Common use of Security Testing Clause in Contracts

Security Testing. 5.1 During the performance of services under the Agreement, Processor shall engage periodically a Third-Party (“Testing Company”) to perform penetration and vulnerability testing (“Security Tests”) with respect to Processor’s systems containing and/or storing Personal Data. 5.2 The objective of such Security Tests shall be to identify design and/or functionality issues in applications or infrastructure of the Processor systems containing and/or storing Personal Data, which could expose Controller’s assets to risks from malicious activities. Security Tests shall probe for weaknesses in applications, network perimeters or other infrastructure elements as well as weaknesses in process or technical countermeasures relating to the Processor systems containing and/or storing Personal Data that could be exploited by a malicious party. 5.3 Security Tests shall identify, at a minimum, the following security vulnerabilities: invalidated or un-sanitized input; broken or excessive access controls; broken authentication and session management; cross-site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of SSL/TLS; proper use of encryption; and anti-virus reliability and testing. 5.4 Within a reasonable period after the Security Test has been performed, Processor shall notify Controller in writing of any critical security issues that were revealed during such Security Test which have not been remediated. To the extent that critical security issues were revealed during a particular Security Test, Processor shall subsequently engage, at its own expense, the Testing Company to perform an additional Security Test to ensure resolution of identified security issues. Results thereof shall be made available to the Controller upon request.

Appears in 3 contracts

Sources: Terms and Conditions, Data Processing Agreement, Terms and Conditions

Security Testing. 5.1 During the performance of Services under the Agreement, Processor shall periodically engage, at its own expense and at least one time per year, a third party vendor (“Testing Company”) to perform penetration and vulnerability testing (“Security Tests”) with respect to Processor’s systems containing and/or storing Personal Data. 5.2 The objective of such Security Tests shall be to identify design and/or functionality issues in applications or infrastructure of the Processor systems containing and/or storing Personal Data, which could expose Controller’s assets to risks from malicious activities. Security Tests shall probe for weaknesses in applications, network perimeters or other infrastructure elements as well as weaknesses in process or technical countermeasures relating to the Processor systems containing and/or storing Personal Data that could be exploited by a malicious party. 5.3 Security Tests shall identify, at a minimum, the following security vulnerabilities: invalidated or un-sanitized input; broken or excessive access controls; broken authentication and session management; cross-site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of SSL/TLS; proper use of encryption; and anti-virus reliability and testing. 5.4 Within a reasonable period after the Security Test has been performed, Processor shall remediate the issues (if any) identified and subsequently engage, at its own expense, the Testing Company to perform a revalidation Security Test to ensure resolution of identified security issues. Results thereof shall be made available to the Controller upon request.

Appears in 3 contracts

Sources: Data Processing Agreement, Purchase Agreement, Data Processing Agreement

Security Testing. 5.1 During the performance of services under the Agreement, Processor shall engage periodically a Third-Party (“Testing Company”) to perform penetration and vulnerability testing (“Security Tests”) with respect to Processor’s systems containing and/or storing Personal Data. 5.2 The objective of such Security Tests shall be to identify design and/or functionality issues in applications or infrastructure of the Processor systems containing and/or storing Personal Data, which could expose Controller’s assets to risks from malicious activities. Security Tests shall probe for weaknesses in applications, network perimeters or other infrastructure elements as well as weaknesses in process or technical countermeasures relating to the Processor systems containing and/or storing Personal Data that could be exploited by a malicious party. 5.3 Security Tests shall identify, at a minimum, the following security vulnerabilities: invalidated or un-sanitized input; broken or excessive access controls; broken authentication and session management; cross-site scripting (XSS) flaws; buffer overflows; injection flaws; improper error handling; insecure storage; common denial of service vulnerabilities; insecure or inconsistent configuration management; improper use of SSL/TLS; proper use of encryption; and anti-virus reliability and testing. 5.4 Within a reasonable period after the Security Test has been performed, Processor shall notify Controller in writing of any critical security issues that were revealed during such Security Test which have not been remediated. To the extent that critical security issues were revealed during a particular Security Test, Processor shall subsequently engage, at its own expense, the Testing Company to perform an additional Security Test to ensure resolution of identified security issues. Results thereof shall be made available to the Controller upon request.

Appears in 1 contract

Sources: Data Processing Agreement