Common use of Vendor Security Clause in Contracts

Vendor Security. Third party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments commensurate with their access and handling of confidential information. The SharpSpring Privacy Policy includes provisions related to the sharing of data with third party service providers and their obligations to maintain the confidentiality of that data. Physical and Environmental Security Physical security controls in all data centers utilized by the SharpSpring SaaS infrastructure include protection of facility perimeters using various access control measures, including biometric identification, supervised entry, 24/7/365 on-premise security teams, CCTV systems. Access to data centers is limited to authorized employees or contractors only. Controls are in place to protect against environmental hazards at all data centers. All data center facilities have successfully been attested to SSAE 18, SOC 2 type 2, ISO 27001, or similar requirements. Communications and Operations Management The operation of systems and applications that support the Service is subject to documented operating procedures. The System Administration team maintains standard server configurations. Separate environments are maintained to allow for the testing of changes. Third-party access to SharpSpring systems is regularly audited. The organization maintains documented backup procedures. Full backups are performed regularly for all production databases. Data backups are transferred to an offsite location on a regular schedule and are stored encrypted. The physical disk arrays, which host the data, use a cipher of AES256 to store the data encrypted at rest. All systems and network devices are synchronized to a reliable and accurate time source via the “Network Time Protocol” (NTP). All high priority event-alerting tools escalate into notifications for SharpSpring’s 24x7 incident response team, providing the System Administration team with alerts, as needed. Access Controls SharpSpring maintains an “Acceptable Use” policy that outlines requirements for the use of user IDs and passwords. The organization publishes and maintains a password management standard. In general, users are asked to follow the strong password policies. Strong authentication practices (e.g., SSH keys, 2FA, IP-based restrictions) are used to control access to production and development environments. Direct access to the “root” account on all production servers is restricted to Software Engineering and System Administration personnel as deemed necessary. All access controls are based on “least privilege” and “need to know” principles. Different roles, including read-only, limited, and administrative access, are used in the environment. Upon notice of termination, all user access is removed in a timely fashion. All critical system access is removed immediately upon notification. Information Systems Acquisition, Development, and Maintenance Product features are managed through a formalized product management process. Security requirements are discussed and formulated during scoping and design discussions. Application source code is stored in a central repository. Access to source code is limited to authorized individuals. SharpSpring maintains a QA Department dedicated to reviewing and testing application functionality and stability. Changes to SharpSpring software are tested before production deployment. Deployment processes include unit testing at the source environment, as well as integration and functional testing within a test environment prior to implementation in production. Information Security Incident Management XxxxxXxxxxx maintains an incident response process. Internally, XxxxxXxxxxx maintains an incident response plan that is tested on a regular basis. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal information flow. The incident response plan is exercised on a regular basis, at least annually. Business Continuity Management For redundancy, SharpSpring utilizes database replication architectures. Database backups are stored on local disks in data centers, as well as copied to remote storage locations. SharpSpring has implemented redundant data center infrastructure to better support high availability across the entire system. Each key service layer includes redundant components that mitigate the impact of predictable failures such as hardware problems, and also allows for capacity scaling as customer data and usage grows. SharpSpring Application Security Features Access to SharpSpring services requires access to a unique API key, and access to a customer’s account portal requires a login and password. SharpSpring supports and encourages the use of HTTPS for all communications with our website and services. DATA EXPORTER Authorised Signature ………………………………………………. Printed Name …………………………………………………………... DATA IMPORTER Name: SharpSpring Inc DBA Sharpspring Technologies Inc. Authorised Signature ………………………………………………..

Vendor Security. Third party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments commensurate with their access and handling of confidential information. The SharpSpring Privacy Policy includes provisions related to the sharing of data with third party service providers and their obligations to maintain the confidentiality of that data. Physical and Environmental Security Physical security controls in all data centers utilized by the SharpSpring SaaS infrastructure include protection of facility perimeters using various access control measures, including biometric identification, supervised entry, 24/7/365 on-premise security teams, CCTV systems. Access to data centers is limited to authorized employees or contractors only. Controls are in place to protect against environmental hazards at all data centers. All data center facilities have successfully been attested to SSAE 18, SOC 2 type 2, ISO 27001, or similar requirements. Communications and Operations Management The operation of systems and applications that support the Service is subject to documented operating procedures. The System Administration team maintains standard server configurations. Separate environments are maintained to allow for the testing of changes. Third-party access to SharpSpring systems is regularly audited. The organization maintains documented backup procedures. Full backups are performed regularly for all production databases. Data backups are transferred to an offsite location on a regular schedule and are stored encrypted. The physical disk arrays, which host the data, use a cipher of AES256 to store the data encrypted at rest. All systems and network devices are synchronized to a reliable and accurate time source via the “Network Time Protocol” (NTP). All high priority event-alerting tools escalate into notifications for SharpSpring’s 24x7 incident response team, providing the System Administration team with alerts, as needed. Access Controls SharpSpring maintains an “Acceptable Use” policy that outlines requirements for the use of user IDs and passwords. The organization publishes and maintains a password management standard. In general, users are asked to follow the strong password policies. Strong authentication practices (e.g., SSH keys, 2FA, IP-based restrictions) are used to control access to production and development environments. Direct access to the “root” account on all production servers is restricted to Software Engineering and System Administration personnel as deemed necessary. All access controls are based on “least privilege” and “need to know” principles. Different roles, including read-only, limited, and administrative access, are used in the environment. Upon notice of termination, all user access is removed in a timely fashion. All critical system access is removed immediately upon notification. Information Systems Acquisition, Development, and Maintenance Product features are managed through a formalized product management process. Security requirements are discussed and formulated during scoping and design discussions. Application source code is stored in a central repository. Access to source code is limited to authorized individuals. SharpSpring maintains a QA Department dedicated to reviewing and testing application functionality and stability. Changes to SharpSpring software are tested before production deployment. Deployment processes include unit testing at the source environment, as well as integration and functional testing within a test environment prior to implementation in production. Information Security Incident Management XxxxxXxxxxx SharpSpring maintains an incident response process. Internally, XxxxxXxxxxx SharpSpring maintains an incident response plan that is tested on a regular basis. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal information flow. The incident response plan is exercised on a regular basis, at least annually. Business Continuity Management For redundancy, SharpSpring utilizes database replication architectures. Database backups are stored on local disks in data centers, as well as copied to remote storage locations. SharpSpring has implemented redundant data center infrastructure to better support high availability across the entire system. Each key service layer includes redundant components that mitigate the impact of predictable failures such as hardware problems, and also allows for capacity scaling as customer data and usage grows. SharpSpring Application Security Features Access to SharpSpring services requires access to a unique API key, and access to a customer’s account portal requires a login and password. SharpSpring supports and encourages requires the use of HTTPS for all communications with our website and services. DATA EXPORTER Authorised Signature ………………………………………………ANNEX III LIST OF SUB-PROCESSORS Data importer has authorized the use of the subprocessors detailed at xxxxx://xxxxxxxxxxx.xxx/legal/subprocessors/ which are applicable to the services being provided to data importer. Printed Name …………………………………………………………... DATA IMPORTER Name: SharpSpring Inc DBA Sharpspring Technologies Inc. Authorised Signature ………………………………………………..International Data Transfer Addendum to the EU Commission Standard Contractual Clauses This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Vendor Security. Third party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments commensurate with their access and handling of confidential information. The SharpSpring Privacy Policy includes provisions related to the sharing of data with third party service providers and their obligations to maintain the confidentiality of that data. Physical and Environmental Security Physical security controls in all data centers utilized by the SharpSpring SaaS infrastructure include protection of facility perimeters using various access control measures, including biometric identification, supervised entry, 24/7/365 on-premise security teams, CCTV systems. Access to data centers is limited to authorized employees or contractors only. Controls are in place to protect against environmental hazards at all data centers. All data center facilities have successfully been attested to SSAE 18, SOC 2 type 2, ISO 27001, or similar requirements. Communications and Operations Management The operation of systems and applications that support the Service is subject to documented operating procedures. The System Administration team maintains standard server configurations. Separate environments are maintained to allow for the testing of changes. Third-party access to SharpSpring systems is regularly audited. The organization maintains documented backup procedures. Full backups are performed regularly for all production databases. Data backups are transferred to an offsite location on a regular schedule and are stored encrypted. The physical disk arrays, which host the data, use a cipher of AES256 to store the data encrypted at rest. All systems and network devices are synchronized to a reliable and accurate time source via the “Network Time Protocol” (NTP). All high priority event-alerting tools escalate into notifications for SharpSpring’s 24x7 incident response team, providing the System Administration team with alerts, as needed. Access Controls SharpSpring maintains an “Acceptable Use” policy that outlines requirements for the use of user IDs and passwords. The organization publishes and maintains a password management standard. In general, users are asked to follow the strong password policies. Strong authentication practices (e.g., SSH keys, 2FA, IP-based restrictions) are used to control access to production and development environments. Direct access to the “root” account on all production servers is restricted to Software Engineering and System Administration personnel as deemed necessary. All access controls are based on “least privilege” and “need to know” principles. Different roles, including read-only, limited, and administrative access, are used in the environment. Upon notice of termination, all user access is removed in a timely fashion. All critical system access is removed immediately upon notification. Information Systems Acquisition, Development, and Maintenance Product features are managed through a formalized product management process. Security requirements are discussed and formulated during scoping and design discussions. Application source code is stored in a central repository. Access to source code is limited to authorized individuals. SharpSpring maintains a QA Department dedicated to reviewing and testing application functionality and stability. Changes to SharpSpring software are tested before production deployment. Deployment processes include unit testing at the source environment, as well as integration and functional testing within a test environment prior to implementation in production. Information Security Incident Management XxxxxXxxxxx maintains an incident response process. Internally, XxxxxXxxxxx maintains an incident response plan that is tested on a regular basis. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal information flow. The incident response plan is exercised on a regular basis, at least annually. Business Continuity Management For redundancy, SharpSpring utilizes database replication architectures. Database backups are stored on local disks in data centers, as well as copied to remote storage locations. SharpSpring has implemented redundant data center infrastructure to better support high availability across the entire system. Each key service layer includes redundant components that mitigate the impact of predictable failures such as hardware problems, and also allows for capacity scaling as customer data and usage grows. SharpSpring Application Security Features Access to SharpSpring services requires access to a unique API key, and access to a customer’s account portal requires a login and password. SharpSpring supports and encourages requires the use of HTTPS for all communications with our website and services. DATA EXPORTER Authorised Signature ………………………………………………. Printed Name …………………………………………………………... DATA IMPORTER Name: SharpSpring Inc DBA Sharpspring Technologies Inc. Authorised Signature ………………………………………………..

Vendor Security. Third party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments commensurate with their access and handling of confidential information. The SharpSpring Privacy Policy includes provisions related to the sharing of data with third party service providers and their obligations to maintain the confidentiality of that data. Physical and Environmental Security Physical security controls in all data centers utilized by the SharpSpring SaaS infrastructure include protection of facility perimeters using various access control measures, including biometric identification, supervised entry, 24/7/365 on-premise security teams, CCTV systems. Access to data centers is limited to authorized employees or contractors only. Controls are in place to protect against environmental hazards at all data centers. All data center facilities have successfully been attested to SSAE 18, SOC 2 type 2, ISO 27001, or similar requirements. Communications and Operations Management The operation of systems and applications that support the Service is subject to documented operating procedures. The System Administration team maintains standard server configurations. Separate environments are maintained to allow for the testing of changes. Third-party access to SharpSpring systems is regularly audited. The organization maintains documented backup procedures. Full backups are performed regularly for all production databases. Data backups are transferred to an offsite location on a regular schedule and are stored encrypted. The physical disk arrays, which host the data, use a cipher of AES256 to store the data encrypted at rest. All systems and network devices are synchronized to a reliable and accurate time source via the “Network Time Protocol” (NTP). All high priority event-alerting tools escalate into notifications for SharpSpringXxxxxXxxxxx’s 24x7 incident response team, providing the System Administration team with alerts, as needed. Access Controls SharpSpring maintains an “Acceptable Use” policy that outlines requirements for the use of user IDs and passwords. The organization publishes and maintains a password management standard. In general, users are asked to follow the strong password policies. Strong authentication practices (e.g., SSH keys, 2FA, IP-based restrictions) are used to control access to production and development environments. Direct access to the “root” account on all production servers is restricted to Software Engineering and System Administration personnel as deemed necessary. All access controls are based on “least privilege” and “need to know” principles. Different roles, including read-only, limited, and administrative access, are used in the environment. Upon notice of termination, all user access is removed in a timely fashion. All critical system access is removed immediately upon notification. Information Systems Acquisition, Development, and Maintenance Product features are managed through a formalized product management process. Security requirements are discussed and formulated during scoping and design discussions. Application source code is stored in a central repository. Access to source code is limited to authorized individuals. SharpSpring maintains a QA Department dedicated to reviewing and testing application functionality and stability. Changes to SharpSpring software are tested before production deployment. Deployment processes include unit testing at the source environment, as well as integration and functional testing within a test environment prior to implementation in production. Information Security Incident Management XxxxxXxxxxx maintains an incident response process. Internally, XxxxxXxxxxx maintains an incident response plan that is tested on a regular basis. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal information flow. The incident response plan is exercised on a regular basis, at least annually. Business Continuity Management For redundancy, SharpSpring utilizes database replication architectures. Database backups are stored on local disks in data centers, as well as copied to remote storage locations. SharpSpring has implemented redundant data center infrastructure to better support high availability across the entire system. Each key service layer includes redundant components that mitigate the impact of predictable failures such as hardware problems, and also allows for capacity scaling as customer data and usage grows. SharpSpring Application Security Features Access to SharpSpring services requires access to a unique API key, and access to a customer’s account portal requires a login and password. SharpSpring supports and encourages requires the use of HTTPS for all communications with our website and services. DATA EXPORTER Authorised Signature ………………………………………………. Printed Name …………………………………………………………... DATA IMPORTER Name: SharpSpring Inc DBA Sharpspring Technologies Inc. Authorised Signature ………………………………………………..ANNEX III LIST OF SUB-PROCESSORS Data importer has authorized the use of the subprocessors detailed at xxxxx://xxxxxxxxxxx.xxx/legal/subprocessors/ which are applicable to the services being provided to data importer.

Vendor Security. Third party service providers whose services involve access to any confidential information must agree contractually to data privacy and security commitments commensurate with their access and handling of confidential information. The SharpSpring Privacy Policy includes provisions related to the sharing of data with third party service providers and their obligations to maintain the confidentiality of that data. Physical and Environmental Security Physical security controls in all data centers utilized by the SharpSpring SaaS infrastructure include protection of facility perimeters using various access control measures, including biometric identification, supervised entry, 24/7/365 on-premise security teams, CCTV systems. Access to data centers is limited to authorized employees or contractors only. Controls are in place to protect against environmental hazards at all data centers. All data center facilities have successfully been attested to SSAE 18, SOC 2 type 2, ISO 27001, or similar requirements. Communications and Operations Management The operation of systems and applications that support the Service is subject to documented operating procedures. The System Administration team maintains standard server configurations. Separate environments are maintained to allow for the testing of changes. Third-party access to SharpSpring systems is regularly audited. The organization maintains documented backup procedures. Full backups are performed regularly for all production databases. Data backups are transferred to an offsite location on a regular schedule and are stored encrypted. The physical disk arrays, which host the data, use a cipher of AES256 to store the data encrypted at rest. All systems and network devices are synchronized to a reliable and accurate time source via the “Network Time Protocol” (NTP). All high priority event-alerting tools escalate into notifications for SharpSpring’s 24x7 incident response team, providing the System Administration team with alerts, as needed. Access Controls SharpSpring maintains an “Acceptable Use” policy that outlines requirements for the use of user IDs and passwords. The organization publishes and maintains a password management standard. In general, users are asked to follow the strong password policies. Strong authentication practices (e.g., SSH keys, 2FA, IP-based restrictions) are used to control access to production and development environments. Direct access to the “root” account on all production servers is restricted to Software Engineering and System Administration personnel as deemed necessary. All access controls are based on “least privilege” and “need to know” principles. Different roles, including read-only, limited, and administrative access, are used in the environment. Upon notice of termination, all user access is removed in a timely fashion. All critical system access is removed immediately upon notification. Information Systems Acquisition, Development, and Maintenance Product features are managed through a formalized product management process. Security requirements are discussed and formulated during scoping and design discussions. Application source code is stored in a central repository. Access to source code is limited to authorized individuals. SharpSpring maintains a QA Department dedicated to reviewing and testing application functionality and stability. Changes to SharpSpring software are tested before production deployment. Deployment processes include unit testing at the source environment, as well as integration and functional testing within a test environment prior to implementation in production. Information Security Incident Management XxxxxXxxxxx maintains an incident response process. Internally, XxxxxXxxxxx maintains an incident response plan that is tested on a regular basis. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal information flow. The incident response plan is exercised on a regular basis, at least annually. Business Continuity Management For redundancy, SharpSpring utilizes database replication architectures. Database backups are stored on local disks in data centers, as well as copied to remote storage locations. SharpSpring has implemented redundant data center infrastructure to better support high availability across the entire system. Each key service layer includes redundant components that mitigate the impact of predictable failures such as hardware problems, and also allows for capacity scaling as customer data and usage grows. SharpSpring Application Security Features Access to SharpSpring services requires access to a unique API key, and access to a customer’s account portal requires a login and password. SharpSpring supports and encourages the use of HTTPS for all communications with our website and services. DATA EXPORTER Authorised Signature ………………………………………………. Printed Name …………………………………………………………... DATA IMPORTER Name: SharpSpring Inc DBA Sharpspring Technologies Inc. Authorised Signature ……………………………………………….... Printed Name: Xxxxx Xxxxxxx Company/Organization Title: Chief Financial Officer 25230153.2 Signature Certificate Document Ref.: ZXUEO-SM5FF-WU6UN-DGBJB Document signed by: Document completed by all parties on: 17 May 2021 16:24:47 UTC Signed with XxxxxXxx.xxx PandaDoc is the document platform that boosts your company's revenue by accelerating the way it transacts. Xxxxx Xxxxxxx Verified E-mail: xxxxx.xxxxxxx@xxxxxxxxxxx.xxx IP: 209.251.145.20