POSTX PRODUCT SUMMARY & CORPORATE OVERVIEW




TABLE OF CONTENTS

Introduction to PostX
PostX Platform Overview
SecureEmail Highlights
PostX Architectural Overview
Delivery Models
Deployment Options
Scalability & Performance
High Availability
Administration
Security
Extensibility
Appendix A: Business Overview
Appendix B: PostX Customers
Appendix C: Industry and Analyst Acknowledgements

INTRODUCTION TO POSTX

In 1996, just as the Internet began to expand at a phenomenal rate, PostX founders envisioned that email would become the preferred channel for business communication. They recognized the need for software to enable secure email exchanges between a business and its customers, software that worked with all email systems and operating systems. And so PostX was launched.

In 1998, after eighteen months of engineering effort, PostX released Version 1.0 of the PostX Envelope, an innovation that was awarded U.S. Patent 6,014,688. The PostX Envelope uses embedded executable software to authenticate, decrypt, and present secured content to the email recipient.

Later that same year, when the United States Postal Service wanted to extend federal protection to First Class Mail delivered electronically, PostX played a key role in developing the USPS Electronic Postmark System. That experience provided PostX with the insight and tools required to move swiftly to commercial implementation.

Charles Schwab was among the first major firms to utilize PostX technology. Early in 2000, Schwab began emailing 401K statements to customers using PostX Envelopes. Schwab used email delivery of statements initially to create market differentiation and deepen customer relationships. Once PostX software was installed, Schwab discovered real savings - email delivery eliminated the time, energy and money spent preparing and delivering paper statements.

Growing Reputation

In 2001, PostX released the PostX Messaging Application Platform, the only enterprise-class secure messaging solution available today. Its open J2EE architecture meets volume, performance, and redundancy requirements with maximum reliability. The PostX Messaging Application Platform could be deployed across multiple servers in clustered or load-balanced configurations to support the delivery of millions of documents per month.

In 2002, Mayo Clinic selected PostX to ensure the privacy of confidential medical communications. Many patients had wanted to communicate with Mayo using email rather than telephone, but privacy considerations and HIPAA regulations made it impossible to use regular, unsecured emails. Additionally, doctors and researchers needed to exchange confidential information in emails. The PostX Messaging Application Platform not only met Mayo's need for secure communications but did so while conforming to HIPAA regulations.

By October of 2002, the U.S. Patent Office had awarded PostX a total of four patents, further solidifying its leadership position in secure email technology.

As the secure email market matured, PostX released PostX WebSafe to meet secure online message center requirements. In 2003 JPMorgan Chase selected PostX technology for the launch and maintenance of their Chase Message Center. In a recent survey of U.S. banks, Livermore Research concluded that the Chase Message Center was the Gold standard for functionality in a message center. And Gomez gave Chase top place in their ranking of credit card customer service sites.

In 2004 PostX implementations included AT&T Wireless, who selected PostX to deliver monthly invoices to subscribers, ABN AMRO, and Marsh, Inc. In 2004, IBM selected PostX as a Premier partner and signed a global marketing teaming agreement for Banking and Insurance. The first joint customer for the partnership, Royal Bank of Scotland, launched their online message center, built on PostX WebSafe, in the fourth quarter of 2004.

Also in 2004, PostX led the establishment of the TECF, an industry consortium focused on efforts to eliminate the phishing and spoofing attacks that can cause identity theft and brand distrust. With Shawn Eldridge of PostX as acting chairman, TECF membership includes over 45 companies from around the world.
Since the beginning of the year, PostX has received over 300 mentions in publications including Wall Street Journal, Wired, Newsweek, InfoWorld, eWeek, PC World, USA Today, and the San Jose Mercury News.

PostX Today

Current customers include Aetna, American Family Insurance, Aon, Allstate Insurance, Citibank, Hertz Corporation, Putnam Investments, Mercy Health Partners, the University of Louisville, Friends Provident and HSBC, among others. Already established as the vendor of choice for leading institutions in the financial services, telecommunications, insurance and health care industries, PostX is poised to expand its secure email capabilities into new markets.

POSTX PLATFORM OVERVIEW

The PostX Messaging Application Platform provides an integrated trusted communication framework flexible enough to solve the complete range of secure messaging requirements. PostX Messaging Application Platform is the only enterprise-class secure messaging solution available today. Its open J2EE architecture satisfies volume, performance, and redundancy requirements with maximum reliability. It can be deployed across multiple servers in clustered or load-balanced configurations to support the delivery of millions of documents per month.

PostX Messaging Application Platform integrates seamlessly into your application and IT environment. It is supported on multiple platforms (including Sun Solaris, AIX, Windows, and Linux), databases (including DB2, Oracle, and MS SQL), and application servers (including WebSphere, WebLogic, and JBoss).

PostX offers three solutions built on the PostX Messaging Application Platform:

- PostX SecureEmail enables enterprises to secure internal and external email communications by providing secure point-to-point delivery of email messages. PostX SecureEmail delivers secure messages to any email inbox, regardless of the desktop platform or email client, and no special software is required to view the document.
- PostX SecureDocument creates and securely delivers personalized electronic customer communications. Documents, such as statements and invoices, traditionally delivered by the postal service can be delivered securely to customers' email inboxes. By consolidating information from multiple databases, legacy systems, and third-party data sources, PostX creates targeted personalized documents. Embedded hyperlinks enable customers to navigate directly to information and services available in the company's Internet portal.
- PostX InteractionHub provides a powerful platform for customers to manage their online interactions and communications to the customer service center. Its extensible, open framework can be tightly integrated with in-house systems, such as Epoch, Customer Relationship Management (CRM), single sign on, authentication, and messaging systems to provide a customized solution to secure messaging requirements.
Universal reach and delivery

PostX is the only solution which integrates patented push, pull and traditional certificate encryption schemes into a single product platform. PostX provides push delivery, which delivers encrypted email directly to the customer's inbox. It also provides pull delivery, where messages are stored centrally and viewed by recipients through a secure website. Additionally, PostX supports S/MIME or OpenPGP for enterprises using Public Key Infrastructure (PKI) or OpenPGP certificates. PostX solutions can be configured to automatically select the appropriate delivery method for each message.

PostX ensures that security does not come at the expense of accessibility. PostX patented technology delivers secure messages to any email inbox regardless of the computer platform or email client. PostX messages work on PCs, Macs, and Unix workstations. And, whether the recipient uses a desktop email application, such as Outlook or Notes, or a Web-based email system, such as AOL or Yahoo, no special software is needed to receive and read PostX messages.

SECURE EMAIL HIGHLIGHTS

Today's customers increasingly seek access to business services through the Internet. By offering online access to services and information, enterprises not only reduce costs but also enhance customer loyalty and satisfaction. It is not enough, however, to promote e-mail as the preferred channel for business communication. Email messages containing sensitive or confidential data must be encrypted and delivered securely to protect privacy and comply with regulatory requirements. Regulations such as:

- HIPAA (Health Insurance Portability and Accountability Act)
- Gramm-Leach-Bliley Act
- Sarbanes-Oxley Act
- European Privacy Initiative
- NASD 3010
- Patriot Act
- SEC Rule 17

affect both profit and not-for-profit companies in all industry sectors. Additionally, communications intended for private use, such as executive correspondence and exchanges concerning personnel, legal, and merger and acquisition matters, must be protected.

IT organizations have already invested significant time and resources to build robust email infrastructures that include components such as email servers, virus scanning, and spam filtering. Secure email is still one more component that must be implemented to work within the existing infrastructure, yet without creating an additional administrative burden.

PostX SecureEmail is the complete solution to securing email communications with customers, partners, and providers, enabling enterprises to:

- Ensure compliance - With PostX SecureEmail, sensitive messages are handled in compliance with regulations.
- Improve customer service - PostX SecureEmail makes it easy for customers to communicate securely using the channels that they prefer.
- Reduce costs - By migrating phone volume to email, PostX SecureEmail enables enterprises to reduce operating expenses.

[Figure: Secure Messaging Infrastructure. Labels: PostX WebSafe, PostX Envelope, Groupware Email Servers (Exchange, Domino, etc.), PostX SecureEmail, PostX Certificate Repository, S/MIME, OpenPGP]

As the only enterprise-class secure messaging solution available today, PostX offers unique capabilities:

- PostX is the only solution which integrates patented push, pull and traditional certificate encryption schemes into a single product platform.
- PostX has the broadest production experience on the largest, most comprehensive, longest running deployments of secure messaging in the industry.
- PostX provides superior policy management capabilities to dynamically route and send messages based on sender, recipient or message attributes through predetermined secure delivery mechanisms.
- PostX offers robust authentication options including a comprehensive enrollment system, support for LDAP lookup, single sign-on and directory chaining.

The open architecture of PostX SecureEmail satisfies volume, performance, and redundancy requirements with maximum reliability. It can be deployed across multiple servers in clustered or load-balanced configurations to support the delivery of millions of documents per month. And it is fully flexible to meet future requirements across the entire spectrum of secure messaging applications. For example, JPMorgan Chase uses PostX to provide secure customer service to a recipient community of over 30 million customers, while Charles Schwab offers secure email delivery of 401K statements to over 8 million customers.

Point-to-point secure messaging

Email has become the preferred channel for business communication. But e-mail messages containing sensitive or confidential data must be encrypted and delivered securely to protect privacy and comply with regulations. PostX SecureEmail provides secure point-to-point delivery of messages to any email inbox, without requiring the recipient to install any special software.

No client software

PostX ensures that security does not come at the expense of accessibility.
PostX SecureEmail guarantees that your customers and business partners will be able to open secure emails from any email platform on any operating system without installing new software on their desktops. This solution works like regular email; recipients do not need to follow a link back to view secure messages.

Reach

At the core of all PostX technology is a cross-platform guarantee. Both the server-side and the recipient-side technologies are designed from their cores to work in all major distributed IT environments. The delivery technology is entirely email client and platform-agnostic. This assures that a message sent to a user using Windows will work as flawlessly as one sent to a Mac or Linux user, and will work equally well on AOL, Outlook, Lotus Notes, Yahoo! mail, or Microsoft Hotmail. No advance knowledge of the email client is required of the sender, greatly simplifying the secure messaging application. PostX Secure Delivery methods make secure messaging work as simply as normal email, with the expectation that no advance recipient-system knowledge is available.

POSTX MESSAGING APPLICATION PLATFORM

The heart of the PostX software platform is the PostX Messaging Application Platform. As the name implies, the platform is the core for messaging applications that currently include:

- Secure email
- Customer Interaction Hub
- Electronic delivery and composition of systematic messages such as statements, bills, or notifications.

The platform is built on a standards-compliant J2EE code-base that provides comprehensive extensibility and configurability options. This overview discusses only the SecureEmail application, which is core to the other two. Within SecureEmail, the application platform provides:

- Flexible policy engine
- Multiple secure delivery options including web-portal based (pull) and standard inbox delivery (push) methods
- Broad spectrum of deployment and configuration options
- Secure administration

Further, the software provides for both vertical and horizontal scaling, high availability, and extensibility for the future. The following sections are provided to give insight into all of the options available through the PostX server.

Policy Engine

Message Filters

The policy engine receives MIME messages from a variety of sources, primarily SMTP and JMS. The PostX policy engine determines the correct delivery mechanism and branding to be used for each email. For example, some recipients should receive S/MIME email while others will choose a different delivery mechanism such as PostX Envelopes. Mail that is not sensitive can be forwarded in the clear. The PostX policy engine can filter the email using a number of filtering options:

a. Standard Message Filters
   i. Headers: Senders, Recipients, Subjects (keywords / regular expressions), and X-Headers
   ii. Attributes: Message size, attachment presence/types/names, etc.
b. Lookup Filter
   i. Connects with LDAP directories or Databases (via JDBC) to identify sender / recipient attributes
c. S/MIME and OpenPGP Filters
   i. Designed specifically to identify S/MIME or OpenPGP
d. Content Filter
   i. Can identify nearly any content within a message based on keywords or regular expressions.
   ii. Supports scoring and thresholds
   iii. Message component inspection options:
      1. Headers
      2. Message Body
      3. Attachments (including zip, rar, jar, tar, etc.)
e. pymatchers
   i. Fully scriptable (using the scripting language Python) via the UI (no recompilation required)
   ii. Allows for completely programmable filters to address complex or unanticipated Matcher requirements
   iii. Can also modify messages (any type of transformation is possible)

These policies often are combined to achieve specific effects. By using these policies PostX can direct email delivery and branding based on who the sender is, the sender or recipient's domain, whether the recipient is using S/MIME or OpenPGP, the size and type of attachments, or many other available options. In addition, upstream agents can add custom X-Headers to force specific treatment by the PostX engine.

Anti-Spam and Anti-Virus Integration

PostX works with a number of OEM partners to provide integrated solutions which then are marketed by those partners. Publicly announced partners include CipherTrust, Ironport, SendMail and Proofpoint. Each of these partners has unique capabilities that derive from their analysis of the content of messages. Rather than duplicate this analysis, some customers choose to have the partner's system forward messages requiring encryption to PostX. PostX then applies policies to determine which delivery mechanism is most appropriate. Email does not get scanned twice, greater performance is achieved and the PostX solution can be optimized for encryption, branding and delivery.

DELIVERY MODELS

Authentication Options

Whatever delivery mechanism is chosen, the next step in the secure messaging process is authentication of the recipient. If our customer already has a relationship with the recipient, as in the case with a recipient where member ID, social security number and other information is already stored, it may be desirable to use that information for authentication credentials when email is accessed.
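The message-filter policy described under Policy Engine above (an upstream X-Header override, content scoring against a threshold over subject, body and attachments, then a per-recipient choice of delivery method) can be sketched as follows. This is an added Python example, not PostX code or its pymatcher interface; the rule patterns and weights, the `X-Example-Secure` header, the `partner.example` certificate list and the 2 MB push limit are assumptions, and the `sample` helper builds constructed messages.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed scoring rules (pattern, weight); not PostX's rule syntax.
CONTENT_RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), 5),                  # SSN-shaped number
    (re.compile(r"\bpatient\s+id\b", re.I), 3),
    (re.compile(r"\b(confidential|account\s+number)\b", re.I), 2),
]
SCORE_THRESHOLD = 5                    # at or above: treat the message as sensitive
PUSH_SIZE_LIMIT = 2 * 1024 * 1024      # assumed cut-over from push to pull delivery
SMIME_DOMAINS = {"partner.example"}    # hypothetical: domains with a known certificate
OVERRIDE_HEADER = "X-Example-Secure"   # hypothetical X-Header set by an upstream agent


def text_parts(msg):
    """Yield the subject plus the decoded text of the body and text attachments."""
    yield str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def content_score(msg):
    """Add the weight of every rule that matches anywhere in the message."""
    texts = list(text_parts(msg))
    return sum(w for p, w in CONTENT_RULES if any(p.search(t) for t in texts))


def is_sensitive(msg):
    if str(msg.get(OVERRIDE_HEADER, "")).strip().lower() == "yes":
        return True                    # upstream agent forces secure treatment
    try:
        return content_score(msg) >= SCORE_THRESHOLD
    except (LookupError, UnicodeError):
        return True                    # a part could not be decoded: fail closed


def route(raw):
    """Return {recipient address: delivery method} for one raw MIME message."""
    msg = message_from_string(raw, policy=policy.default)
    sensitive = is_sensitive(msg)
    too_big = len(raw.encode("utf-8")) > PUSH_SIZE_LIMIT
    decisions = {}
    for header in ("To", "Cc"):
        for addr in (msg[header].addresses if msg[header] else ()):
            if not sensitive:
                method = "clear"       # not sensitive: forward unencrypted
            elif addr.domain.lower() in SMIME_DOMAINS:
                method = "smime"       # recipient has a certificate on file
            elif too_big:
                method = "websafe"     # too large to push: hold for pull
            else:
                method = "envelope"    # default push delivery
            decisions[addr.addr_spec] = method
    return decisions


def sample(to, subject, body, attachment=None, override=False):
    """Build a constructed message and return it as raw text."""
    m = EmailMessage()
    m["From"] = "agent@bank.example"
    m["To"] = to
    m["Subject"] = subject
    if override:
        m[OVERRIDE_HEADER] = "yes"
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment, filename="notes.txt")
    return m.as_string()


if __name__ == "__main__":
    raw = sample("alice@mail.example, bob@partner.example",
                 "Your statement", "Confidential: patient ID 4471 attached.")
    print(route(raw))
```

Treating an undecodable part as sensitive keeps a malformed message from slipping through in the clear, and scoring the attachment text as well as the body closes the obvious bypass of moving the data into a file.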
If the recipient's information is unavailable through any existing lookup, the customer will need to enroll the new recipient and set up authentication credentials. The PostX architecture provides for a number of authentication schemes and approaches, and some customers use multiple solutions.

PostX embeds a default authentication database to store recipient credentials. While this database is capable of handling credentials for large user groups, many customers already have databases or directories containing user information and don't want to build a duplicate store.

It is common for the PostX authentication module to access existing customer directories using LDAP lookups. Although LDAP lookups are frequently used for employees, customers are often unwilling to add large numbers of external users to their corporate directories.

For some customers, information about many recipients is already stored internally in a database. When available, user-specific data such as patient identification or other information can be used for authentication of the recipient. PostX, through Java Database Connectivity (JDBC), can access this information and use it for authentication.

In fact, several pieces of information might be used to create multiple-password authentication. For example, a user might be requested to provide a 10-digit phone number, a 5-digit zip code, as well as a patient ID to access secure email.

These credential lookup methods are not mutually exclusive. The PostX Messaging Application Server allows the customer to chain or cascade multiple authentication lookup methods if required. For example, a credential search could first look in the internal LDAP directory; if unsuccessful, scan customer information databases; and if no match exists there, search the default PostX database for ad hoc recipients. Furthermore, just as delivery and branding can be based on policy, authentication lookups can also be rules-driven.

Enrollment

One of the most valuable features of the PostX system is that messages may be sent without prior enrollment by the recipient, or even prior knowledge of the delivery method preferred by the recipient. The policy toolkit supporting user enrollment and authentication is rich enough to support nearly any desired protocol, or even several protocols on the same system depending on policy.

To handle these new recipients, the PostX Messaging Application Server includes a sophisticated and easily extensible Enrollment Manager. Secure messaging users can be pre-enrolled, or first communications with new recipients can initiate an enrollment process. The PostX Enrollment Manager includes built-in default enrollment functionality, or it can integrate with an existing customer enrollment system.

In the Envelope delivery method, when the PostX server cannot find a recipient in an existing enrolled user directory, the secure email is queued and an enrollment request is sent to the new user. PostX polls for a successful enrollment, releasing the secure email from queue when the enrollment process is complete.
The PostX WebSafe (web-based pull method) process is similar, but the message is released from queue into the user's WebSafe mailbox after successful enrollment.

By default, the enrollment process sends a clear-text enrollment message to the user. The recipient receives the enrollment message inviting them to enroll in order to receive or open an encrypted email.
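The cascaded credential lookup and the queue-until-enrolled flow described above can be sketched together as follows. This is an added Python example, not PostX code: the `Store` and `Gateway` classes are hypothetical in-memory stand-ins for the LDAP directory, customer database and default database, release happens directly on enrollment rather than by polling, and stopping at the first store that knows the address (so a wrong password there does not fall through to a later store) is a design choice of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Store:
    """Stand-in for one credential source (LDAP directory, JDBC database, default DB)."""

    def __init__(self, name):
        self.name = name
        self._users = {}

    def add(self, address, password):
        salt = os.urandom(16)
        self._users[address.lower()] = (salt, derive(password, salt))

    def lookup(self, address):
        """Return (salt, digest), or None when this store does not know the address."""
        return self._users.get(address.lower())


class Gateway:
    def __init__(self, chain, enrollment_store):
        self.chain = chain                        # stores, searched in order
        self.enrollment_store = enrollment_store  # must also appear in the chain
        self.queue = {}                           # address -> messages awaiting enrollment
        self.outbox = []                          # (address, payload) pairs "sent"

    def find(self, address):
        """Return (store name, record) from the first store that knows the address."""
        for store in self.chain:
            record = store.lookup(address)
            if record is not None:
                return store.name, record
        return None

    def authenticate(self, address, password):
        """Return the name of the store that authenticated the user, else None."""
        found = self.find(address)
        if found is None:
            derive(password, b"\x00" * 16)        # comparable work for unknown addresses
            return None
        name, (salt, digest) = found
        # A wrong password in the first matching store is final: no fall-through.
        ok = hmac.compare_digest(derive(password, salt), digest)
        return name if ok else None

    def send_secure(self, address, message):
        key = address.lower()
        if self.find(key) is not None:
            self.outbox.append((key, message))
            return "delivered"
        if key not in self.queue:                 # one enrollment request per recipient
            self.outbox.append((key, "ENROLLMENT REQUEST"))
        self.queue.setdefault(key, []).append(message)
        return "queued"

    def enroll(self, address, password):
        """Store the new credential and release every queued message."""
        key = address.lower()
        self.enrollment_store.add(key, password)
        released = self.queue.pop(key, [])
        self.outbox.extend((key, m) for m in released)
        return len(released)


if __name__ == "__main__":
    ldap, customers, default = Store("ldap"), Store("customers"), Store("default")
    ldap.add("emp@corp.example", "constructed-password")
    gw = Gateway([ldap, customers, default], default)
    print(gw.send_secure("new@mail.example", "statement"))   # queued
    print(gw.enroll("new@mail.example", "chosen-password"))  # 1
```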

The text of the messages is completely customizable and can be different for every delivery mechanism. For cases where OpenPGP or S/MIME may be in use, the message might include a request to return a signed email to an email address at the PostX server, where PostX can harvest the intended recipient's OpenPGP or S/MIME certificates. Once harvested, the certificate is used to encrypt and sign secure messages to the newly enrolled recipient.

The recipient clicks on the message link and enrolls using a PostX secure enrollment web application. The enrollment form asks for name, a password (hidden and confirmed), and the answer to one of five challenge questions such as mother's maiden name or favorite book. This default method is the easiest to maintain and provides the highest level of self-service. This method assumes that the original email is correctly addressed and that the original enrollment notification arrived safely to the intended recipient.

To further secure the process, the enrollment engine is commonly modified with additional recipient verification functionality. This verification might ask the recipient to enter a PIN number from the sender that is obtained through other means (phone or IM) or to answer questions specific to the recipient. One part of our professional service is to advise the customer in selecting the most appropriate enrollment approach.

Once the recipient is known, PostX has the flexibility to deliver the message according to customer policies or recipient preferences.

Push & Pull

Not every secure delivery mechanism can fit all end-user recipients. Some users are more technologically sophisticated than others. Some have high bandwidth connections while others have dial-up. Some were early adopters of secure email and have their own solutions in place, while the majority of users do not. It is PostX policy to support relevant, standard delivery options (such as S/MIME and OpenPGP).
In addition, PostX provides unique delivery options that are more flexible and extensible than legacy options while retaining a standards-compliant base.

The two basic delivery strategies are delivering a message directly to the end user (push) or holding the message in a web-based email system for the user to view via the web (pull). PostX provides both options.

Pull (or Web mail) solutions are browser-based email infrastructures, similar to Yahoo! or Hotmail, that allow users to exchange information securely while in the browser environment. They often are integrated with existing customer Web portals. Advantages of the pull approach include:

- The interfaces can be similar to Hotmail or Yahoo and may be familiar to the end user.
- The Web mail site and the corporate web site can be tightly integrated so the user experience is one of a single web site.
- Web mail can be a better experience if very large (many megabyte) statements or attachments are required.
- The sending company fully controls storage, expiration and access control for the email. This can be a benefit or a disadvantage, depending on circumstances. The benefits are largely control and management-related. (See disadvantages below)
- Provides unrestricted reach to all recipients who can access web browsers.

Some of the disadvantages to pull delivery methods are:

- The Web mail site represents yet another place for the user to receive mail.
- The user must be online to read email.
- You become responsible for storing your customers' messages, including retention policies, backup and high availability storage. Depending on archival and retention policies, storage costs could become a major factor.
- The web portal becomes another access to the corporate site for hackers. Care needs to be taken to secure this server as with other email servers and web servers.
- There may be legal liabilities that derive from your access to your users' mail.

With push delivery, email is encrypted at the sender's site (on a gateway or on the desktop of the sender) then shipped to the recipient. Once delivered, email is opened and decrypted at the recipient's desktop.
Common advantages to the push delivery method include:

- The sender and the sender's site do not need to maintain or store the email. The recipient assumes that responsibility.
- Customer friendly: analysts have stated that 70-80% of customers would rather receive communications addressed to and accessible in their existing email inboxes.
- Most familiar: the push delivery method is the most analogous to the US Postal Service experience.
- The user can maintain a single email location to open all emails.
- Depending on the solution, each email can be branded to represent the sending company's look and feel.
- Depending on the delivery model, email can be read without being connected to the internet.

Disadvantages of the push methods include:

- Difficulties in handling very large emails/attachments: ISP email systems frequently limit emails to 2 to 10MB.

- Different push options provide different levels of security. Selected option should be carefully matched to the security requirements of the payload.
- Password or certificate management can be cumbersome if a true offline solution is selected.
- There are a very small number of recipients who may not be able to receive PostX Envelopes. This could occur in very restrictive environments where all HTML attachments are stripped. This is rare.
- With the OpenPGP and S/MIME delivery models the recipient must have the ability to obtain and install the appropriate software and certificates. PostX does not provide OpenPGP client software or S/MIME certificate authority services.
- Outside users cannot generally initiate an email conversation and can only act as receivers. Some solutions provide the ability to securely reply to incoming secure emails. Full-featured solutions provide a web interface that allows recipients to initiate a secure communication.

It is possible to use pull and push methods together. In fact, most organizations eventually discover that they need both delivery methods to solve their business issues. The ability to use both push and pull depends on the integration of the selected applications. For example:

- Do the products share enrollment and authentication databases and procedures?
- Is there a common rules engine that can select delivery method based on matching criteria like domain, attachment size and source application?
- Is a hybrid approach the most appropriate (ex: a monthly statement with single click online access to the check archive)?

Because PostX provides both push and pull solutions -- built on a common code base with shared enrollment, content filtering, authentication, storage and archiving mechanisms -- integration between the PostX solutions is seamless.

S/MIME and OpenPGP Options

PostX also offers multiple methods of push depending on requirements.
These include:
- S/MIME Gateway to Gateway
- S/MIME Gateway to Desktop
- OpenPGP Gateway to Gateway
- OpenPGP Gateway to Desktop
- PostX Envelopes

S/MIME and OpenPGP are long established methods of sending email using asymmetric key encryption technology. The PostX S/MIME Adapter utilizes RSA standardization. S/MIME (Secure / Multipurpose Internet Mail Extensions) is a protocol that adds digital signatures and encryption to Internet MIME (Multipurpose Internet Mail Extensions) messages described in RFC 1521. OpenPGP is a similar email encryption standard, described in IETF RFC 2440.

In a gateway-to-gateway scenario, PostX can encrypt messages using a site key to another email domain that will accept the messages from the PostX site, decrypt the messages, and deliver them in the clear to the end user. This method is very effective for B2B or partner communications.

Using S/MIME or OpenPGP to the desktop, the sender must have the receiver's public key to encrypt (to be decrypted by the recipient's private key). Similarly, the recipient needs the sender's public key to reply. As the number of senders and recipients grows, the number of key pairs that each participant must maintain can become overwhelming. This key management responsibility, along with the need to install and maintain desktop client software, has limited the adoption of both S/MIME and OpenPGP.

In the gateway-to-desktop model, PostX proxies for the participant inside the gateway. That is, encryption and decryption are done at the PostX gateway using a public/private keypair generated and maintained by the PostX engine on the internal participant's behalf. The experience for the external participant is the same as if the internal participant held the keypair. On the other hand, the internal participant need not be aware of the specific protocol used for the message. He just pushes the Send or Send Secure button as usual and the gateway manages the details.

Similarly, the PostX gateway can maintain a directory of external keys. At enrollment time, the PostX system can harvest keys from inbound mail. The centralized management of keys can significantly reduce the complexity of interoperating with external users who have established S/MIME or OpenPGP requirements.

While the PostX enhancements to S/MIME and OpenPGP usability can make support for an existing implementation easier, our experience is that adoption continues to be slow due to issues intrinsic to the administrative challenges. Among these are:
- Issues with maintaining certificates, including revocation and reissue management
- Lack of support for either technology in all major web-based mail portals (AOL, Yahoo, MSN, etc.)
- Fear of complexity and management overhead based on "war stories"
- Difficulty in setting up and maintaining desktop client configurations

For these reasons, PostX has developed its own secure delivery technologies designed to meet two key requirements: no client software requirements and universal reach to all email clients.

PostX Envelope and SecureReply (with user experience)

PostX provides a user and administrator-friendly delivery method, the PostX Envelope. This envelope is targeted to the majority of users that have never used secure email and may not have the software or desire to utilize it. To open an Envelope, the end user only requires a standard browser and the ability to authenticate.

The sender experience is transparent from the beginning. There is no need to acquire or maintain a personal certificate or certificates for intended recipients. The sender simply sends messages using any email client just as with non-secure email. The PostX server handles decisions on encryption and delivery automatically and transparently. The server determines the encryption and delivery methods depending on policies and recipient requirements.

Using the PostX Envelope, the recipient needs no certificates or additional plug-in software. For both the sender and recipient, the PostX Envelope greatly reduces the startup requirements for email encryption since certificate management and software downloads are not required.

The encrypted email arrives as an in-the-clear email with an HTML attachment that includes an encrypted payload containing the original email text and attachments. The clear email text is fully configurable and normally instructs the recipient on entering password information to decrypt the HTML attachment. An example of such a message is seen below.

The attachment can be opened with any standard browser that will ask the recipient for authentication credentials. The screen shot shown below shows a typical authentication using a single password. As mentioned previously, PostX also supports the use of multiple passwords or other authentication schemes. The external envelope view and text messages can be customized for each delivery option.

After entering the correct authentication, the email is decrypted and presented as in the following screen.

As can be seen below, attachments are completely supported with the envelope.

As can be seen above, the user may be offered (as an option, configurable by the PostX administrator) any or all of the email response functions shown: Secure Reply, Secure Reply to All, and Secure Forward. These buttons provide a secure link (SSL) back to the PostX server displaying a page for composing secure email. This interface supports attachments. The PostX server transforms the compose page into a MIME email, which is scanned for encryption handling as with any message going to the PostX server. The Secure Reply screen is shown below:

Additionally, PostX can provide the ability for enrolled external users to initiate email securely. PostX SecureCompose provides this functionality via a link on a customer web site or portal. After a user selects the 'Contact Us' link (see example below) and completes the authentication process, PostX SecureCompose launches a browser-based email form. After the user completes the inquiry, a click of the 'Send Secure' button sends the email to PostX SecureCompose using HTTPS, where it is securely forwarded to the intended recipient.

An example of SecureCompose is shown below:

Additional PostX Envelope Functionality

The PostX Envelope provides additional functionality beyond other push methods. As an example, the PostX push method is more efficient than many competing technologies. PostX Envelopes include the decryption code in the secure HTML attachment. The result is that no client software outside a common browser is required to open and decrypt the secure message. Further, the secure message will, under almost all circumstances, decrypt without server intervention.

Other vendor solutions use a technique best described as "triple trip" to provide push delivery without client side software. In a triple trip solution, the recipient establishes an SSL connection to a server that decrypts the message and renders it back to the user's display. Triple trip significantly increases the resources required on the server and networking infrastructure, since the data is transferred three times (once on initial send and a round trip for rendering), and will generally be slower than local decryption. PostX supports triple trip as a fallback method, gracefully degrading if client setup does not allow local decryption.

PostX Envelopes can be encrypted using RC-4 or AES encryption. Both are well known and proven encryption algorithms. Proprietary technologies do not have a proven track record, introducing questions about future support and viability. Using an industry-recognized standard mitigates such risks.

PostX Envelope Online Authentication/Offline Authentication

Envelope using Online Authentication -- For most customers interested in message tracking, the PostX Envelope using Online Authentication is the best choice. With this implementation, a random key is generated for each message, or Envelope. Technically known as a session key because it is used only once, the key is used for decrypting the envelope and stored in the PostX server (key server). The Envelope is sent to the user without this key.
When the message is opened at the recipient's desktop, the Envelope automatically establishes an SSL connection to the PostX server. Once the authentication has been successfully completed, the server releases the key for decryption and the message is decrypted locally at the recipient's desktop. Unlike triple trip, only the key is transmitted, requiring far fewer resources than shipping the full message three times.

Step 1: PostX Envelope with online authentication sent via SMTP email to the customer's inbox.
Step 2: Customer is authenticated at corporate server and receives key.
Step 3: Message activity logged on corporate server.
Step 4: Decryption and display occur on customer's PC.

This method also provides complete control and tracking of the message. Since the key is required to open the message, the PostX server records that the message has been opened. In addition, the sender of the message can be sent a return receipt that the recipient cannot disable. Further, if a user is unsuccessful opening a message after a specified number of attempts because they are using an incorrect password, the PostX server can lock the message automatically. Only an administrator can unlock the message. Messages can be locked manually at any time by the administrator or sender and/or automatically expired after a defined period of time.

Envelope using Offline Authentication -- The PostX Envelope is also available with Offline user authentication. In this implementation, the session key is encrypted using a hash of the user's credentials, and included in the HTML attachment. As a result, the key need not be requested from the server and only the user's credentials are required to open the message. Because communication with the PostX server is not required for opening, the messages can be opened offline when disconnected from the internet. Offline authentication is typically used when delivering notifications or statements where tracking is not required.

PostX Envelope Tamper Detection Options

Security of the PostX Envelope can be further enhanced with the use of tamper detection technologies. Two such technologies are available and both authenticate the sending domain and the contents of the original email against what has arrived at the recipient's mailbox.
The first option is with the U.S. Postal Service Electronic Postage Stamp, or EPS. Each time an Envelope is sent, the email is checked in, a checksum is taken and a corporate certificate is attached. When the recipient opens the message, the envelope can be verified with the EPS code by clicking on the stamp in the upper right hand corner of the envelope. The USPS charges a fee for each envelope, and promises US government action against anyone tampering with the mail, just as is true with the standard US mail.

Alternately, the PostX EnvelopeSignature can provide similar functionality on the PostX server itself. The following shows an envelope using PostX EnvelopeSignature.

By clicking on "Verify this envelope's signature", the envelope is checked for the signature and content at the PostX server. The following is an example message from the server after the check has been completed.

WebSafe (with user experience)

If the delivery mechanism chosen is pull, the recipient is sent a notification email telling the recipient that email has been received at the web portal and provides a link to the WebSafe environment. An example of the email is shown below. As with the text messages in the PostX Envelope, the message sent with the link is completely configurable.

After clicking the link, the user is taken via a secure connection (https) to the WebSafe web-mail environment. As with the PostX Envelope, the user must authenticate to enter the environment using any number of authentication schemes. A typical environment is seen below and may be customized to reflect the customer's web styles and could be different for different business units. The email can be opened and viewed in a similar fashion to Yahoo! Mail or Hotmail.

DEPLOYMENT OPTIONS

The PostX solution provides deployment flexibility and scalability in a number of ways. One way is in the choice of underlying technology used to deploy the product. These choices include the hardware platform used to host PostX, the database that is used by PostX to store information, and web applications. These architectural features provide PostX with the greatest flexibility in secure message delivery.

Platform options

PostX is available on AIX, RedHat Linux, Solaris, and Windows. The hardware selection is left up to the customer, with a minimum PostX Server requirement for at least one high performance CPU (2 preferred for threading), at least 1 GB of physical memory and at least 50 GB of disk storage. Should the customer desire, vertical scaling using more or faster processors can provide additional performance on single PostX servers. Largely for cost/performance reasons, the preferred scaling method is horizontal, implementing multiple inexpensive load-balanced servers for greater scalability and performance.

Database options

PostX can interface with DB2, Oracle, PostgreSQL, MySQL, and Microsoft SQL. Using one of these common databases, customers can maintain PostX as they would any other production database application. There are no special requirements for database backup or high availability. PostX recommends database replication and regular hot backups to maximize solution availability.

Application Server options

PostX is self-contained and is generally configured with its internal Web-application server, JBoss. PostX fully supports this built-in application server as a component of the solution, and the customer will have no need to interact directly with JBoss. When needed for customer standards compliance, PostX can also be configured with a WebSphere Application Server.

Layout diagrams

Deployment of the PostX solution will depend on the component of the server being used and the level of security desired at the site. In the simplest configuration, a single server can be deployed in the DMZ as seen below.

In most deployments, external users will need to connect to the PostX server via an SSL (https) connection. This connection is needed for:
- PostX Native Enrollment
- Retrieving PostX Registered Envelope Decryption Keys
- SecureReply
- SecureCompose
- WebSafe
- External Administration

By allowing this access, the PostX server is more open to external attack. To mitigate this situation, the PostX server is usually placed behind the internal firewall and is front-ended with a reverse proxy server in the DMZ. In some rare cases, companies have not allowed reverse proxy servers. To support these environments, the PostX server can be split into the base server and web-facing components. The web-facing PostX server is installed in the DMZ, while the Policy Engine and other components are housed inside the inner firewall. An overview of this deployment option is seen below:

SCALABILITY & PERFORMANCE

PostX implementations have been placed in some of the largest SecureEmail environments in the world. Some of these implementations can support 10 million messages or more per month. This level of performance is provided using a group of load balanced PostX servers. The number of servers will depend on several factors, including the size of the messages, the operating system, the speed of the hardware, and the level of integration with other infrastructure components such as LDAP. Typically, the limiting factor in performance is the network infrastructure rather than the PostX solution.

For most customers, PostX recommends using Linux servers with dual 2.4 GHz Pentium IV (or faster) CPUs. Using an average message size of 5 KB, two servers (configured for high availability) can process more than 90 messages per second or 324,000 per hour. This configuration provides more than enough capacity for most customers' current requirements and plenty of growth for the future. Our largest statement generation application sent more than 1M 300KB statements per month. PostX also supports Windows, Solaris and AIX.

HIGH AVAILABILITY

The PostX platform is designed as an enterprise-class solution, and integrates with industry standard clustering, load balancing, replication and high availability/fail-over options to satisfy this requirement.
For example, in the PostX solution multiple Messaging Application Servers can share the encryption load, accessing a single, central, replicated database. This creates a load-balanced, redundant solution where messages bound for any server can be immediately rerouted to another. In this configuration, PostX integrates seamlessly with Cisco and other DNS/MX based load-balancing/availability solutions to approach 100% uptime.

As mentioned earlier, PostX supports enterprise class replicated databases like Oracle, DB2 and SQL Server to store keys, enrollment information and messages in queue or in WebSafe storage. These databases, which are usually located on other servers, can be clustered with standard techniques if desired. Finally, PostX can also integrate with load-balancing devices on the inbound path, providing high performance and availability for key-service and mail portal access with multiple PxWeb servers.

The following diagram shows a high availability solution for a typical PostX SecureEmail implementation. The servers in the blue boxes represent the PostX redundant components. The servers in the DMZ are generally proxy servers rather than PostX servers or may include the full PostX configuration depending on security requirements. With either approach, the number of required PostX servers for high availability can be easily reduced to two systems. The database servers are optionally clustered for high availability applications.

ADMINISTRATION

The PostX Administration GUI is provided through a web browser and can, depending on security, be accessed from outside the organization using https if desired. This interface provides:
- Configuration Management
- Real-time Reporting
- User Tracking and Management
- Registered Envelope Key Management
- Certificate Management

Access to this interface can be strictly controlled and managed as required by customer policies.

Authorization options

PostX users with the current version, 5.2.2, are designated as:

PostX SuperUser
The SuperUser role can access the following features/functionality:
- Edit values of individual entries in the configuration file
- Start/stop services related to the PostX system
- Revert to an earlier configuration
- View reports
- Edit the certificate store

PostX User
The User role can only view the PostX configuration and monitors.

PostX Admin
The Admin role can access the following features/functionality:
- Edit values of individual entries in the configuration file
- Add applications, matchers, data sources, etc.
- Start/stop services related to the PostX system
- Revert to an earlier configuration
- Add, modify and delete users
- View reports
- Edit the certificate store

Archive Admin
Archival Admin can search, view and resend archived messages via the user interface.

These roles are completely independent from system rights, thus providing another level of security for the SecureEmail environment. Administrators of systems that have no knowledge or reason to access this PostX configuration are not automatically granted rights.

Though these levels of administration are useful for many environments, many customers wanted a more granular assignment of roles. PostX 5.3 has a fundamentally different mechanism for roles and privileges. PostX is enhancing the product to make it easier to delegate certain user management tasks to administrators who manage user categories defined by our customer, such as departments or subsidiaries. Version 5.3.0 is expected to be available in April, 2005.

Reporting and Audit

The administrative interface also provides a number of real-time reporting and monitoring capabilities. The Messaging Application Server's Tracking and Reporting component records all message delivery activities and system events from macro to micro level. PostX offers full reporting on message delivery activity from the web-based administration interface. Audit trails can be viewed for selected messages, and reports track success and exception rates. Time-based triggers can be used to monitor message delivery and take action when deliveries fail. PostX logs basic information about each message sent through the system (time stamp, From, To, Application used to send), and provides a UI for running reports on this throughput data.
PostX Tracking and Reporting includes the ability to track and report on:
- An individual message's path through the PostX system from initiation through delivery
- Message open events, when using the Registered Envelope or WebSafe
- Bounce-backs
- Click-level events, but this is typically customized based on specific requirements. This can also be integrated with traditional Web tracking systems, such as WebTrends

Because all reporting data is stored in an ODBC compliant database, custom reports can be created easily using third party report generation tools, like Crystal Reports.

PostX maintains a separate and highly configurable audit trail. This audit trail is hardened against tampering and optionally includes auditing of operator actions. Broadly, the audit trail is intended for auditors and the log files are intended for operators. The following screen shots illustrate the available audit configuration options.

Message Tracking

One of the most powerful features of the PostX Registered Envelope is the ability to track and control messages. Since the decryption key to open the envelope must be obtained from the server each time the envelope is opened, the server can track when the message is opened and can also control, after the message has been sent, whether the message can be opened at all.

The following screenshot of the Registered Envelope report shows envelopes and their current state. Notice that the last two emails in the report show that the email has been created but not opened. Our message with the subject "Consultative Help" has been opened and a return receipt to the sender was generated.

To understand how messages can be controlled, the following screen shot illustrates how access to a single message can be controlled from the server even though the message now resides in the recipient's desktop email. We know from the previously generated report that our message was opened. From this interface, we can change the status to Locked or Expired and deny access to the message by withholding access to the decryption key at the server. The recipient can no longer open the message and will be referred to a configurable set of instructions for problem resolution.
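The key-release behaviour described under Online Authentication and Message Tracking (a per-message key held only by the server, open tracking, automatic lock after failed attempts, administrator-only unlock, expiry) can be modelled as a small state machine. This is an added illustration, not PostX code; the class and method names, the three-attempt limit and the PBKDF2 password verifier are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3   # assumption: the page says only "a specified number of attempts"
PBKDF2_ROUNDS = 100_000   # assumption: illustrative work factor for the password verifier


def _verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Envelope:
    session_key: bytes            # random per-message key, stored only on the key server
    salt: bytes
    verifier: bytes               # salted hash of the recipient's password
    expires_at: float
    state: str = "CREATED"        # CREATED, OPENED, LOCKED or EXPIRED
    failures: int = 0
    opens: int = 0
    audit: list = field(default_factory=list)


class KeyServer:
    """Hypothetical key server: releases a session key only after authentication."""

    def __init__(self, clock=time.time):
        self._envelopes = {}
        self._clock = clock

    def _log(self, env, event):
        env.audit.append((self._clock(), event))

    def register(self, password, ttl_seconds):
        """Create the per-message key; the envelope itself ships without it."""
        envelope_id = secrets.token_hex(8)
        salt = secrets.token_bytes(16)
        env = Envelope(secrets.token_bytes(32), salt, _verifier(password, salt),
                       self._clock() + ttl_seconds)
        self._envelopes[envelope_id] = env
        self._log(env, "created")
        return envelope_id, env.session_key

    def request_key(self, envelope_id, password):
        """Return the session key, or None if access is denied."""
        env = self._envelopes.get(envelope_id)
        if env is None:
            return None
        if env.state != "LOCKED" and self._clock() >= env.expires_at:
            env.state = "EXPIRED"
        if env.state in ("LOCKED", "EXPIRED"):
            self._log(env, "denied:" + env.state.lower())
            return None
        if not hmac.compare_digest(_verifier(password, env.salt), env.verifier):
            env.failures += 1
            self._log(env, "auth_failed")
            if env.failures >= MAX_FAILED_ATTEMPTS:
                env.state = "LOCKED"
                self._log(env, "auto_locked")
            return None
        env.failures = 0                 # assumption: only consecutive failures count
        env.opens += 1
        env.state = "OPENED"
        self._log(env, "key_released")   # every open is recorded server-side
        return env.session_key

    def lock(self, envelope_id, role):
        """Manual lock by the administrator or the sender."""
        env = self._envelopes[envelope_id]
        if role not in ("admin", "sender") or env.state == "EXPIRED":
            return False
        env.state = "LOCKED"
        self._log(env, "locked_by:" + role)
        return True

    def unlock(self, envelope_id, role):
        """Only an administrator can unlock a locked message."""
        env = self._envelopes[envelope_id]
        if role != "admin" or env.state != "LOCKED":
            return False
        env.state = "OPENED" if env.opens else "CREATED"
        env.failures = 0
        self._log(env, "unlocked_by:admin")
        return True

    def state(self, envelope_id):
        return self._envelopes[envelope_id].state

    def events(self, envelope_id):
        return [event for _, event in self._envelopes[envelope_id].audit]


if __name__ == "__main__":
    server = KeyServer()
    eid, key = server.register("constructed-password", ttl_seconds=3600)
    for guess in ("a", "b", "c"):        # constructed wrong passwords
        server.request_key(eid, guess)
    print(server.state(eid), server.events(eid))
```

With offline authentication the wrapped key travels inside the attachment, so there is no key request for a server to log or refuse.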

Backup and Maintenance

The PostX solution does not add any unique backup or recovery challenges to an existing environment. PostX installs into a well-defined directory structure, and PostX supports standard enterprise databases (MSSQL, Oracle, DB2, PostgreSQL, and MySQL) for its repository. For system outages, the configuration and procedures detailed in 4.6 provide redundancy and resilience. For site outages, standard backup and/or remote mirroring configurations will support PostX recovery requirements.

SECURITY

Security and usability -- both important design goals -- frequently conflict. In providing more security, the usability of the system will usually suffer and vice-versa. Not every environment requires extremely high security, with some preferring the convenience of a fully automated and self-maintaining environment over one implementing extensive manual checks and balances, restrictive password management rules, stronger security algorithms (at the expense of increased email latency and system overhead) and the like. Others, such as financial institutions, require the highest security possible. The PostX solution is designed to provide a balance of security and usability, with flexible, configurable options available to allow a customer to bias their implementation toward either end of the spectrum as required.

As was shown in Section 4.4, the server can be partitioned in several ways to protect access to the PostX server containing user information, email queues, and email messages in WebSafe (pull). These configuration options allow a balance between the number of servers to be deployed, management points, and required security from external attack.

Administration can also be tiered to provide the right level of access to the correct user and is separate from system administration rights.
As mentioned in the Administration section above, the levels of access will be enhanced in an April PostX release to grant very granular access rights for administration and reporting that are appropriate for each line of business.

User authentication and security can also be configured to the level of security required. Users may authenticate to LDAP, flat-files, databases, or any other authorization infrastructure. If no authorization infrastructure exists, PostX can provide its own enrollment and user database. Enrollment can be automatic, semi-automatic (PIN example in Section 4.3.2), or completely controlled by PostX Administrators.

Encrypted email can include personal certificates using S/MIME or OpenPGP or utilize site certificates with S/MIME, OpenPGP, United States Postal Service Electronic Postmark System, or PostX EnvelopeSignature (Section 4.3.3). Each of these technologies assures the recipient that the email is genuine and assures the identity of the sender.

PostX also provides the Registered Envelope that provides complete control and visibility of pushed messages. This kind of control was previously only available with pull solutions, positioning the PostX Registered Envelope with an excellent mix of the best features and benefits from both push and pull solutions.

EXTENSIBILITY

One of the key differentiators of the PostX Messaging Application Server is its extensibility and the ability to plug new applications into the system. Because of this extensibility, the CIO of JPMorgan Chase called PostX "our number one re-usable application." The following gives some examples of why.

Adding new modules

Within the SecureEmail application, PostX early on determined that customer environments were diverse and dynamic. These environments required products that were flexible and easily modified and extended to include a variety of options. As seen in the preceding sections, PostX functionality can be extended by incorporating external modules such as:
- Authentication databases and directories including LDAP, flat-files, SQL-based and other
- Third party database for PostX storage
- Third party web application servers

The PostX server has also been extended in the past to handle new or different technologies not originally included. These include:
- Alternative delivery applications such as S/MIME and OpenPGP
- Alternative encryption algorithms (RC-4, AES, 3DES with RSA integration)
- Alternative hashing algorithms (SHA-1, MD5)

New technologies are continually being added to the product driven by industry standards and customer demand. For example, OpenPGP support was added this year. Because of the modular approach offered in the PostX Message Application Server, OpenPGP was added in a matter of weeks rather than months as is typical with other email delivery systems.

Customer Interaction Hub

One of the first applications to be added after the base server was implemented with SecureEmail was the Customer Interaction Hub. This system was developed for JP Morgan Chase to facilitate customer communication with the bank. Before PostX, JPMC's email was directed into the Kana system and accessed by Customer Service Representatives (CSRs) in a serial fashion. No pre-sorting or filtering of the information coming in was possible.
Many messages were handled an average of five times before resolution was reached. By integrating the basic WebSafe system with JPMC's web site and CRM databases, PostX was able to reduce the number of mis-handles to an average of 1.7. This reduction was accomplished by presenting each customer with a restricted set of forms that reflected only the types of accounts and activities that the end user would be accessing. Further, each inquiry was accompanied by an automatically generated form that was built as the customer was guided through a list of questions and clarifications on their inquiry. This form standardized the look and feel for the assigned CSR. Further, by providing this framework, PostX could route the email to the correct group of CSRs rather than to the entire 8,000 CSR population in Kana. This final system has resulted in a more cost effective customer service application as well as higher customer satisfaction.

Other such Customer Interaction Hubs have been configured for customers such as the Royal Bank of Scotland as well. Each has been customized to reflect the needs and goals of the entity involved.

eStatements

One of the most exciting extensions of the server was the addition of statement creation and delivery. Many of our customers send out messages that are programmatically generated. These messages may be trade confirmations, billing statements, or simple notifications that include sensitive information about the customer. Because of the sensitivity, the messages should be encrypted, making these bulk mailings a natural extension of the PostX Message Application Server.

As a start, PostX added the capability to monitor file folders and look for simple files (PDF, Word, etc.) and send these attachments in a PostX envelope to a list of defined recipients.

PostX took this simple application further, extending the server to not only send the message, but generate the content as well. In this configuration, the PostX statement system receives raw data for an individualized message. This message might include detailed billing information, recipient contact information, and possibly a targeted marketing campaign to use for this recipient. This input is generally in XML, flat file or AFP format, and can be augmented with information from marketing or CRM databases to add content. Using the information available, PostX can then generate an ActiveStatement in HTML format that includes graphics and web site links. This resulting document is then encrypted and sent to the user. An example architecture is shown below:

AT&T Wireless, Charles Schwab, HSBC, and others have employed this technology.

APPENDIX A: BUSINESS OVERVIEW

History and Accomplishments

1996
- PostX was founded in Cupertino, California.

1998
- Delivered the first Version 1.0 PostX Envelope to a recipient's email inbox. The encrypted payload was included as an email attachment, and the recipient was required to download and install a desktop client in order to decrypt the message.

1999
- Co-developed United States Postal Service Electronic Postmark (USPS EPM). PostX was the first company to integrate the USPS EPM with secure message delivery and the first partner to license USPS EPMs.

2000
- Awarded U.S. Patent #6,014,688 for an e-mail program capable of transmitting, opening and presenting a container having digital content using embedded executable software.
- Created and delivered first electronic Charles Schwab 401K statements. Built using Macromedia Flash, the interactive statements enabled clients to visually measure performance and analyze third-party investment advice incorporated into the statement.

2001
- Awarded U.S. Patent #6,304,897 for processing e-mail messages including representations of envelopes including time stamps, sender identity identification, and branding elements with hyperlinks.
- Delivered the first Version 2.0 Zero Install PostX Envelope, which used embedded JavaScript to decrypt the secure message. The Version 2.0 PostX Envelope worked on any platform (Windows, Mac, Linux, Unix) and with any email client (Exchange, Notes, Yahoo!, AOL) to provide universal reach.

2002
- Released first integrated secure delivery platform providing push and pull delivery.
- Mayo Clinic deployed PostX SecureEmail to meet HIPAA compliance requirements.
- Awarded U.S. Patent #6,367,010 for secure symmetric encryption and decryption via the Internet using an advanced and sophisticated manner of preventing hackers from accessing sensitive and private information.

2003
- Awarded U.S. Patent #6,477,647 for system and method for confirming trade transactions via the Internet and/or private network to e-mail addresses.
- JPMorgan Chase deployed PostX-based Chase Message Center, which enabled Chase to:
  o Unify customer experience
  o Reduce inquiry response times
  o Enable the exchange of confidential information through email.
  A recent Livermore Research Report calls the Chase Message Center the gold standard for functionality in a secure message center.
- Released first secure delivery platform providing integrated S/MIME support in addition to push and pull delivery.

2004
- Released first secure delivery platform providing integrated support for full range of secure delivery methods, including push, pull, S/MIME, and OpenPGP delivery methods.
- PostX became an IBM Premier Partner, and PostX and IBM completed a global marketing teaming agreement for Banking and Insurance verticals.
- AT&T deployed PostX ebills, making 20 million customers eligible to receive monthly bills through PostX Envelopes.
- Led the establishment of the TECF, an industry consortium focused on efforts to eliminate the phishing and spoofing attacks that can cause identity theft and brand distrust.

2005
- Completed partnership agreements with leading content filtering providers, CipherTrust, IronPort, Proofpoint, Sendmail, and BT Syntegra.

APPENDIX B: POSTX CUSTOMERS

PostX has been intentional in our marketing and customer acquisition strategy during the maturing of the secure email market segment. We believe that during the maturing of a technology market the largest, most complicated customers will likely drive technology requirements and identify critical business issues that must be satisfied by the vendors in the space. PostX is proud to have the largest deployments of secure messaging in the world, reaching millions of recipients. Below is a list of some of our largest customers and a brief description of some unique deployments:

Healthcare
Mayo Clinic Boston Medical Children's Hospital Mercy Health Partners Scott & White Memorial

Insurance
Aetna Allstate Aon American Family Aviva Marsh

Financial
JPMorgan Chase VISA Citibank Charles Schwab ABN AMRO HSBC ADP Putnam Royal Bank of Scotland Union Planters Bank

Retail/Services/Gov't
Hertz IBM-GS DST Systems BeTrusted Ireland Revenue CSC

Customer: Charles Schwab
Description: The Charles Schwab Corporation is one of the nation's largest financial services firms engaged, through its subsidiaries, in providing securities brokerage and related financial services for over 7 million active accounts. SchwabPlan, retirement planning services arm of Charles Schwab & Co., selected PostX to deliver SchwabPlan 401K statements via secure email. With PostX, Schwab is able to deliver secure email to any desktop or web-based email client, allowing them to reach 100% of their online customers. With PostX, Schwab customers could view their secure statements without being connected to the Internet, giving them full email flexibility. The Schwab Retail group uses PostX to securely deliver trade confirmations to customers. Schwab Retail has also integrated the PostX platform with their eGain customer relationship management system, enabling them to respond securely to customer service emails. Schwab Retail completed this integration without the involvement of PostX Professional Services Organization, clearly demonstrating the power, flexibility, and maturity of the PostX solution.

Customer: Citibank
Description: Citibank is the consumer and corporate banking arm of Citigroup, the largest company of its kind in the world. With operations in more than 40 countries, the unit has some 1,400 offices (more than half of them are in the US, mainly in and around New York; Chicago; Miami; Washington, DC; and in California). Citibank serves consumers and small business, offering deposits and loans, and utilizes its parent's breadth of financial services, offering insurance and investment products. The bank's online service is a leader in its field, claiming some 15 million users. The International Credit Card (ICC) division of Citibank has rolled out electronic statements using PostX technology for their customers in Taiwan, and next plans to make PostX electronic statements available to customers in Japan.

Customer: JPMorgan Chase
Description: Chase Financial Services, the consumer banking division of JPMorgan Chase, is a major provider of banking, credit, investment and financing products and services to consumers and small and middle market businesses throughout the United States. PostX worked with JPMC to implement a fully functional email portal for JPMC, based on PostX Trusted Communications Hub, to use to communicate securely with their customers. Customers use a forms-based email submission process to define their question. Based on initial customer information, PostX Trusted Communications Hub dynamically queries multiple databases and systems and prompts the customer to choose from a list of possible answers to each part of the form. With this approach, JPMC ensures that the customer provides all the information necessary for the customer support representative to answer his question in one pass. Bank One, recently merged with JPMorgan Chase, uses PostX to securely communicate confidential account information to commercial banking customers. Since its implementation of PostX SecureEmail, the Bank now provides new online account login information as soon as an account is established. The Bank also uses PostX to provide instant service for password-reset requests.

Customer: Mayo Clinic
Description: Large, nationally respected health service provider and biomedical research organization. Provider community includes more than 45,000 physicians, scientists, employees, and associates that treat more than 500,000 patients annually. Mayo Clinic uses PostX to enable secure email communication between patients and providers and within its research community, ensuring compliance with HIPAA legislation.

Customer: Children's Hospitals and Clinics Minneapolis/St. Paul Minnesota
Description: The largest pediatric health care organization in the Upper Midwest and one of the largest pediatric organizations in the nation. More than 1,500 physicians, 3,000 employees, 750 volunteers, and 1,500 associates are included in its provider community. Children's Hospitals and Clinics chose PostX to ensure that confidential emails are sent securely in compliance with HIPAA legislation. PostX enables the healthcare organization to secure email communication within their patient and provider community.

Customer: HSBC
Description: Headquartered in London, HSBC is one of the largest banking and financial services organizations in the world. HSBC's international network comprises about 10,000 offices in 76 countries and territories in Europe, the Asia-Pacific region, the Americas, the Middle East and Africa. HSBC selected PostX as the bank's secure messaging vendor. HSBC's first implementation of PostX technology is creation and secure delivery of electronic statements for their off shore banking customers.

APPENDIX C: INDUSTRY AND ANALYST ACKNOWLEDGEMENTS

PostX is proud of our accomplishments in the industry. Our success in providing quality solutions that solve real business problems is evidenced by our marquee customer list for secure messaging. Additionally, leading experts agree that the PostX approach to secure messaging provides the best solution to fit large organizations. Below are a few acknowledgments to the PostX strategy:

Livermore Research Group

The Livermore Research Group conducted an independent analysis of the best secure messaging centers. Here is the summary of the findings:

- PostX was rated the GOLD STANDARD
- The analysis was conducted by Livermore by using live sites and user experiences
- Study was conducted with the largest users of secure pull (secure messaging centers):
  - American Express
  - Bank of America
  - Capital One
  - Chase (GOLD STANDARD)
  - Citibank
  - Discover
  - First USA
  - Fleet
  - Household Bank
  - Juniper
  - MBNA
  - National City
  - US Bank
  - Target
  - Wells Fargo

DocuLabs

DocuLabs conducted an independent analysis of the best secure messaging vendors with the TMS (Treasury Management Services). Here is the summary of the findings:

- PostX was Top-Rated
- PostX evaluation was rated as the best technology
- PostX was given marks for its flexibility in
  - Architecture
  - Delivery Methods
  - Encryption Algorithms
  - Uses

eWEEK

eWEEK performed an in-depth lab analysis of the PostX Enterprise Platform. The following is a snapshot of the review:

- PostX was Top-Rated
- PostX evaluation was rated as the best technology

InfoWorld

InfoWorld conducted an independent analysis of the secure messaging industry, and performed a technical evaluation based on their top performers (PostX, PGP, Sigaba, and Tumbleweed). Here is the summary of the findings:

- PostX was Top-Rated

Gartner

Gartner has conducted several studies and reports on secure messaging. It is their consistent opinion that PostX is the best secure messaging vendor. This report is one of many that validate PostX as the top vendor and a tier one player. Here is the summary of the findings:

- PostX was Top-Rated

Highlights

SchwabPlan ultimately selected the Secure Envelope solution from PostX because of its capability to meet customer preferences for offline viewing and convenience while addressing the challenges of delivering content directly to the customer. This solution is available through a variety of means, including via application service providers, but SchwabPlan chose to purchase and install it on-site because of the control over the operations and data that it allows. SchwabPlan believes that the PostX solution matches its customer expectations and offers additional benefits to SchwabPlan.

Growthink

PostX Named To Prestigious Top Ten List of Emerging Companies

Cupertino, CALIF. September 1, 2004 -- PostX, a leader in trusted delivery of electronic information vital to business and customer relationships, today, on the heels of its successful new product launch Trusted Enterprise 5.0, announced it has been named to the Growthink Research 'Top Ten Emerging' companies list. PostX, which provides trusted messaging and e-business solutions for some of the world's largest financial, telecommunications, and healthcare organizations, joins the list after having been selectively chosen from more than 2,100 other companies.

The list was compiled by Growthink Research, an independent venture capital research firm that analyzes financing trends for emerging companies. The criteria for PostX and others selected as the 'Top Ten Emerging' companies included funding history, innovative product cycles, management team and the overall business model, proving stability and future success.

"Our research team spent months evaluating companies based on specific criteria, however, PostX Corporation emerged as a clear leader within its space," said Corey Lavinsky, President, Growthink Research. "The company's ability to succeed and evolve within the secure messaging space over the last seven years is a testament to its stability, business-savvy leadership and its position at the top of the industry. PostX has demonstrated its ability to command the marketplace given its impressive list of clients and cutting-edge products."

Growthink Research is an independent venture capital research firm. Its proprietary database has detailed information regarding thousands of venture capital funding transactions. Emerging ventures raising capital, venture capital firms, large corporations and service providers rely on their reports to raise venture capital funding, identify and secure highly qualified new clients and gain competitive intelligence. For additional information, call 310-823-8346, or visit the company's web site at www.growthinkresearch.com.

Copyright PostX Corporation 2005 PostX Corporation 3 Results Way Cupertino, CA 95014 U.S.A.