These Technical and Organizational Security Measures (“Security Measures”) are incorporated into and form part of your applicable agreement with Lucio with respect to your use of the Lucio Products (the “Agreement”). The Security Measures set out the security features, processes, and controls applicable to Lucio Products, which employs industry standard information security best practices.
Definitions
The following terms have the following meanings when used in the Security Measures. Any capitalized terms that are not defined in the Security Measures have the meaning provided in your Agreement.
“Cloud Provider” means Amazon Web Services (AWS), Microsoft Azure (Azure), Google Cloud Platform (GCP), or MongoDB.
“Customer Data” means any data you or your end users upload into the Lucio Products.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
“Information Security Program” means Lucio’s written security program, policies, and procedures that set forth the administrative, technical, and physical safeguards designed to protect Customer Data.
“Privileged User” means a select Lucio employee or third-party contractor who has been granted unique authority to access Customer Data or Lucio Systems as required to perform their job function.
“Security Incident Response Plan” means Lucio’s documented protocols for evaluating suspected security threats and responding to confirmed Data Breaches and other security incidents.
Information Security Program Overview
General. Lucio maintains a comprehensive written Information Security Program to establish effective administrative, technical, and physical safeguards for Customer Data, and to identify, detect, protect against, respond to, and recover from security incidents. Lucio’s Information Security Program complies with applicable Data Protection Law. Additionally, the Lucio Platform is certified against ISO 27001:2022 and is audited under SOC 2 Type II.
Maintenance and Compliance. Lucio’s Information Security Program is maintained by a dedicated security team, led by our Chief Information Security Officer. Lucio monitors compliance with its Information Security Program, and conducts ongoing education and training of personnel to ensure compliance. The Information Security Program is reviewed and updated at least annually to reflect changes in our organization, business practices, technology, services, and applicable laws and regulations. We will not alter or modify the Information Security Program in a way that materially weakens or compromises the effectiveness of its security controls.
Lucio Personnel Controls.
Background Checks. Lucio performs background checks on all Lucio employees as well as any third-party contractor with access to Customer Data or Lucio Systems.
Personnel Obligations. Any Privileged User authorized to access Customer Data is required to commit in writing to information security and confidentiality obligations that survive termination and change of employment. Lucio maintains a formal disciplinary procedure for violations by Lucio personnel of its security policies and procedures.
Training. Upon hire and subsequently at least once per year, Privileged Users authorized to access Customer Data undergo required training on specific security topics, including phishing, secure coding, insider threats, and the secure handling of Customer Data and personally identifiable information. Further, Lucio implements mandatory, role-specific training for Privileged Users who are authorized to access Customer Data. Lucio maintains records of training occurrence and content. In addition to these mandatory trainings, Lucio offers employees additional training resources, such as internal security awareness and education groups and hackathons.
Third Parties. Lucio maintains and adheres to a documented process for the evaluation and approval of third-party service providers prior to onboarding, which includes appropriate due diligence regarding each third party’s security processes and controls. We require third parties to contractually commit to confidentiality, security responsibilities, security controls, and data reporting obligations, and we perform ongoing targeted due diligence on a quarterly basis.
Lucio Products Security Controls.
Data Centers and Physical Storage. The Lucio Products runs on Azure, MongoDB and GCP. Each Cloud Provider is responsible for the security of its data centers, which are compliant with a number of physical security and information security standards detailed at the Cloud Provider’s respective websites:
https://www.microsoft.com/en-us/trustcenter/security/azure-security
https://cloud.google.com/security/
At least once per year, each of our Cloud Providers is subject to due diligence performed by Lucio or third-party auditors, which includes obtaining and reviewing security compliance certifications. Enterprise clients have the option to control the region where their Lucio Products storage instances are deployed. This gives you the flexibility to decide where your Customer Data is physically stored, and you may choose to deploy your Customer Data in a specific geographic region (for example, only within the European Union or only within the United States).
Encryption.
Encryption in Transit. All Lucio Products network traffic is protected by Transport Layer Security (TLS), which is enabled by default and cannot be disabled. Customer Data that you transmit to the Lucio Products, as well as Customer Data transmitted between nodes of the Lucio Products, is encrypted in transit using TLS.
Key Management Procedures for Encryption in Transit. We maintain documented cryptography and key management guidelines for the secure transmission of Customer Data, and we configure our TLS encryption key protocols and parameters accordingly. Lucio’s key management procedures include: (i) generation of keys with approved key length; (ii) secure distribution, activation and storage, recovery and replacement, and update of keys; (iii) recovery of keys that are lost, corrupted, or expired; (iv) backup/archive of keys; (v) maintenance of key history; (vi) allocation of defined key activation and deactivation dates; (vii) restriction of key access to authorized individuals; and (viii) compliance with legal and regulatory requirements. When a key is compromised, it is revoked, retired, and replaced to prevent further use (except for limited use of that compromised key to remove or verify protections). Keys are protected in storage by encryption and are stored separately from encrypted data. TLS certificates are obtained from a major, widely trusted third-party public certificate authority. In the course of standard TLS key negotiation for active sessions, ephemeral session keys are generated which are never persisted to disk, as per the design of the TLS protocol.
Encryption at Rest. Customer Data is encrypted at rest using AES-256 to secure all volume (disk) data.
Access Controls.
Customer Access. The Lucio Products supports multiple authentication and authorization options and methods to give you the flexibility to meet your individualized requirements and needs. You are responsible for understanding the security configuration options available to you and the impact of your selected configurations on your Lucio Products, which are administered through a web application interface.
Lucio Products Authentication and Authorization. User credentials for the Lucio Products are stored using industry standard and audited one-way hashes. The Lucio Products supports multi-factor authentication (MFA). The Lucio Products also supports federated authentication functionality for Single Sign-On (SSO).
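The "one-way hashes" referenced above are, in practice, a salted, deliberately slow key-derivation function with a constant-time comparison on verification. The following is an added illustration of that pattern in Python's standard library; it is not Lucio's code, and the scrypt cost parameters, the storage format, and the sample passwords are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Assumed cost parameters for illustration only; a deployment tunes these
# to its hardware. 128 * N * r bytes of memory per hash (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of per-user random salt
KEY_LEN = 32    # bytes of derived key stored in place of the password


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # scrypt is memory-hard, so brute force costs RAM as well as CPU.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          dklen=KEY_LEN)


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt, key.

    Storing the parameters beside the key lets the cost be raised later
    without invalidating records written under the old settings.
    """
    salt = secrets.token_bytes(SALT_LEN)
    key = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(key)])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, key_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        actual = _derive(password, salt, int(n), int(r), int(p))
    except (ValueError, TypeError):
        # Malformed record: fail closed rather than raise to the caller.
        return False
    # hmac.compare_digest avoids leaking the matching prefix length via timing.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was written with weaker-than-current parameters,
    so the application can upgrade it on the next successful login."""
    try:
        algo, n, r, p, _salt, _key = stored.split("$")
    except ValueError:
        return True
    return (algo != "scrypt" or int(n) < SCRYPT_N or int(r) < SCRYPT_R
            or int(p) < SCRYPT_P)


if __name__ == "__main__":
    # Constructed sample credential, not real data.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

Two properties matter for a reviewer: the salt is random per record, so identical passwords produce different hashes and a precomputed table is useless, and verification never compares with `==`, which would leak timing information.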
Lucio Personnel Access to Customer Data.
Privileged User Access. As a general matter, Lucio personnel do not have authorization to access Customer Data. Only a small group of Privileged Users are authorized to access your Lucio Products in rare cases where required to investigate and restore critical services. Lucio adheres to the principle of “least privilege” with respect to those Privileged Users, and any access is limited to the minimum time and extent necessary to repair the critical issue.
Credential Requirements. Privileged User accounts may only be used for privileged activities, and Privileged Users must use a separate account to perform non-privileged activities. Privileged User accounts may not use shared credentials. The password and MFA requirements described under Credential Requirements for Lucio Personnel Access to Lucio Systems also apply to Privileged User accounts.
Access Review and Auditing. Lucio reviews Privileged User access authorization on a quarterly basis. Additionally, we revoke a Privileged User’s access when it is no longer needed, including within 24 hours of that Privileged User changing roles or leaving the company. We also log any access by Lucio personnel to Customer Data.
Lucio Personnel Access to Lucio Systems.
General. Lucio’s policies and procedures regarding access to Lucio Systems adhere to the principles of role-based access control (RBAC), least privilege, and separation of duties. In accordance with these principles, with respect to the Lucio Products, Lucio developers are only granted access to our development environments, and access to our production environment is limited to Privileged Users with appropriate authorizations. We review access authorizations to Lucio Systems on a quarterly basis and we review any changes to authorizations for Privileged Users immediately. As part of the employee off-boarding process, access to Lucio Systems is revoked within 24 hours of an employee’s departure.
Access to Lucio Products Production Environment. Our backend production environment that runs the Lucio Products is only accessible by a dedicated group of Privileged Users whose privileges must be approved by senior management.
Credential Requirements. All Lucio personnel passwords must conform to industry-standard complexity rules. Additionally, MFA is mandatory for all Lucio personnel and cannot be disabled.
Physical Controls at Lucio Offices. As noted under Data Centers and Physical Storage, Customer Data is deployed at the data centers of Lucio’s Cloud Providers, and not at facilities owned or operated by Lucio.
Secure Deletion of Customer Data. If you terminate your account, it will become unavailable to you immediately, and any Cloud Backup associated with that Lucio account will also be deleted in accordance with Lucio’s Data Backup policies.
Lucio Systems Security.
Separation of Production and Non-Production Environments. The Lucio Products has strict separation between production and non-production environments. Our Lucio Products production environment, your Lucio Products, and your Customer Data are never utilized for non-production purposes. Our non-production environments are utilized for development, testing, and staging. Lucio also maintains firewalls to achieve strict separation of our Lucio Products production environment and Lucio’s internal network.
Software Development Lifecycle. Lucio has a dedicated security team, reporting to the Chief Information Security Officer, that leads security initiatives in the software development lifecycle (SDLC). We develop new products and features in a multistage process using industry standard methodologies that include defined security acceptance criteria and align with NIST and OWASP guidance. The SDLC includes regular code reviews, documented policies and procedures for tracking and managing all changes to our code, continuous integration of source code commits, code versioning, automated static and dynamic code analysis together with manual source code analysis, vulnerability management, threat modeling, and bug hunts.
Monitoring and Alerting. Lucio monitors the health and performance of the Lucio Products without needing to access your Lucio Products. Lucio maintains a centralized log management system for the collection, storage, and analysis of log data for our Lucio Products production environment and your Lucio Products. We use this information for health monitoring, troubleshooting, and security purposes, including intrusion detection.
Vulnerability Management. Lucio maintains a documented vulnerability enumeration and management program that identifies internet-accessible company assets, scans for known vulnerabilities, evaluates risk, and tracks issue remediation. We conduct quarterly scans of both the underlying systems upon which the Lucio Products is deployed, as well as all third-party code integrated into our products. Lucio’s vulnerability management policy requires individual engineering teams to identify known vulnerabilities in system components, and to set remediation timeframes commensurate with the severity of an identified issue.
Penetration Testing and Internal Risk Assessments. The Lucio Products undergoes regular reviews from both internal and external security teams.
External Testing. Our Lucio Products production environment is subject to an external penetration test by a nationally recognized security firm at least once per calendar year. Upon request, we will provide you with a summary letter of engagement that includes the number of high, medium, and low issues identified, but due to the sensitivity of the information gathered during these tests, we cannot allow customers to perform testing of our production platform.
Internal Testing. Internally, the Lucio Products undergoes periodic risk assessments, including technical vulnerability discovery and analysis of business risks and concerns. The Lucio team also routinely performs source code review, architecture review, code commit peer review, and threat modeling.
Contingency Planning.
Backups. The Lucio Products uses Cloud Backups, which use the native snapshot functionality of our Cloud Provider to back up your Customer Data. Cloud Backup snapshots are stored with your selected Cloud Provider in the primary region of the Lucio Products instance. All Cloud Backups are encrypted at rest.
Business Continuity and Disaster Recovery. Lucio maintains a documented business continuity and disaster recovery (“BCDR”) plan that aligns with ISO 27001:2022 and SOC 2 Type II. Our BCDR plan includes: (i) clearly defined roles and responsibilities; (ii) availability requirements for customer services, including recovery point objectives (RPOs) and recovery time objectives (RTOs); and (iii) backup and restoration procedures. We review, update, and test our BCDR plan at least annually.
Incident Response and Communications.
Security Incident Response Plan. As part of the Information Security Program, Lucio maintains an established Security Incident Response Plan that aligns with ISO 27001:2022 and SOC 2 Type II. In the event that Lucio becomes aware of a Data Breach or other security incident, Lucio will follow the Security Incident Response Plan, which includes: (i) clearly defined roles and responsibilities, including designation of a security incident task force; (ii) reporting mechanisms; (iii) procedures for assessing, classifying, containing, eradicating, and recovering from security incidents; (iv) procedures and timeframes for required notifications to relevant authorities and customers; (v) procedures for forensic investigation and preservation of event and system log data; and (vi) a process for post-incident and resolution analysis designed to prevent future similar incidents. The Security Incident Response Plan is reviewed, updated, and tested annually, including a security tabletop exercise at least once per year.
Security Incident Tracking. Lucio maintains a comprehensive security incident tracking system that aligns with ISO 27001:2022 and SOC 2 Type II and documents: (i) incident type and suspected cause; (ii) whether there has been unauthorized or unlawful access, disclosure, loss, alteration, or destruction of data; (iii) if so, the categories of data affected by the incident, including categories of personal information; (iv) the time when the incident occurred or is suspected to have occurred; and (v) the remediation actions taken.
Customer Communications. Lucio will notify you without undue delay if we become aware of any Data Breach. Taking into account the information available to us, such notice will include a description of the nature and cause of the Data Breach and the expected resolution time. To the extent possible, we will subsequently update you with information regarding evaluation of the root cause, potential impact, remediation actions taken, and actions planned to prevent a future similar event.
Audit Reporting.
Third-Party Certifications and Audit Reports. Upon request, and subject to the confidentiality obligations set forth in the Agreement, we will make available to you (or your independent, third-party auditor) information regarding Lucio’s compliance with the security obligations set forth in these Security Measures in the form of third-party certifications and audit reports.
Security Questionnaires. No more than once per year, we will complete a written security questionnaire provided by you regarding the controls outlined in these Security Measures.
Security Contact.
If you have security concerns or questions, you may contact us via your respective Support channels.
