iscan Online Cloud Security And Privacy Guide




iscan Online Cloud Security And Privacy Guide Updated December 3, 2014 iscan Online, Inc. 5600 Tennyson Parkway Suite 343 Plano, TX 75024 214.276.1150 www.iscanonline.com

INTRODUCTION
PRODUCT OVERVIEW
ISCAN ONLINE SECURITY OVERVIEW
Amazon Web Services Security Overview
Reports, Certifications, and Independent Attestations
Information Assurance Certification and Accreditation Program (DIACAP)
Physical Security
Secure Services
Data Privacy
PCI DSS Level 1
ISO 27001
iscan Online Product Security
Device Security
iscan Online Cloud Console
Data Security
ISCAN ONLINE, INC. SUBSCRIBER AGREEMENT
ISCAN ONLINE, INC. PRIVACY POLICY
AMAZON EC2 SERVICE LEVEL AGREEMENT

Introduction

This document is intended to provide the reader with a thorough understanding of the iscan Online cloud-based architecture as it relates to security and privacy matters. The document will provide samples of various iscan Online policies and documents to help organizations make informed decisions about using the iscan Online service and the security posture of the data being collected, analyzed and stored within the system.

Product Overview

iscan Online is a cloud-based data breach prevention platform delivering endpoint scanning by leveraging the power of the cloud and via the iscan Browser Plugin, CLI Scanner or Native Mobile Apps. This methodology is fast, highly accurate, and leverages what most organizations already have in place: Microsoft Active Directory, Systems Management tools, Web Applications, Internet access, and a browser. This new highly accurate methodology delivers very unique scanning capabilities for today's and tomorrow's computing and mobile platforms. The cloud is leveraged for management, analysis, and reporting, while devices perform the heavy lifting of the scan process, permitting scalability across the globe. This distributed architecture provides unparalleled scalability, allowing hundreds of thousands of devices to be scanned in a matter of seconds.

iscan Online performs deep inspection of devices using a variety of methodologies, including the Windows Registry, native file systems, interrogating system configurations using operating system and application APIs, and Windows WMI queries. Using these direct access methods instead of relying upon network packet response and injection provides highly accurate results, virtually eliminating false positives, which will save time and money for security personnel. Additionally, there are no requirements for modifying ingress firewall routes and ports or configuring VPN connections, as iscan Online executes on the device and communicates via standard HTTPS web traffic.
iscan Online Security Overview

iscan Online utilizes multiple layers of security throughout the system to ensure that customers' data and privacy are protected. As the cornerstone of any cloud-based solution, the data center and storage locations of data are of utmost importance. Consequently, iscan Online has selected Amazon Web Services as our official cloud infrastructure provider. Below is a high-level description of the security features provided by the Amazon Web Services infrastructure.

Amazon Web Services Security Overview

Amazon Web Services (AWS) delivers a highly scalable cloud computing platform with high availability and reliability, and the flexibility to enable customers to build a wide range of applications. In order to provide end-to-end security and end-to-end privacy, AWS builds services in accordance with security best practices, provides appropriate security features in those services, and documents how to use those features. In addition, AWS customers must use those features and best practices to architect an appropriately secure application environment. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to AWS, as is maintaining trust and confidence.

AWS provides a wide range of information regarding its IT control environment to customers through white papers, reports, certifications, and other third-party attestations. This information assists customers in understanding the controls in place relevant to the AWS services they use and how independent auditors have validated those controls. This information also assists customers in their efforts to account for and to validate that controls are operating effectively in their extended IT environment.

At a high level, Amazon Web Services takes the following approach to secure the AWS infrastructure:

Reports, Certifications, and Independent Attestations

AWS has in the past successfully completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1), Type 2 report, published under both the SSAE 16 and the ISAE 3402 professional standards, as well as a Service Organization Controls 2 (SOC 2) report.

In addition, AWS has achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). In the realm of public sector certifications, AWS has received authorization from the U.S. General Services Administration to operate at the FISMA Moderate level, and is also the platform for applications with Authorities to Operate (ATOs) under the Defense Information Assurance Certification and Accreditation Program (DIACAP). AWS will continue to obtain the appropriate security certifications and conduct audits to demonstrate the security of their infrastructure and services. For more information on risk and compliance activities in the AWS cloud, consult the Amazon Web Services: Risk and Compliance whitepaper.

Physical Security

Amazon has many years of experience in designing, constructing, and operating large-scale data centers. AWS infrastructure is housed in Amazon-controlled data centers throughout the world. Only those within Amazon who have a legitimate business need to have such information know the actual location of these data centers, and the data centers themselves are secured with a variety of physical controls to prevent unauthorized access.

Secure Services

Each of the services within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand. For more information about the security capabilities of each service in the AWS cloud, consult the Amazon Web Services: Overview of Security Processes whitepaper.

Data Privacy

AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and redundancy procedures for services so that customers can gain greater understanding of how their data flows throughout AWS. For more information on the data privacy and backup procedures for each service in the AWS cloud, consult the Amazon Web Services: Overview of Security Processes whitepaper referenced above.

The AWS Security Center provides links to technical information, tools, and prescriptive guidance designed to help you build and manage secure applications in the AWS cloud. Our goal is to use this forum to proactively notify developers about security bulletins. Such transparency is the backbone of trust between AWS and our customers.

PCI DSS Level 1

AWS has achieved Level 1 PCI compliance. AWS has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can now run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Other enterprises can also benefit by running their applications on other PCI-compliant technology infrastructure. PCI validated services include Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and Amazon Virtual Private Cloud (VPC), Amazon Relational Database Service (RDS), Amazon Elastic Load Balancing (ELB), Amazon Identity and Access Management (IAM), and the underlying physical infrastructure and the AWS Management Environment. For more information please visit the AWS PCI DSS Level 1 FAQs.

ISO 27001

AWS has achieved ISO 27001 certification of their Information Security Management System (ISMS) covering AWS infrastructure, data centers, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). ISO 27001/27002 is a widely adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that's based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This certification reinforces Amazon's commitment to providing transparency into our security controls and practices. AWS's ISO 27001 certification includes all AWS data centers in all regions worldwide, and AWS has established a formal program to maintain the certification. A copy of the ISO certificate, available to AWS customers, describes the ISMS services and geographic scope. For more information please visit the ISO 27001 FAQs.

iscan Online Product Security

The iscan Online product development team has many years of experience developing solutions and applications for the security industry. Most of our team members have long and distinguished careers with security product companies both large and small and have published books and articles on secure product development and security standards. As part of our demanding standards for product quality and security, iscan Online is continually assessing and refining our approach to developing secure products for our customers. At a high level, the following are key components of the security architecture for iscan Online.

Device Security

The iscan Online Cloud Apps and components are digitally signed and verified before each execution to prevent unauthorized tampering with binary components. These components communicate directly to the iscan Online Cloud service over SSL verified connections to ensure data security in motion.

iscan Online Cloud Console

The iscan Online Cloud Console is the heart of the solution, providing a management interface that allows appropriate administration personnel to view and configure scanning and analyze the results of scans. The Cloud Console is hosted in the secure Amazon Web Services cloud infrastructure. The Cloud Console provides multitenant and role-based access that allows customers to view only the data that is associated with their account and for the appropriate privilege level assigned to the logged-in user. Access to the Cloud Console is authenticated over SSL using the supplied user credentials to grant access as defined by the role and privilege of the requested user account within the assigned organization. Currently the iscan Online Cloud Console provides the following roles:

User / Reporter
Organization Administrator
Domain Administrator

Data Security

iscan Online data is stored in Amazon's network of highly available data centers, strategically located around the world. These facilities are built from the ground up to protect services and data from harm, whether natural disaster or unauthorized access. Physical security best practices are maintained, including state-of-the-art hardware, 24-hour secured access, redundant power supplies, multiple fiber trunks, and other features. Because of system redundancy, updates can generally be deployed to the system without any downtime for users. The system is protected at the logical layer by robust data isolation, continuous monitoring, and a wide array of other recognized practices and technologies. PAN (Primary Account Number) and PII (personally identifiable information) data is masked and redacted before being transmitted to the iscan Online cloud to eliminate any transmittal or storage of unencrypted sensitive data.

iscan Online, Inc. Subscriber Agreement

SUBSCRIBER AGREEMENT TERMS AND CONDITIONS

THIS SUBSCRIBER AGREEMENT ("AGREEMENT") SETS FORTH THE TERMS AND CONDITIONS THAT APPLY TO THE USE OF THE PROPRIETARY ISCAN ("SERVICE") PROVIDED BY ISCAN ONLINE, INC. ("ISCAN") TO THE SUBSCRIBER ("YOU"). IN ORDER TO RECEIVE THE SERVICE, YOU MUST CLICK ON THE "Agree" BUTTON DURING SIGN-UP. BY CLICKING ON THE "Agree" BUTTON, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS AGREEMENT, AND AGREE TO BE BOUND BY IT. IF YOU DO NOT CLICK ON THE "Agree" BUTTON, ISCAN WILL NOT HAVE ENTERED INTO ANY LEGAL AGREEMENT WITH YOU AND SHALL NOT PROVIDE OR DELIVER TO YOU THE SERVICE.

1. Subscription Period. Subject to ISCAN's receipt of necessary payment, your initial subscription for the Service shall be for one year from the date you establish your account (or the period of time set forth on your order if you purchase through a reseller) (the "Subscription Term") and shall automatically renew for additional one-year terms unless you cancel your account. ISCAN will notify you prior to the end of your Subscription Term for your particular Service plan, at which time you may choose to cancel your service. If you don't cancel the Service by the end of the then-current Subscription Term, you will be charged for and agree to a subsequent annual Subscription Term. In order to cancel the Service for subscriptions purchased directly from ISCAN, you must cancel before the end of the current Subscription Term by notifying ISCAN by sending an email to cancel@iscanonline.com with the words "CANCEL ISCAN SUBSCRIPTION" in the Subject line of the email and further describe the number of Authorized User subscriptions you would like to cancel. A confirmation email will be sent by ISCAN within 7 business days confirming your cancellation.

2. Your Responsibility for Obtaining Internet Access, and Confirmation of Payment. You acknowledge and agree that you are solely responsible for purchasing and maintaining all software and hardware (collectively, "CPE"), and Internet access services necessary to access and use the Service, other than the server hardware and software used by ISCAN to provide the service. Further, you acknowledge and agree that if ISCAN does not receive payment for your account as required, ISCAN may terminate your account without liability to you.

3. Subscription Fee. If you decide to purchase a subscription for the Service, you are required to pay for your particular Service plan through our third party payment processing partner ("Payment Administrator") at the time you establish your account. ISCAN will send notification of activation of your account to the e-mail address provided when your account is registered after payment has been received. To the extent that payment mechanisms are provided through third parties, you acknowledge and agree that ISCAN shall have no liability to you arising out of the acts or omissions of such third parties. YOUR SUBMISSION OF THIS AGREEMENT CONSTITUTES YOUR CONSENT TO THE ANNUAL CHARGE ASSOCIATED WITH THE SERVICE TO THE CREDIT CARD NUMBER PROVIDED BY YOU TO ISCAN, THE PAYMENT ADMINISTRATOR, OR THE ISCAN AUTHORIZED RESELLER, AND YOU EXPRESSLY AUTHORIZE ISCAN AND/OR SUCH THIRD PARTIES TO CHARGE ANY OR ALL AMOUNTS YOU MAY OWE FOR YOUR ACCOUNT AND/OR ANNUAL ACCOUNT RENEWAL TO THE CREDIT CARD YOU'VE PROVIDED.

4. Responsibility for Use of Your Service Account. You acknowledge and agree that you are responsible for your use of your account and the use of the Service by your Authorized Users.

5. Confidentiality of Account Access: End User Responsibility. You acknowledge and agree that (i) you and your Authorized Users are, and shall be, fully responsible for, and shall take all reasonable steps necessary in order to, establish and implement any and all measures needed to limit the control and/or access to your account, including limiting access to passwords used to access your account; and (ii) ISCAN shall have no liability to you or any third party for your failure to prevent any unauthorized access or use of your account.

6. Termination.

1. Termination by You. You may terminate your Service at any time by following the instructions on the ISCAN support Website at iscanonline.com/support. In the event you terminate your Service prior to the end of your Subscription Term, you will not be entitled to a refund of your subscription fee.

2. Termination by ISCAN.
ISCAN may terminate this Agreement without notice if you are in default and/or if (a) you or your Authorized Users use the Service in a way that has a detrimental effect upon ISCAN, its customers or the Service (as determined by ISCAN, in its sole discretion); (b) you or your Authorized Users attempt to use the Service in contravention of the terms of this Agreement; (c) you or your Authorized Users transmit harassing, abusive, libelous, illegal or deceptive messages or files (as determined by ISCAN, in its sole discretion); (d) you or your Authorized Users use the Service to commit or attempt to commit a crime or facilitate the commission of any crime or other illegal or tortious act; or (f) payment of the subscription fee is not timely made, and you fail to immediately provide ISCAN with an alternative method of payment acceptable to ISCAN (as determined by ISCAN, in its sole discretion). In addition, in the event ISCAN is prevented from providing any portion or all of the Service by any law, regulation, or ruling, regardless of form, issued by any judicial or other governmental entity, or if a notice from a governmental entity, department or agency indicates that the Service cannot be provided, ISCAN may immediately cease providing the Service without any liability whatsoever to you. Nothing herein shall be construed to require ISCAN to seek a waiver of any law, rule, regulation, or restriction, or seek judicial review or appeal of any court order.

3. Miscellaneous Representations and Warranties. You agree, represent and warrant to ISCAN that:

1. You and your Authorized Users will only use the Service in accordance with the terms hereof, and will not use the same in any manner that may degrade the performance or availability of the Services;

2. Any statement or representation made by you was, at the time made, and remains, material to, and relied upon by, ISCAN, its agents and its contractors;

3. ISCAN retains all right, title and interest to the copyrights, trademarks and all other intellectual property rights associated with the Service;

4. You will not remove or alter any copyright notices and other proprietary legends from the material provided in connection with the Service;

5. You and your Authorized Users are not subject to export control restrictions established by laws and regulations of the United States of America and you and your Authorized Users shall comply with all export and import laws, rules, regulations and restrictions of the jurisdictions in which you and/or your Authorized Users reside; and

6. You will obtain any and all licenses, permits or other required approvals or authorizations that may be necessary or required by federal, state, and local laws in order to lawfully operate the CPE used by you in connection with the Services.

7. Indemnification. You shall defend, indemnify and hold harmless ISCAN, its employees, officers, directors and agents, as well as ISCAN's suppliers, successors, affiliates, agents and assigns (the "Indemnified Parties") from any claims, damages, losses, or expenses (including without limitation attorneys' fees and costs) incurred by any Indemnified Parties in connection with all claims, suits, judgments and causes of action: (i) for infringement of patents or other proprietary rights arising from combining with or using any device, system or service in connection with the Service; (ii) relating to a breach by you of the representations and warranties made by you herein; (iii) relating to a breach of any of the terms and conditions contained in this Agreement; or (iv) injury, death or property damage arising in connection with the presence, use or non-use of the Service. No remedy herein conferred upon ISCAN is intended to be, nor shall it be construed to be, exclusive of any other remedy provided herein or as allowed by law or in equity, but all such remedies shall be cumulative. In the event of the termination of this Agreement by ISCAN for your breach, you shall pay to ISCAN all attorneys' fees, collection fees, and related expenses, expended or incurred by ISCAN in the enforcement of any right or privilege hereunder (including, but not limited to, telephone, freight, express and postal charges, expenses of paid investigators and reasonable compensation for time of ISCAN's employees, agents and representatives).

8. Privacy. ISCAN's privacy policy is located at iscanonline.com/privacy. You represent and warrant to ISCAN that you have submitted this Agreement only after you have read the privacy policy, understand it, and agree to be bound by its terms.

9. Limitation of Liability.

1. Notwithstanding anything contained herein to the contrary, the sole remedy for loss or damage caused by partial or total nonperformance of the Service, or for delay or nonperformance of the Service, or partial or total failure of the Service under this Agreement, regardless of the form of action, whether in contract, tort (including negligence), strict liability or otherwise, shall be your actual direct damages, if any, which shall not, notwithstanding anything contained herein to the contrary, exceed the amount paid by you under this Agreement. ISCAN SHALL HAVE NO LIABILITY WHATSOEVER TO YOU OR ANY PARTY CLAIMING BY OR THROUGH YOU FOR THE ACCURACY, TIMELINESS, COMPLETENESS OR CONTINUED AVAILABILITY OF THE SERVICE OR FOR ANY DAMAGES ARISING OUT OF YOUR USE OF THE SERVICE OR ANY COMPONENT THEREOF, INCLUDING USE FOR MISSION-CRITICAL OR EMERGENCY COMMUNICATIONS OR IMPROPER OR UNAUTHORIZED ACCESS TO OR INTERCEPTION OF ANY COMMUNICATION OR OTHER NON-PUBLIC INFORMATION.

2. AS A MATERIAL PART OF THE CONSIDERATION PAID BY YOU UNDER THIS AGREEMENT, YOU AGREE THAT IN NO EVENT SHALL ISCAN BE LIABLE TO YOU OR ANY PARTY CLAIMING THROUGH YOU FOR, AND YOU HEREBY WAIVE YOUR RIGHT TO CLAIM, ANY INDIRECT, SPECIAL, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING LOST PROFITS, BUSINESS OR REVENUES, LOSS OF THE USE OF THE SERVICE, OR ANY ASSOCIATED PRODUCTS, LOSS OF DATA, IMPROPER OR UNAUTHORIZED ACCESS TO OR INTERCEPTION OF ANY COMMUNICATION OR OTHER NON-PUBLIC INFORMATION, COST OF CAPITAL, COST OF SUBSTITUTE GOODS, FACILITIES, SERVICES OR REPLACEMENT SERVICES, DOWNTIME COSTS OR THE CLAIMS OF YOUR CUSTOMERS FOR SUCH DAMAGES) DIRECTLY OR INDIRECTLY RELATING TO OR ARISING OUT OF THIS AGREEMENT REGARDLESS OF THE FORM OF ACTION, WHETHER IN AGREEMENT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SUCH DAMAGES WERE FORESEEN OR UNFORESEEN.
THE FOREGOING DISCLAIMER SHALL APPLY IN CIRCUMSTANCES INCLUDING, BUT NOT LIMITED TO, YOUR INABILITY TO USE THE SERVICE, OR ANY PART THEREOF.

3. THE SERVICE IS PROVIDED "AS IS" AND "AS AND WHEN AVAILABLE", WITHOUT WARRANTY OF ANY KIND. ISCAN MAKES NO WARRANTIES OR REPRESENTATIONS OF ANY KIND THAT YOU WILL HAVE OR ENJOY UNINTERRUPTED USE OR OPERATION OF THE SERVICE. ALL REPRESENTATIONS, WARRANTIES, ENDORSEMENTS AND CONDITIONS OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF TITLE OR NON-INFRINGEMENT AND ANY IMPLIED REPRESENTATIONS, WARRANTIES AND CONDITIONS OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY AND/OR THOSE ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE CONDUCT ARE HEREBY EXCLUDED. ISCAN SHALL HAVE NO LIABILITY TO YOU FOR PATENT OR COPYRIGHT INFRINGEMENT OR MISAPPROPRIATION OF TRADE SECRETS WITH RESPECT TO ANY SERVICE PROVIDED BY ANY THIRD PARTY THROUGH ISCAN. YOUR RECOURSE IN THE EVENT OF ANY SUCH CLAIM WITH RESPECT TO ANY SERVICE SHALL BE SOLELY AGAINST SUCH THIRD PARTY. IN ADDITION, ISCAN DOES NOT WARRANT THE ACCURACY OR RELIABILITY OF THE RESULTS OBTAINED THROUGH USE OF THE SERVICE OR ANY DATA OR INFORMATION DOWNLOADED OR OTHERWISE OBTAINED OR ACQUIRED THROUGH THE USE OF THE SERVICE. YOU ACKNOWLEDGE THAT ANY DATA OR INFORMATION DOWNLOADED OR OTHERWISE OBTAINED OR ACQUIRED THROUGH THE USE OF THE SERVICE ARE AT YOUR SOLE RISK AND DISCRETION AND THAT ISCAN WILL NOT BE LIABLE OR RESPONSIBLE FOR ANY HARM OR DAMAGE TO YOU OR YOUR PROPERTY (INCLUDING ANY PERSONAL COMPUTER EQUIPMENT).

4. Assignment and Delegation. ISCAN may assign this Agreement without notice to, or preapproval by, you. You, however, may not and shall not assign this Agreement or any of your rights hereunder. ISCAN may perform all obligations to be performed under this Agreement directly or may have some or all obligations performed by its contractors or subcontractors.

5. Notices/On-Line Posting of General Changes. Except as otherwise provided in this Agreement, all notices or other communications hereunder shall be deemed to have been duly given when made in writing and delivered in person, via overnight courier or certified mail (postage prepaid, return receipt requested and addressed to you as shown on the Service Order/Order Form). Notices to ISCAN must be in writing, and must be physically mailed addressed to iscan Online, Inc., 15950 N. Dallas Parkway Suite 400 Dallas, TX 75248 (Attention: CEO). Notices to you will be addressed to you based on the information provided by you during the account registration process unless you have notified ISCAN of any changes.
Notwithstanding the foregoing, or anything contained herein to the contrary, ISCAN may amend, revise, change, alter, replace, substitute the system requirements and interoperability standards, acceptable use provisions, or any other general policies applicable to all end users, at any time and in any manner, including by posting a notice of any such changes or modifications, etc. on the Service website or by e-mail. 6. Force Majeure. Notwithstanding any other provision of this Agreement, neither party shall be deemed in default of this Agreement for failure to fulfill its obligations when due to causes beyond its reasonable control. This provision shall not be construed as excusing nonperformance of any obligation by either party to make payment to the other party under this Agreement. 7. No Reverse Engineering, Decompilation, Disassembly, or Circumvention. You may not (i) modify, reverse engineer, or disassemble the ISCAN Software or Service whether in whole or in part, (ii) decompile the Software in whole or in part (except to the extent such right cannot be excluded or limited by law and then only when the express permission of ISCAN has been sought and refused), or (iii) create any derivative works from or of the Software, or bypass,
modify, defeat, or tamper with or circumvent any of the functions or protections of the ISCAN Software or any mechanisms operatively linked to the Software. 8. Miscellaneous Provisions. 1. No Third Party Beneficiaries. Except as otherwise specifically stated in this Agreement, the provisions herein are for the benefit of the Parties and not for any other person or entity. 2. Waivers of Default. Waiver by either Party of any default by the other Party shall not be deemed a continuing waiver of such default or a waiver of any other default. 3. Survival. The terms, conditions and warranties contained in this Agreement that by their sense and context are intended to survive the performance hereof by either or both parties shall so survive the completion of performance, cancellation or termination of this Agreement. 4. Governing Law. This Agreement shall be construed in accordance with the laws of the State of Texas applicable to agreements executed and wholly performed within that State without giving effect to any body of law governing conflicts of laws. This Agreement shall not be governed by the United Nations Convention of Contracts for the International Sale of Goods, the application of which is expressly excluded. 5. Venue/Forum Selection/Service of Process. The parties hereto: (i) agree that any disputes shall be heard in and by any state or federal court located within the Dallas County, State of Texas, U.S.A.; (ii) hereby waive any objection to jurisdiction of said courts with respect to any action instituted against them as provided herein; and (iii) agree not to assert any defense based on lack of jurisdiction. Each party hereto also waives personal service of any and all process upon it and consents that all such service of process shall be made by Certified U.S.
Mail or overnight courier directed to (a) you, at the address provided by you during the registration process, as updated by you from time to time, and (b) ISCAN, at the address set forth above in the notice section. 6. Right To Alter Systems, Equipment. ISCAN reserves the right, from time to time, to make changes in the configuration of ISCAN's proprietary facilities, type and location of equipment, programming languages, end user identification procedures, accessibility periods, allocation and quantity of resources utilized, rules of operation, its administrative and operational algorithms, and the designation of the control center serving you at any particular address.

iscan Online, Inc. Privacy Policy INTRODUCTION Your privacy is essential to us. Here at iscan Online, Inc., we believe that privacy is a top priority. We know that you care how information about you is used and shared. Thus, we provide this Privacy Policy to summarize our procedures and practices with regard to information collection and use. This will serve as your guide in making an intelligent decision about sharing your information with us. By visiting iscan Online, Inc., you agree to be bound by this Privacy Policy and hereby accept the procedures and practices stated herein. SCOPE This Privacy Policy applies only within this website and other pages where this policy appears. It describes and explains how we take care of and handle the personal information you share with us. By accepting the Privacy Policy and the User Agreement in registration, you expressly consent to our collection, storage, use and disclosure of your personal information as described in this Privacy Policy. COLLECTION & USE If you attempt to use the services and applications of our website and/or choose to provide information to us, this website shall collect Personal Information from you. This information includes, but is not limited to: name, address, telephone number, mobile number and/or email address. Once collected, we will store your information for a reasonable period of time for record keeping purposes. The information that we store is sometimes deleted as space requires or in the normal course of business. DISCLOSURE We may share information with governmental agencies or other companies assisting us in fraud prevention or investigation. We may do so when: (1) permitted or required by law; or, (2) trying to protect against or prevent actual or potential fraud or unauthorized transactions; or, (3) investigating fraud which has already taken place. The information is not provided to these companies for marketing purposes.
COOKIES The Site may use cookie and tracking technology depending on the features offered. Cookie and tracking technology are useful for gathering information such as browser type and operating system, tracking the number of visitors to the Site, and understanding how visitors use the Site. Cookies can also help customize the Site for visitors. SECURITY All collected information is stored in a technically and physically secure environment. While we use SSL encryption to protect Sensitive Information online, we also do everything in our power to protect PII (including Sensitive Information) off-line. Unfortunately, no data transmission over the Internet can be guaranteed to
be 100% secure. As a result, while we strive to protect our end-users' personal information, we cannot ensure or warrant the security of any information that you transmit to us, and you do so at your own risk. ACCESSING AND UPDATING PERSONAL INFORMATION When you use our services, we make good faith efforts to provide you with access to your personal information and either to correct this data if it is inaccurate or to delete such data at your request if it is not otherwise required to be retained by law or for legitimate business purposes. We ask individual users to identify themselves and the information requested to be accessed, corrected or removed before processing such requests, and we may decline to process requests that are unreasonably repetitive or systematic, require disproportionate technical effort, jeopardize the privacy of others, or would be extremely impractical, or for which access is not otherwise required. In any case where we provide information access and correction, we perform this service free of charge, except if doing so would require a disproportionate effort. Some of our services have different procedures to access, correct or delete users' personal information. We do retain personal information from closed accounts to comply with law, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce our policies and take other actions otherwise permitted by law. THIRD PARTIES We provide links to Web sites outside of our web sites, as well as to third party Web sites. These linked sites are not under our control, and we cannot accept responsibility for the conduct of companies linked to our website. Before disclosing your personal information on any other website, we advise you to examine the terms and conditions of using that Web site and its privacy statement. CHANGES AND AMENDMENTS & NOTIFICATION OF CHANGES iscan Online, Inc.
reserves the right to change or update this Privacy Policy at any time by posting a clear and conspicuous notice on the Website explaining that we are changing our Privacy Policy. All Privacy Policy changes will take effect immediately upon their posting on the Website. Please check the Website periodically for any changes. Your continued use of the Website and/or acceptance of our e-mail communications following the posting of changes to this Privacy Policy will constitute your acceptance of any and all changes.

Amazon EC2 Service Level Agreement Effective Date: October 23, 2008 This Amazon EC2 Service Level Agreement ("SLA") is a policy governing the use of the Amazon Elastic Compute Cloud ("Amazon EC2") under the terms of the Amazon Web Services Customer Agreement (the "AWS Agreement") between Amazon Web Services, Inc. ("AWS", "us" or "we") and users of AWS services ("you"). This SLA applies separately to each account using Amazon EC2. Unless otherwise provided herein, this SLA is subject to the terms of the AWS Agreement and capitalized terms will have the meaning specified in the AWS Agreement. We reserve the right to change the terms of this SLA in accordance with the AWS Agreement. Service Commitment AWS will use commercially reasonable efforts to make Amazon EC2 available with an Annual Uptime Percentage (defined below) of at least 99.95% during the Service Year. In the event Amazon EC2 does not meet the Annual Uptime Percentage commitment, you will be eligible to receive a Service Credit as described below. Definitions Service Year is the preceding 365 days from the date of an SLA claim. Annual Uptime Percentage is calculated by subtracting from 100% the percentage of 5 minute periods during the Service Year in which Amazon EC2 was in the state of Region Unavailable. If you have been using Amazon EC2 for less than 365 days, your Service Year is still the preceding 365 days but any days prior to your use of the service will be deemed to have had 100% Region Availability. Any downtime occurring prior to a successful Service Credit claim cannot be used for future claims. Annual Uptime Percentage measurements exclude downtime resulting directly or indirectly from any Amazon EC2 SLA Exclusion (defined below). Region Unavailable and Region Unavailability means that more than one Availability Zone in which you are running an instance, within the same Region, is Unavailable to you.
Unavailable means that all of your running instances have no external connectivity during a five minute period and you are unable to launch replacement instances. The Eligible Credit Period is a single month, and refers to the monthly billing cycle in which the most recent Region Unavailable event included in the SLA claim occurred. A Service Credit is a dollar credit, calculated as set forth below, that we may credit back to an eligible Amazon EC2 account. Service Commitments and Service Credits If the Annual Uptime Percentage for a customer drops below 99.95% for the Service Year, that customer is eligible to receive a Service Credit equal to 10% of their bill (excluding one-time payments made for Reserved Instances) for the Eligible Credit Period. To file a claim, a customer does not have to wait 365 days from the day they started using the service or 365 days from their last successful claim. A customer can file a claim any time their Annual Uptime Percentage over the trailing
365 days drops below 99.95%. We will apply any Service Credits only against future Amazon EC2 payments otherwise due from you; provided that, we may issue the Service Credit to the credit card that you used to pay for Amazon EC2 for the billing cycle in which the error occurred. Service Credits shall not entitle you to any refund or other payment from AWS. A Service Credit will be applicable and issued only if the credit amount for the applicable monthly billing cycle is greater than one dollar ($1 USD). Service Credits may not be transferred or applied to any other account. Unless otherwise provided in the AWS Agreement, your sole and exclusive remedy for any unavailability or non-performance of Amazon EC2 or other failure by us to provide Amazon EC2 is the receipt of a Service Credit (if eligible) in accordance with the terms of this SLA or termination of your use of Amazon EC2. Credit Request and Payment Procedures To receive a Service Credit, you must submit a request by sending an e-mail message to aws-sla-request@amazon.com. To be eligible, the credit request must (i) include your account number in the subject of the e-mail message (the account number can be found at the top of the AWS Account Activity page); (ii) include, in the body of the e-mail, the dates and times of each incident of Region Unavailable that you claim to have experienced including instance ids of the instances that were running and affected during the time of each incident; (iii) include your server request logs that document the errors and corroborate your claimed outage (any confidential or sensitive information in these logs should be removed or replaced with asterisks); and (iv) be received by us within thirty (30) business days of the last reported incident in the SLA claim.
If the Annual Uptime Percentage of such request is confirmed by us and is less than 99.95% for the Service Year, then we will issue the Service Credit to you within one billing cycle following the month in which the request occurred. Your failure to provide the request and other information as required above will disqualify you from receiving a Service Credit. Amazon EC2 SLA Exclusions The Service Commitment does not apply to any unavailability, suspension or termination of Amazon EC2, or any other Amazon EC2 performance issues: (i) that result from a suspension described in Section 6.1 of the AWS Agreement; (ii) caused by factors outside of our reasonable control, including any force majeure event or Internet access or related problems beyond the demarcation point of Amazon EC2; (iii) that result from any actions or inactions of you or any third party; (iv) that result from your equipment, software or other technology and/or third party equipment, software or other technology (other than third party equipment within our direct control); (v) that result from failures of individual instances not attributable to Region Unavailability; or (vi) arising from our suspension and termination of your right to use Amazon EC2 in accordance with the AWS Agreement (collectively, the "Amazon EC2 SLA Exclusions"). If availability is
impacted by factors other than those explicitly listed in this agreement, we may issue a Service Credit considering such factors in our sole discretion.