
Security Program

1. DRAGOS SECURITY PROGRAM 

The following describes Dragos’s Security Program.  The Security Program may be updated by Dragos from time to time, provided Dragos does not materially reduce the level of security. 

2. SECURITY PROGRAM AND STANDARDS  

Dragos maintains an information security program that aligns with industry standards for security controls and contains appropriate administrative, technical, and physical safeguards to protect Customer data against accidental or unlawful loss, alteration, access, or disclosure. Current customers and partners may request, in writing, no more than once a year, that Dragos provide Customer with its SOC 2 Type 2 Report.  All reports provided by Dragos are Confidential Information and not for distribution outside of agreed recipients.   

3. CONTROL ENVIRONMENT  

Dragos employees are required to sign confidentiality agreements in writing, committing not to disclose proprietary or confidential information, including customer information, to unauthorized parties. Dragos employees are also required to sign a written acknowledgement documenting their understanding of Dragos’s employee handbook and their responsibilities for adhering to Dragos policies and procedures.

4. PERSONNEL SCREENING  

Dragos performs background checks on all potential employees and contractors prior to employment with the company where permitted by law. Dragos customer-facing teams are subject to background checks and recurring drug testing.

5. SECURITY TRAINING & AWARENESS  

Dragos maintains a security awareness program that includes training of Dragos personnel on Dragos’s security program. Training is conducted upon hire and at least annually.  

6. ACCESS CONTROLS  

Dragos has processes in place to limit access to its systems and customer data to authorized personnel only. There are processes and procedures in place to prevent personnel from obtaining access which they should not have, and to remove access in the event of a change in job responsibilities or job status. Dragos’s policies require personnel to report any known security incidents to Dragos’s security team for investigation.   

7. NETWORK SECURITY  

Dragos utilizes security controls to protect the confidentiality and availability of customer data, including logging, monitoring and alerting systems to detect and prevent network attacks. Any transmission of Customer data is encrypted in transit.  

8. APPLICATION SECURITY  

Dragos follows industry best practices during code development. Dragos’s secure software development lifecycle (SSDLC) includes a controlled source code management system, peer review, and routine vulnerability scans. Dragos also leverages a combination of code reviews, threat modeling and internal testing. Dragos uses industry standard efforts to ensure that our offerings contain no harmful code at delivery and to prevent the introduction of such harmful code into the offerings.  In addition, Dragos contracts with an external third party to perform penetration testing on all major product releases (minimally once per year). Any vulnerabilities identified are remediated based on standard industry timeframes as per our Dragos Product Security Assurance and Vulnerability Disclosure Policy.  Dragos’s products align with NIST CSF, ISO 27001 and SOC 2 Type 2 standards.  

9. WORKSTATION & SERVER SECURITY  

Dragos workstations and servers are secured using industry standard technology and practices, including firewalls, encryption, anti-malware software and asset tracking.  

10. BUSINESS CONTINUITY AND DISASTER RECOVERY PLAN  

Dragos maintains a Business Continuity and Disaster Recovery Plan (“BCP”), which defines the processes and procedures for the company to follow in the event of a disaster. The plan is built according to industry generally accepted practices and includes elements such as roles and responsibilities, recognition and prioritization of mission-critical systems and processes, identification of off-site servers, logistics to allow critical resources to work from home or another facility as quickly as possible in case of a disaster, resources including a call list and designated temporary operating facilities, specific recovery steps, and customer notification. Dragos will regularly review and test the BCP to ensure that it is capable of recovering Dragos assets and continuing key Dragos business processes in a timely manner.

11. PRIVACY  

Dragos’s privacy program is designed to materially comply with applicable legal requirements for privacy, data protection and confidentiality of communications, including the European Union (EU) General Data Protection Regulation and the California Consumer Privacy Act. Dragos can enter into a Data Privacy Addendum (DPA) for the transfer of data collected in the European Economic Area and Switzerland to the United States, with Standard Contractual Clauses. Dragos’s Privacy Policy is available at www.dragos.com/privacy.  

12. SUBPROCESSORS & DATA TRANSFER  

Dragos may utilize subprocessors to provide certain services, provided that: (i) Dragos and the subprocessors have an agreement that covers security, confidentiality, and privacy standards; and (ii) Dragos remains responsible for delivery of the scope established in an Order. A current list of subprocessors engaged by Dragos is accessible via www.dragos.com/partners/subprocessors. 

13. RETURN OR DESTRUCTION OF CUSTOMER DATA

Upon termination of an Agreement, Dragos will delete Customer Data in its possession (i) as set forth in any written Agreement; and/or (ii) upon written request of Customer. Dragos will have no obligation to return or destroy information retained in standard archival or computer back-up systems or pursuant to normal document or e-mail retention practices and may retain information as per legal, governmental or regulatory requirements. 

14. INCIDENT RESPONSE PLAN  

Dragos maintains an Incident Response Plan (“IRP”) and will notify Customers of any unauthorized disclosure of Customer confidential data, as required by applicable privacy laws. Dragos’s IRP includes roles and responsibilities, communication guidelines, and audit and forensics guidelines.  

15. STORAGE AND TRANSMISSION SECURITY  

Dragos will ensure Customer data is encrypted in transit and at rest. 

16. DRAGOS AUDITS  

Dragos does not provide Customers or Partners with audit rights related to its IT or systems environment and procedural controls. Dragos will provide an independent SOC 2 Type 2 report annually upon execution of an NDA.