This SLA must be agreed upon by both Data Defenders and the Customer. This SLA defines which services the SLA covers, performance, and other requirements of Service provisioning and delivery, and how reporting of the delivery must be performed. Remedies for Data Defenders not meeting the requirements are defined in this SLA. Customer must at all times cooperate with Data Defenders in determining and verifying that a qualifying Service outage has occurred.
Key Features:
Individuals assigned to this engagement can perform more than one of the following roles when required. The following roles need to be appointed within the Customer and Data Defenders to serve as the basis of fulfilling the Scope of Services and the mutually agreed upon SLA outlined in this Order Form:
1. Data Shield SOC team lead (DD SOC Manager): Responsible for managing the SOC services and reporting to the Customer.
2. Data Shield SOC analysts (DD SOC Technician): Responsible for delivering the SOC services to the Customer.
3. Data Shield Incident Manager, Data Defenders (Incident Manager): Can be the SOC team lead. Manages incidents and escalation of incidents when required (when manual handling of incidents is needed). Responsible for communicating directly with the Customer’s Incident Manager.
4. Incident Manager, Customer (Customer Dir. of Cyber and Technology Risk): Responsible for communicating with Data Defenders and coordinating when incidents that need manual handling occur.
5. Data Defenders Engagement Manager: Responsible for contract management at Data Defenders. Will also serve as its document owner. Responsible for arranging periodic status meetings with the Customer.
6. Data Defenders Engagement Manager: Responsible for monitoring SOC service delivery and facilitating all service level communications with Customer. Responsible for communicating the status of SOC services internally at Data Defenders.
7. Data Defenders Engagement Manager (Change Management): Responsible for coordinating delivery of services during change management situations both internally and with Customer.
8. Customer Dir. of Cyber and Technology Risk (Change Management): Responsible for communicating with Data Defenders when implementation of changes is required.
9. Data Defenders Business Development (DD Regional SOC Business Development): Responsible for the service delivery budget, contract, and SLA.
In order to receive an SLA credit (specified herein) for Service, an Authorized Customer Contact must immediately notify Data Defenders’ designated Engagement Manager (EM) of an occurrence within the Data Shield Service that results in the inability of the Customer to access Service (“Service Outage”). A Service Outage does not include an outage that occurs during Scheduled Maintenance. Data Defenders’ designated EM will investigate the reported outage and assign a Service Request number. If the EM is able to substantiate a Service Outage that could qualify Customer for the SLA credit (“Verifiable Service Request”), then Customer may request a Service Credit within thirty (30) days after the event giving rise to the credit by contacting the Data Defenders EM and requesting an SLA credit escalation. A Verifiable Service Request must accompany Customer’s request for any SLA credit regarding the Service purchased by Customer. Credits will appear on Customer’s bill for the Service within sixty (60) days of the SLA credit request, after such SLA credit has been approved by the Data Defenders EM. If Data Defenders has been found to be out of compliance with agreed SLAs at the conclusion of a qualified service outage investigation request initiated by Customer, Customer will have the following remedies to cure any verified breach of SLAs:
1. Customer shall be credited for the cost component associated with the specific stream of service where the service outage occurred. The service cost credit will be 3% of the monthly Data Defenders cost per service outage instance.
The following service credit stipulations shall apply:
(i) If the Service that experienced a qualified and verified service delivery outage is determined to be eligible for a service credit by the Data Defenders EM, and the cost for that service is billed to the Customer on an Annual Billing Cycle, the monthly Service cost will be determined by dividing the Annual Service cost by 12 to determine the Data Defenders monthly cost for service delivery.
(ii) If the Service that experienced a qualified and verified service delivery outage is determined to be eligible for a service credit by the Data Defenders EM, and the cost for that service is billed to the Customer on a Monthly Billing Cycle, the SLA service credit will be determined by using the monthly Service cost for the affected Service.
(iii) During any Contract Year, Customer’s aggregated SLA service credits may not exceed a total of 10% of the monthly cost for the Service where delivery was determined to be out of compliance.
(iv) For the purpose of calculating SLA credits, this monthly Service cost shall mean the monthly recurring charge (or the calculated monthly charge for Services billed on an Annual Billing Cycle) for such Service, but excluding, in all cases, (a) any monthly recurring fees for the Service features (e.g., domain name hosting or e-mail Service), (b) all one-time charges, and (c) at all times excluding the monthly recurring charge attributable to Equipment for such Service.
Credits are exclusive of any applicable taxes or fees charged to the Customer or collected by Data Defenders.
SLAs do not apply and Data Defenders is not responsible for failure to meet an SLA resulting from:
1. Misconduct of Customer or Users of Service.
2. Failure or deficient performance of power, Equipment, Services, or systems not provided by Data Defenders.
3. Delay caused or requested by Customer.
4. Service interruptions, deficiencies, degradations or delays due to any access lines, cabling, or equipment provided by third parties.
5. Service interruptions, deficiencies, degradations, or delays during any period in which Data Defenders or its representatives are not afforded access to the premises where access lines associated with Service are terminated or Data Defenders Equipment is located.
6. Service interruptions, deficiencies, degradations, or delays during any period when a Service Component is removed from Service for maintenance, replacement, or rearrangement purposes or for the implementation of a Customer order.
7. Customer’s election to not release a Service Component for testing and/or repair and to continue using the Service Component.
8. Force Majeure conditions including but not limited to acts of God, labor strikes and other labor disturbances, power surges or failures, Internet connectivity, or the act or omission of any third party, or other causes beyond Data Defenders’ control, whether or not similar to the foregoing.
9. Service interruptions, deficiencies, degradations, or delays during any period when a Service Component is removed from Service for maintenance, replacement, or rearrangement purposes by Customer staff.
10. Service interruptions, deficiencies, degradations, or delays in Service caused by any piece of equipment, configuration, routing event, or technology not under the management and control of Data Defenders.
11. Failure to adhere to Data Defenders recommended configurations on unmanaged equipment.
In addition, Service SLAs do not apply:
1. If Customer is entitled to other available credits, compensation, or remedies under Customer’s MSSTC for the same Service interruption, deficiency, degradation, or delay.
2. For Service interruptions, deficiencies, degradations, or delays not reported by Customer to Data Defenders.
3. Where Customer reports an SLA failure, but Data Defenders does not find any SLA failure.
4. When Service is dependent upon other Service with a lower SLA.
5. If Customer has an over thirty (30) day past due balance on any billing or service with Data Defenders.
6. After the date of Service contract termination.
If Customer elects to use another provider or method to restore Service during the period of interruption, Customer must pay the charges for the alternative Service used.
Log management via Data Shield Sentinel SIEM includes: Ensuring the comprehensiveness of logs added continuously to the SIEM. Ensuring the uninterrupted addition of logs to the SIEM, including endpoint agent services. Customer must initially specify the logs to be included in the SIEM log collection, and Data Defenders must assess the initial specification and point out shortcomings to ensure comprehensiveness. Comprehensiveness must proactively be maintained in change management situations (i.e., ensuring that newly-added systems have their logfiles added to the SIEM as well).
SLA Metrics for Reporting: The average number of days for new log sources to become operational is defined in business days. The average number of days from the date when Data Defenders has been informed of a new log source being active for collection to the date when logfiles are continuously added to the SIEM is five (5) days. Recently added systems carry higher risk, especially if they are internet-facing. The number must be listed per month and reported monthly via email. Data Defenders must ensure the uninterrupted addition of logs to the SIEM, which includes ensuring that endpoint log forwarding agents are running and that the SIEM receivers are listening and functional. SLA Metrics for reporting additionally include:
1. The total number of minutes that unique systems were not transmitting logfiles. Approved service windows are not included.
2. The average number of minutes without service for all devices.
3. The total number of minutes the SIEM was not actively receiving log files.
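The log management metrics above are only as good as the way they are computed, so here is an added example (not part of the Order Form, and not Data Defenders' tooling) that derives the monthly figures from per-source outage intervals, subtracting approved service windows and counting onboarding time in business days. All timestamps and source names are constructed sample data; it assumes UTC and ignores public holidays.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the SLA); per log source, intervals with no logfiles reaching the SIEM.
OUTAGES = {
    "web-01": [("2024-03-01T01:00", "2024-03-01T01:45")],
    "vpn-gw": [("2024-03-02T03:00", "2024-03-02T04:00"), ("2024-03-03T10:00", "2024-03-03T10:20")],
    "dc-01": [],
}
SERVICE_WINDOWS = [("2024-03-02T03:00", "2024-03-02T05:00")]  # approved windows are excluded
SIEM_DOWN = [("2024-03-04T00:00", "2024-03-04T00:30")]         # SIEM receivers not listening
ONBOARDING = [("2024-03-01", "2024-03-08"), ("2024-03-04", "2024-03-06")]  # (notified, live)
_dt = datetime.fromisoformat

def _subtract(pieces, window):
    """Cut one approved window out of a list of (start, end) outage pieces."""
    ws, we = window
    out = []
    for s, e in pieces:
        if e <= ws or s >= we:             # no overlap: keep the whole piece
            out.append((s, e))
            continue
        if s < ws: out.append((s, ws))     # remainder before the window
        if e > we: out.append((we, e))     # remainder after the window
    return out

def unplanned_minutes(intervals, windows):
    """Outage minutes that fall outside every approved service window."""
    total = 0.0
    for s, e in intervals:
        pieces = [(_dt(s), _dt(e))]
        for ws, we in windows:
            pieces = _subtract(pieces, (_dt(ws), _dt(we)))
        total += sum((pe - ps).total_seconds() / 60 for ps, pe in pieces)
    return total

def business_days(notified, live):
    """Weekdays from notification (exclusive) to continuous collection (inclusive); holidays ignored."""
    d, n = _dt(notified), 0
    while d < _dt(live):
        d += timedelta(days=1)
        n += d.weekday() < 5               # Monday..Friday count as business days
    return n

def sla_report(outages=OUTAGES, windows=SERVICE_WINDOWS, siem_down=SIEM_DOWN, onboarding=ONBOARDING):
    per_device = {dev: unplanned_minutes(ivs, windows) for dev, ivs in outages.items()}
    total = sum(per_device.values())
    return {"avg_onboarding_business_days": sum(business_days(a, b) for a, b in onboarding) / len(onboarding),
            "total_minutes_unique_systems": total,
            "average_minutes_per_device": total / len(per_device),
            "siem_receiver_down_minutes": unplanned_minutes(siem_down, windows),
            "per_device": per_device}
```

With the sample data, vpn-gw's first outage falls entirely inside the approved window and is excluded, so the report shows 65 total minutes across the three sources and a 3.5 business-day average for onboarding.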
Customer must submit a complete list of Security Devices to be managed by Data Defenders within thirty (30) days of the Effective Date and in accordance with the Scope of Services defined in this Order Form. All security devices must be correctly configured and managed. This includes:
1. Daily verification that devices or applications that need signature updates receive them (i.e., IDS devices receive new signatures).
2. Monitoring for new firmware or software version availability.
3. Changing default passwords and community strings.
4. Documenting passwords in password managers.
5. Documenting asset configurations in the CMDB with the agreed-upon level of configuration item detail.
6. Ensuring separation of duties between production systems and backup systems holding backup data.
All security devices must pass an initial configuration audit after being configured by Data Defenders. This audit will be performed by the Customer (or a third party employed for this purpose by Customer) and the audit must be performed within one month of the device going active.
For on-demand DDoS mitigation: The number of minutes from the detection of an attack until mitigation was active, per attack. For on-demand DDoS attacks that required extra mitigation to nullify: The number of minutes from when initial mitigations were active until extra mitigations became active, per attack. For always-on DDoS mitigation (for attacks too large to handle): The number of minutes until extra mitigations became active, per attack.
Vulnerability scanning must be performed monthly and results must be manually assessed by competent resources. The results must be communicated to the Customer monthly with impact assessments and remediation advice.
Change management means handling changes in coordination between the Customer and Data Defenders. Data Defenders must initiate change requests when new firmware or software updates are available or when incident management situations require such. Change management processes must follow the official change management policy of the Customer and Data Defenders and will be measured on adherence to the policy.
Incident management includes:
1. Creating, updating, and closing incidents.
2. Escalating incidents manually, when required.
3. Automatic escalation for incidents that are not solved within the defined resolution time frames.
4. Following up on alerts to determine whether or not an alert is a false positive and updating incident management databases with this information.
5. For alerts that are not false positives, incident management requires a follow-up to verify whether the affected system was vulnerable to any payload delivered, plus remediation (in coordination with Customer) if a system was infected.
6. Major incidents need to be actively managed through their entire life-cycle.
For major incidents, the Data Shield SOC will handle forensics and incident response. This can also mean reversing and analyzing malware. Incident handling will include:
1. Data Defenders will provide incident response and/or forensics response personnel when alerted by Customer personnel.
2. Data Defenders will provide a three-hour SLA for phone support.
3. Data Defenders will provide a 24-hour SLA for onsite support.
4. Data Defenders will provide an 8-hour SLA for remote incident response support.
5. Data Defenders’ incident response team will respond when an incident is identified through a range of tools including the eSentire MDR and Customer’s Intrusion Detection System (IDS/IPS) and as officially declared by Customer Authorized Contact.
6. Data Defenders will provide assistance to Customer on in-bound and out-bound communications, including breach notifications, public relations, and crisis communications.


