
Security Exhibit


This Security Exhibit outlines essential confidentiality, privacy, and data security practices (“Practices”) pertaining to the Customer Data provided to F12 (“F12”) in order for F12 to fulfill its obligations under the Agreement. These Practices incorporate the actions necessary to adhere to F12’s policies and procedures as defined by its Information Technology Security Policies and Procedures (“Security Program”). F12 may update or modify these Practices from time to time, provided such updates and modifications will not result in a degradation of the overall security of the Products and/or Support Services during the term of the Agreement. These Practices will not apply to Beta Versions.

Capitalized terms have the meaning defined herein or in the Agreement, and certain capitalized terms are defined at the end of this Exhibit.


Security Attestation and Risk Management

Security Attestation. F12 will maintain SOC 2 Type II and CyberSecure Canada certifications, or their equivalents, during the Term of the Agreement. F12 engages an independent third party to conduct annual security testing of its corporate IT network, datacenters, and F12 Connect.

Upon Customer’s reasonable written request at any time during the Term of the Agreement, F12 will promptly provide Customer with information related to F12’s Practices, which may include one or more of the following as Customer may request: (i) responses to a reasonable information security-related questionnaire; (ii) copies of relevant third-party audits, reviews, tests, or certifications of F12’s systems or processes, including an annual SOC 2 report; (iii) a summary of F12’s operational practices related to data protection and security; and (iv) making F12’s Personnel reasonably available for security-related discussions with Customer.

Risk Management. F12 maintains a documented risk management program that includes a quarterly risk assessment approved by senior management.


Policies, Standards, and Procedures

Policies and Standards. F12 maintains policies or standards addressing the following areas:

  • Risk Assessment
  • Information Security
  • Acceptable Use
  • Access Control
  • Software Development Lifecycle
  • Change Control Management
  • Vulnerability Management
  • Information Classification and Encryption
  • Data Retention
  • Incident Response
  • Backup and Recovery
  • Business Continuity

Security Response. F12 monitors for actual or reasonably suspected (a) unauthorized or unlawful access to or disclosure, loss, exposure or use of any Customer Data within F12 corporate systems, or (b) unauthorized access to any facility, computer network or system within F12 containing any Customer Data (collectively, “Security Incidents”).

Backup & Availability. Customer Data and the Products are replicated to hosted datacenters within the same geographic region. Backups are performed on a periodic basis, encrypted, and remotely stored.

Business Continuity Program. F12 maintains a program designed to ensure that the necessary steps will be taken to develop and maintain viable recovery strategies and business continuity plans. F12 will perform testing, conduct annual exercises, and provide training and enhancements to its business continuity program designed to ensure the continuity of F12’s services in the event of a disaster.


Data Handling and Protection

Data Regionalization. Upon subscribing to one or more of F12’s Services, Customer may select the data center region(s) in which Customer Data is stored. Customer Data may be transferred to and/or allowed to be accessed by Personnel located in the regions set forth at for Service operations and Support Services. Operational log files and files submitted for analysis by Support Services are stored in Canada.

Customer Data in Transit. Interactions between Personnel and any connections containing Customer Data are to be protected using a standard cryptographic protocol such as Transport Layer Security (“TLS”).

Customer Data at Rest. Customer Data stored within F12’s datacentres is encrypted at minimum with AES-256 encryption.

Encryption Algorithms. F12 will utilize standard production ciphers capable of a minimum of AES256-SHA2 with 2048-bit key strength or equivalent.

Multi-tenancy and Data Segregation. F12 will create, implement and maintain no less than industry-standard logical data segregation in a multi-tenant environment designed to ensure Customer Data is not viewable by unauthorized users. F12 logically isolates Customer Data, and the Customer controls the specific Customer Data stored in the Service.

Data Return and Deletion. F12 provides its customers a mechanism that can be used to delete their user data. Customer Data may be deleted upon request, except for backups and monitoring data, which will be deleted within 90 days.

Customer Data Handling. F12 maintains appropriate data security controls addressing the following areas:

  • Logical access controls including user sign-on identification and multi-factor authentication
  • Data access controls (e.g., complex and hashed password protection)
  • Multiple authentication failures that result in the temporary lockout of accounts
  • Inactivity timeout that logs the user out and requires re-authentication to access the Service
  • Security awareness program for all F12 employees

Personnel are prohibited from copying Customer Data to removable media without written permission from the Customer.

All production servers are hardened, monitored, and updated as per industry practices (NIST SP 800-123).


Secure Application Development

Least Privilege. Only authorized Personnel with a specific business purpose shall be allowed access to production and development resources and all access shall be appropriately approved.

Manual Code Review. To prevent malicious code insertion, F12 requires code review by a second peer F12 application developer or by an F12 application development manager for all of F12’s internally developed software.

Automated Testing. Personnel are required to test each build of software prior to deployment to the production environment.

Management of Vulnerabilities. F12 conducts a software vulnerability scan on all internally developed software. To the extent that the scan identifies any critical or high-risk vulnerabilities, as determined by F12, F12 will remediate those vulnerabilities.

Change Management. All changes must contain documentation and relevant rollback plans. Each change is reviewed, approved, and tested prior to deployment or software release.


F12 Cloud Infrastructure Protection

Data Centers. The F12 Cloud is provided through secure data centers. F12 maintains industry-standard physical and environmental controls that are designed to protect the confidentiality and availability of the Product.

Data Center Controls. All data centers are SOC 2 or equivalent compliant facilities that provide redundant power, backup generators, and redundant cooling systems. Network connectivity is provided through multiple Tier 1 providers. Physical access to all data center floor space is secured according to industry standards, which measures may include security cameras, proximity cards, biometric scanners, and complete access logging, or equivalent measures.


Sub-processor Security. F12 conducts security assessments of its sub-processors that process Customer Data (“Sub-processors”). F12 reviews Sub-processors’ security practices periodically to ensure the effectiveness of their security operational practices.

Change of Sub-processors. F12’s current Sub-processors are listed at the link F12 publishes for that purpose. In the event of the addition of a new Sub-processor, F12 will provide notice to Customer (which notice may be provided through email, updates to that link, or such other reasonable means; updating that information at the foregoing link shall, upon Customer’s continued use of its Services thereafter, be deemed to constitute Customer’s receipt of that notice).



“Agreement” means the Master F12 Subscription and Services Agreement, incorporating the Services Schedules and any other exhibits, addenda, or attachments hereto, and any fully executed Order Form(s).

“Authorized Parties” means Customer’s or an Affiliate’s Employees and third-party providers who are authorized by Customer in writing to access and use the Services including the Customer Data.

“Beta Versions” means beta, preview or other pre-release Products or features.

“Customer” means the customer of F12 that has entered into the Agreement with F12 and to which these Practices apply.

“Customer Data” means electronic data or information submitted to the Services by Customer or Authorized Parties, which may include Personal Information.

F12 Connect” means F12’s service enablement application that provides ticket creation and management, user identity management, product ordering, licensing management, and reporting within the Customer’s environment.

“Personnel” means an employee of F12, or contractors engaged by F12 (excluding Sub-processors).