<p>How hc1 Makes Security and Privacy Our Top Priority</p>

hc1 highly values customer data security and treats all customer data as confidential. We do not use any information collected on behalf of a customer except as may be allowed in a contract with
that customer.

The ability to secure PHI was built into the hc1 platform from the start, not tacked on as an afterthought. The need to protect this information while maintaining high availability and fast system response informs every architecture and design decision.
Unlike many companies that claim to offer cloud solutions, hc1 is committed to providing a complete platform from one source. For example, hc1 not only monitors what’s going on inside of the data center, but also monitors the accessibility of the system from external sources to understand the user experience.
hc1 achieves industry-leading performance by providing:

• Contracted service level agreements for uptime and availability
• 24x7x365 real-time internal and external monitoring
• Layered monitoring from the application through the data center
• Redundancy built into all layers of the environment, from the application through the data center
• System and data backups, data restores, and disaster recovery

hc1’s corporate security governance is HIPAA-compliant and aligns with IT, industry, and cloud security best practices, ISO27001 in particular.
hc1.com Inc. is also Privacy Shield certified. To view our corporate information, go to the Privacy Shield site at www.privacyshield.gov, open the Privacy Shield List page, and search for hc1.com.

The hc1 solution is a cloud-based, multitenant, Software as a Service solution that was designed to run exclusively at AWS. AWS operates under a shared security model, wherein it supplies security “of the cloud” while hc1 (and other AWS-based systems) supplies security “in the cloud”. In other words, AWS secures the data center and servers where the software is running and makes sure the software is secure for hc1 customer data. AWS has more information here: aws.amazon.com/compliance/shared-responsibility-model/
Multiple programs certify AWS data centers. Information about AWS compliance is here: aws.amazon.com/compliance/
A current version of the SSAE 16 SOC 2 report for AWS is available upon request from hc1.

Access to the hc1 platform requires authentication with username and password, and passwords are encrypted. Federated sign on (i.e. Single Sign On) based on the SAML 2.0 or OpenID Connect
standard is supported.

As described in the hc1 Use of Cryptographic Controls Policy, the hc1 platform provides full encryption of all data in motion and all data at rest, not just data designated as sensitive (such as PHI). All data in transit is encrypted using SSL-TLS version 1.2. To encrypt all data at rest, hc1 employs FIPS 140-2 compliant Amazon EBS encryption.

hc1 uses Splunk for log management and is implementing Security Information and Event Management functionality in this system. A SIEM concentrates and correlates logging, event notification, and forensic analysis information from critical infrastructure and other security tools.

hc1 is committed to leveraging as much of the standard AWS infrastructure as possible in the architecture of our system. We use AWS’ Network Access Control Lists (NACLs) and Security Groups
for firewall and web application firewall functionality and AWS Elastic Load Balancers for load balancing.

The hc1 Operations Team monitors servers, routers, switches, load balancers, and other critical network equipment on the network 24x7x365. It also utilizes external services to assure hc1 users
can reach the hc1 system. The hc1 Service Level Agreements guarantee that the hc1 system is available for customer use—not simply that the system is “up” or that the infrastructure is functional.

The hc1 platform utilizes near-real-time data replication to ensure hc1 can meet our Recovery Point Commitment in the event of a disaster at our primary AWS data center. In accordance with the hc1 Backup Policy, hc1 also performs full backups periodically in case a customer’s system should ever need to be restored.

In accordance with the hc1 Change Management Policy, hc1 uses JIRA to document and track changes in order to increase communication between teams that share resource dependencies and inform relevant parties of pending changes. A Change Advisory Board consisting of engineering, management, and security employees reviews all changes.

hc1 takes patching seriously because known vulnerabilities are often the pathway into systems for hackers. In accordance with the hc1 Patching Standard, hc1 employees monitor both industry-standard notification lists for announced vulnerabilities and associated fixes. They also perform external vulnerability scans and internal credentialed scans at least once a week on hc1 systems. The goal is to patch all systems at least once per calendar month. hc1 generally delivers new software releases to production at about the same frequency and tests hc1 systems throughout the development cycle (test to stage to production). This process also allows hc1 employees to test systems with the patch version that the software will go live with. In the event of a zero-day threat, confirming whether hc1 has systems affected and delivering the appropriate patch as soon as possible would be the top priority.

Only authorized users with proper credentials can access and administer hc1 infrastructure.

As a HIPAA-regulated business, hc1 is subject to a rigorous set of requirements designed to ensure the highest level of security for the PHI stored in our systems. Since hc1 customers are also HIPAA regulated, each is required to perform a reasonable level of due diligence when deciding to acquire a new service we provide. As a result, hc1 is subject to frequent security evaluations.

In addition to the frequent automated vulnerability testing we do, hc1 also performs security, vulnerability, and penetration testing in conjunction with a third-party vendor to uncover potential
security vulnerabilities in the hc1 software and systems. Industry best practices are used to complete the tests.

hc1 uses a combination of Nessus Cloud and Nessus Pro to perform internal and external system scans.

hc1 leverages software, tools, and processes to ensure data is not lost, misused, or accessed by unauthorized users. For example, hc1 monitors all incoming and outgoing hc1 email for potentially
sensitive data. Likewise, all employees must log on to the corporate VPN when using their laptops to allow for network monitoring.

As per HIPAA regulations and in accordance with the hc1 Incident Management Policy, in the event of a security incident, hc1 will take immediate steps to address the situation and will then contact our customer (the Covered Entity) about the event.

Good policies are important because they help establish principles, which guide decisions and actions across the entire organization. Like most HIPAA-regulated organizations, hc1 has created, published, and provided training on a set of Information Security Policies and Information Protection Standards. All of hc1’s policies apply to all employees of the company, whether or not they have access to PHI. If department-level policies become necessary, they would be required to align with these corporate policies and would be subject to the same oversight.

These documents are a few of the official guidelines that all hc1 employees must follow. These documents are reviewed annually or more frequently as needed.

• hc1 Accounting of PHI Disclosures Procedure
• hc1 Access Authorization Policy
• hc1 Access Establishment and Modification Policy
• hc1 Audit, Logging, and Monitoring Policy
• hc1 Backup Policy
• hc1 Breach Notification Policy
• hc1 Change Management Policy
• hc1 Contingency Planning Policy
• hc1 Customer Support Policy and Procedure
• hc1 Data Management Policy
• hc1 Exception Policy
• hc1 General HIPAA Compliance Policy
• hc1 HHS HIPAA Investigations Policy
• hc1 HIPAA Privacy Complaints Policy
• hc1 Incident Management Policy
• hc1 Information Security Program
• hc1 Information Security Risk Management Policy
• hc1 Information System Maintenance Policy
• hc1 Malware Protection Policy
• hc1 Mobile Computing Device Security Policy
• hc1 Password Management Policy
• hc1 Patching Standard
• hc1 PHI Use and Disclosures Policy
• hc1 Risk Analysis Policy
• hc1 Security Reminders Policy
• hc1 Software Development Lifecycle Policy
• hc1 Systems Compliance Reviews Policy
• hc1 Third-Party Risk Management Policy
• hc1 Use of Cryptographic Controls Policy
• hc1 Vulnerability Management Policy
• hc1 Wireless Network Security Policy
• hc1 Workforce Clearance Policy
• hc1 Workstation Acceptable Use Policy
• hc1 Workstation Security and Clean Desk Policy

All of hc1’s employees are expected to be familiar with HIPAA regulations and, per these regulations, receive regular education and reminders about security best practices. All of hc1’s employees go through an annual third-party HIPAA training and certification program and must pass a test on the materials, whether they have access to PHI or not. Security information and updates are published to the team periodically throughout the year in accordance with the hc1 Security Reminders Policy. Additionally, employees are instructed about how security affects their specific roles within the organization and the company
as a whole.

The hc1 corporate network is completely separate from the hc1 platform network. No customer-facing systems are physically located at hc1’s office. All of the systems used to run the hc1 business
are either cloud based or operated by service providers. In the event of a disaster at the hc1 office, all employees would be able to provide full service to customers from home.

In accordance with both the hc1 Access Authorization Policy and the hc1 Access Establishment and Modification Policy, only authorized hc1 employees can access customer data based on their job function and a “need to know.” Control is also enforced by segregation of duties. hc1’s Security Team conducts periodic reviews to confirm users with privileged access continue to require that access.

To comply with the hc1 Workforce Clearance Policy, hc1 Human Resources employs a third party to perform full background checks on all candidates for employment. Information is collected and retained about educational background, work history, criminal felony and misdemeanor history, the results of an SSN trace and validation, the results of a search of global sanctions and national sex offender registries, and the candidate’s credit history.