is suspected, teams are notified through our alerting channels (pager-duty notifications, emails or instant messaging) and a central communication channel is established. After each incident, we conduct a post-mortem analysis to identify root causes and track any related follow-up work. If Epic believes that a customer’s personal information has been accessed or modified by an unauthorized third party, we designate such breach as a security incident. In the event of a security incident we will take all necessary steps to notify the affected customers within two business days following the incident, and recommend immediate corrective actions to mitigate the risks.

We have established incident response procedures for security incidents that involve sub-processors, including notification requirements and escalation procedures.

Appears in 3 contracts

Sources: Student Data Privacy Agreement, Data Privacy Agreement, Data Privacy Agreement