Service Specifications

v. 01012017

The Service Specifications related to the Digital Guardian, Inc. Master Agreement consist of the following three documents: Managed Services Terms, Support Services Terms, and Service Level Agreement.

Digital Guardian Managed Services Terms

Digital Guardian’s Managed Service offerings consist of the following:

I. DG Managed Service – Setup Services

II. DG Managed Service for Data Visibility & Control

III. DG Managed Service for Data Loss Prevention – Gold Level

IV. DG Managed Service for Advanced Threat Protection – Gold Level

V. DG Managed Service – Incident Response

I. DG MANAGED SERVICE – SETUP SERVICES

The Implementation “Setup” process[1] follows the normal Digital Guardian Deployment Methodology. The phases are detailed below, and upon completion of the Setup phase, the client will be turned over to the DG MSP Operations team for normal operations, maintenance, and data reviews as outlined in the Service Description. The phases are as follows:

• The Planning and Requirements phase will focus on designing and defining client’s detailed requirements based on client’s business objectives for information protection. This includes defining the target use cases, project schedule, and resource plan.

• The Qualification phase will include building and testing agent deployment packages for each operating system and verifying agent compatibility within client’s standard operating environment.

• The Deployment phase will focus on configuring, testing, and deploying the Digital Guardian Management Console (DGMC) and assisting in the deployment of the core Digital Guardian Agent and enabling any additional licensed modules.

• The Use Case Implementation phase will focus on reviewing and developing the necessary DLP rules and policies; tailoring any customized Advanced Threat Protection rules and policies; and determining the approaches for incorporating the functionality of the optional modules and deploying the completed package in the production environment.

• The Transition phase will focus on assisting client with the definition of their internal DG operations and support processes, as well as facilitating knowledge transfer to ensure a smooth transition of regular operations to the MSP Operations Team. Additionally, Digital Guardian will provide support, governance and strategic oversight during this phase to ensure the solution is adopted within client and to ensure that client has a successful deployment.

Required Team Roles and Responsibilities

Role: Responsibilities

Digital Guardian Account Manager
• Responsible for all aspects of the partnership and engagement between client and Digital Guardian

Digital Guardian Program Manager
• Overall progress of the project and day-to-day project management
• Ownership of project delivery, quality and timely execution of project
• Risk identification, analysis, response, monitoring and control
• Communication management and conflict resolution
• Management of Digital Guardian resources
• Business requirements gathering and use case definition

Digital Guardian Technical Consultants
• Digital Guardian infrastructure requirements definition
• Digital Guardian installation/configuration
• Policy and rule development, testing and deployment support of all modules
• General technical support for the duration of the project

Digital Guardian Managed Service Analysts
• Security experts that hunt through the data to identify security risks to the organization. They also review ongoing operation of the system, and make recommendations

Digital Guardian Trainer
• Deliver training to client personnel

[1] The Setup cost is determined by the size (number of agents) and scope of deployment (target systems, use cases, etc.), and is outlined with any specific client requirements in the Order Schedule.

v.01012017 Digital Guardian Confidential

In addition, the following client team members will be expected to participate in the project (some more than others). It is appreciated that the multiple roles below may be filled by a single person:

Role: Responsibilities

Decision Maker (CSO, CISO, etc.)
• Makes broad-reaching decisions that may be outside the scope of the other participants
• Clarifies business opportunities, drivers and high-level security considerations
• Commits the necessary cross-functional resources to the project
• Ensures project stays aligned with business and corporate strategy
• Champions project effort and monitors overall project progress
• Resolves issues outside of the responsibility and authority of the Project Manager

Project Manager
• Serves as the main contact point for day-to-day project-related issues, including project timeline, deliverables and issue escalation
• Involved in all stages of the engagement
• Arranges and coordinates the participation of other client team members

Business Analysts
• Identifies business use cases, has a good understanding of the client business process and security needs
• Understands end-user behavior

IT / IT Security
• Ensure compliance with external regulations and internal security policy
• Has a strong understanding of all aspects of client security needs
• Has details on Active Directory integration / VPN Setup as required

Help Desk
• 1st line DG Agent support

II. DG MANAGED SERVICE FOR DATA VISIBILITY & CONTROL

The Managed Services offering aligned with DG for Data Visibility and Control (“DG DV&C”) brings forward a managed service that will deliver the functional benefits as outlined in the product offering of DG DV&C.

DG DV&C consists of the following services:

1) Setup and ongoing administration of one (1) Digital Guardian Management Console (DGMC) Production Environment.

2) Pre-deployment testing of the DG Agent on up to four (4) , workstation or images to verify application compatibility.
   a. Create and test Windows / Linux / OSX installer packages for deployment.

3) Bi-annually scheduled DGMC Console Server upgrades.
   a. Agent upgrades are unlimited and available upon client request.

4) Access to MSP Support and Administration team via Web Portal and email during business hours. Business hours are determined by the location of Customer’s Headquarters. For companies headquartered in EMEA, business hours are 9am to 5pm (GMT) on days on which the banks in London, England are open for business. For companies headquartered in APAC, business hours are 9am to 5pm JST on days on which the banks in Tokyo, Japan are open for business. For companies headquartered in the Americas, business hours are 9am to 5pm ET on days on which banks are open for business in Boston, Massachusetts.

5) Online access and selected weekly automated secure email delivery of Standard Report & Dashboard Packages as well as monthly Executive-level summary dashboards including:
   a. Weekly Forensic Reports for Case Creation
      i. Cloud
      ii. NTU
      iii. Removable Media
      iv. Send mail
   b. Classified NTU to Public
   c. Data to Cloud (NTU)
   d. Data to Cloud (Folder)
   e. Classified Send Mail to Public
   f. Data to CD-ROM
   g. List of Alerts w/ Count
   h. Data to Removable
   i. Classified Remote to Removable ADE
   j. Classified Remote to Browser ADE
   k. Classified (only) Print
   l. Application Start from Removable
   m. Resume Egress Report
   n. P2P Application Starts
   o. Process Execution Report
   p. Banned Subnet Access Alerts

6) Near Real Time Alerting of Suspicious Data Theft Activity conducted by the MSP Analyst team:
   a. Identify anomalous activity in logged events and reports
   b. Best practices recommendations
   c. Filter, rule, and report tuning

7) Online Storage Provided:
   a. Online reporting and forensics access for 13 weeks at 200 daily DG Agent events average per DG Agent license
   b. Archived Bundle storage for up to 12 months of agent data for recovery and forensic analysis

8) Active Directory integration for user and group assignment naming.

9) Rule set is limited to subscription content available for the DG for Data Visibility & Control Agent.

The Digital Guardian Network Event Monitoring (“DGNEM”) is not included in this subscription. In the event that Customer desires to run DGNEM, which can have a significant usage fluctuation based on a Customer’s workforce, Digital Guardian will run a trial DGNEM and determine the appropriate fees for DGNEM based on actual usage in a trial period.

III. DG MANAGED SERVICE FOR DATA LOSS PREVENTION – GOLD LEVEL

In order to subscribe to the DG Managed Service for Data Loss Prevention (DG DLP), Customer must have a subscription to DG DV&C at least equal to the quantity of DG DLP.

DG DLP – Gold Level consists of the following services:

1) Console and Server environment(s) hosted on a dedicated virtual environment.
   a. Setup and administration of DGMC Production Console Environment.
   b. Setup and administration of DGMC Development/Staging Environment.

2) A dedicated Security Analyst to address custom requests, review reports, usage, anomalies and recommendations.

3) Around the clock access to MSP Support and Administration team via Web Portal, email and phone (7/24/365).

4) Unlimited access and user accounts for customer-branded DG Management Console and Reporting Secure Web interface.

5) Classification – customized content and context classification rules will be developed and maintained.

6) Conditional Notification Rules – customized rules for event notification that will be configured based on customer requirements.

7) Control Rules – Customization and creation of control rules specifically for advanced device control and other DLP use cases where a control/prompt is needed.

8) Conditional Application Control Rules – Create and maintain customized application control rules as well as add conditional statements and criteria to customize application control rules, such as by user, by version, by file type/classification, etc.

9) Advanced DLP Reporting Packs – Enables customization of reporting and federation in the environment. MSP team will work for customer to align reporting packs to the customer environment.


10) Outside of specific customizations listed above, maintaining of the environment (i.e., updates), and the implementation of DG Content Server content; each customer is entitled to the following levels of custom rule and report development via DG PSG Consultants after their initial setup is complete.

a. <1,000 Agents = 8 hours PSG annually
b. >1,000 & <5,000 = 20 hours PSG annually
c. >5,000 & <10,000 = 40 hours PSG annually
d. >10,000 & <20,000 = 60 hours PSG annually
e. >20,000 = 80 hours PSG annually

The custom rule and report development is time after the initial Setup is complete. The DG Program Manager will identify to the customer when the Setup Fee is depleted and we are in an “Operational State.” After an operational state is achieved, custom rule and report development may be restricted to the amounts outlined above. Additional hours can be purchased at any time using standard rates. Hours will not be rolled over from year-to-year.

11) SIEM Integration/Log Management – provides necessary effort to connect to a customer-provided SIEM and maintenance work to ensure data feed is operational.
   a. SIEM Integration requires a custom setup fee – see Special Pricing Section. If the customer requires DG to host the SIEM in the cloud, separate pricing is required.

The Digital Guardian Network Event Monitoring (“DGNEM”) is not included in this subscription. In the event that Customer desires to run DGNEM, which can have a significant usage fluctuation based on a Customer’s workforce, Digital Guardian will run a trial DGNEM and determine the appropriate fees for DGNEM based on actual usage in a trial period.

IV. DG MANAGED SERVICE FOR ADVANCED THREAT PROTECTION – GOLD LEVEL

The Managed Service offering aligned with the DG for Advanced Threat Protection (“DG ATP”) product is a monitoring service that will identify host based indicators of a compromise from threats targeting the organization to gain unauthorized access to client systems and sensitive data. Additionally, the ATAC (Advanced Threat and Analysis Center) team provides detection services by proactively hunting Digital Guardian data for new and unique methods adversaries use to achieve their intent on endpoints. ATAC employs a wide array of intelligence, indicators, and intrusion detection signatures to perform these activities. When the ATAC team discovers an indication of malicious activities as part of its hunting analyses, it escalates these findings to the customer.

In order to subscribe to the DG ATP Service, Customer must have a subscription to DG DV&C at least equal to the quantity of DG ATP being ordered. Currently the ATP Service is only available for Windows Devices.

The Managed Service offering aligned with the DG ATP – Gold Level consists of the following services:

1) One (1) Production Console and Server environment(s) hosted on a dedicated virtual environment.

2) Once DG ATP has been deployed, an initial deep dive review of the events will be conducted by the ATAC team and a formal presentation will be provided with any identified threats to the organization. Additionally, any recommendations for mitigation will be provided.

3) Indicators of Compromise (IOC) & Indicators of Attack (IOA) Updates – the ATAC team will create, deploy and manage IOCs (atomic indicators which include IP addresses, MD5s, domain names, etc.) and IOAs (behavior-based signatures) via the DG MSP Content Server and any analytical backend systems for alerting purposes. Threat Intelligence feeds will be leveraged as a part of this service as well.

4) Cyber Threat Alerting & Reporting – online portal access for visibility into alerts, reports, and dashboards.
   • Process Usage Report – detailing process usage for anomaly detection across the organization. This includes initial launch detail.
   • Threat Scan Report – Anti-virus hits for processes executing within the environment
   • Alerts Report – tracking an alert to its source and providing all the relevant detail.

5) Alert Triage & Notifications – The ATAC team shall monitor and evaluate alerts generated by the software and provide the client with an analysis of events that have either been internally categorized as being high fidelity alerts or that indicate a legitimate threat to the security of the client’s environment. The analysis will include details associated with the alert, any potential root causes or entrance vectors identified, and a recommendation for remediation. If the ATAC team determines that an alert is a “false positive” or that it otherwise poses no legitimate threat to the client’s environment, ATAC shall have no obligation to provide an alert analysis.

6) Advanced Network Device Integration (e.g., FireEye) – for customers that own network devices, the service would include unidirectional or bi-directional feeds to detonation engines which can be used to create block lists from the results. Integration type will be on a device-type basis.


7) Threat Prevention Rules – Ability to add custom block rules to prevent and/or mitigate against attacks via known bad MD5s, IP addresses, domains, etc. Block mode is not enabled by default and will need to be requested in order to receive functionality. The ATAC team will provide recommendations on the most viable approach depending on the client’s environment.

8) SIEM Integration/Log Management – provides necessary effort to connect to a customer-provided SIEM and maintenance work to ensure data feed is operational.
   a. SIEM Integration requires a custom setup fee – see Appendix below.

9) VirusTotal Integration – the service will utilize the private API version of VirusTotal and will manage per VirusTotal’s SLAs for events that can be submitted (no more than 6,000 requests per minute). Each process executed within the client’s environment will have its MD5 hash submitted to retrieve VirusTotal hit results. Note: We do not submit the executables themselves to VirusTotal.

10) Custom Threat Feeds – The ATAC team has the ability to configure agents to utilize custom threat feeds from the customer. An incremental setup fee may be required based on complexity of integration.

11) Unlimited access and user accounts for customer-branded DG Management Console and Reporting Secure Web interface.

12) Access to MSP Support and Administration team via Web Portal and email during business hours. Business hours are determined by the location of Customer’s Headquarters. For companies headquartered in EMEA, business hours are 9am to 5pm (GMT) on days on which the banks in London, England are open for business. For companies headquartered in APAC, business hours are 9am to 5pm JST on days on which the banks in Tokyo, Japan are open for business. For companies headquartered in the Americas, business hours are 9am to 5pm ET on days on which banks are open for business in Boston, Massachusetts.

13) The ATAC team’s general business hours are 7am – 8pm EST, and the team can be reached at the following email address: [email protected]. Response time for any inquiries is within 24 hours.

Note: The ATP Gold Managed Service does not include Incident Response (IR) or other professional services. Digital Guardian does not warrant that the agent or the service will resolve, detect, or prevent all prior, current, or future threats to the client’s networks.

V. DG MANAGED SERVICE – INCIDENT RESPONSE

These services are delivered on a Time & Materials basis, and can be conducted remotely or on site depending on the customer requirements. This offering is available for customers that want to have that extra level of protection in place in case a major breach or infiltration takes place.

Incident Response Approach:

• Determine the scope of the incident, including identifying potentially affected assets, infrastructure, and data;
• Contain the impact of the incident, and coordinate the removal of the attacker(s), if relevant;
• Determine the originating cause of the incident, including the goal or motivation of the attack, if relevant;
• Develop a timeline detailing the sequence of events relating to the incident;
• Help determine the impact of the incident, including the extent of any data loss or data breach;
• Recommend remediation measures and measures to help prevent future Incidents. This may include deploying Cyber Threat Containment Rules which are additional block rules to prevent the spread of an event. Upon identification of a bad actor, the customer can instruct the DG Threat Team to deploy containment rules.

The Incident Response agreement can be purchased as an add-on with any level of DG Managed Service under a separate Statement of Work.

APPENDIX: ADDITIONAL SERVICES

Items that require an additional fee or custom sizing include the following:

1) Virtualization / Citrix Use Case Support / Virtual Desktop Infrastructure – this use case requires an additional setup fee because of the increased complexity of the environment. Operating costs for managing multiple virtual environments will be subsumed by the Managed Service.

2) Custom Data Extracts – customers requesting customer data extracts / custom reporting outside of DG that require additional configuration and data storage/bandwidth will require a sizing and a custom set-up fee to be added. This is due to the extra infrastructure requirements and time to setup the custom operation.

3) Additional Servers / Additional Storage / Server Agents – customers that require more environments than our standard two – production and development and / or require data separation from a data privacy perspective or Server Agent storage requirement will need to be sized and properly priced.

4) SIEM Integration – customers that want to integrate a SIEM may require a custom setup fee depending on target SIEM. If the customer requires DG to host the SIEM in the cloud, separate pricing is required.

5) Custom Threat Feeds – DG Threat Team will configure agents to utilize custom threat feeds. A setup fee may be required based on complexity of integration.

6) Digital Guardian Network Event Monitoring (“DGNEM”) - if customer requests to run DGNEM, which can have a significant usage fluctuation based on a Customer’s workforce, Digital Guardian will run a trial DGNEM and determine the appropriate fees for DGNEM based on actual usage in a trial period.

7) Multifactor Authentication (MFA) – if a customer requires multifactor authentication (MFA), it will require an additional fee as the service is provided via a third-party. Details on the service are provided below:

Digital Guardian introduces an optional Multifactor Authentication service to our Digital Guardian Management Console (DGMC) credential validation process. This multifactor authentication will supplement a user’s existing chosen identity by adding an additional layer of user validation on top of their normal authentication method. This authentication will be used as a method of DGMC access control in which a user is only granted access after successfully presenting two separate pieces of evidence: knowledge (something they know), their username and password; and possession (something they have), access to their validated cellphone or authentication application.

To facilitate MFA validation, Digital Guardian is integrating the Authy (https://www.authy.com) service as the second component of the two-factor validation. Customers will be able to use one of the following multifactor validation options for their DGMC access control:

• Authy OneTouch – easiest to use, using an app on your iOS or Android device. Swipe once and authentication is complete; no code to enter anywhere.
• Authy SoftToken – one app on your iOS, Android, Windows, Linux or Mac devices. SoftToken produces a new One Time Passcode (OTP) every 20 seconds that can be used for your MFA.
• Authy OneCode – finally, if you do not have access to an Authy app, Authy OneCode is a one-time verification code that can be sent to your device via SMS (or an automated voice call). All you have to do is enter the code provided as your MFA. This method would be recommended for users who don't have access to any of the Authy apps.

Customers that sign up for this service as part of their Order Schedule will be provided more detailed instructions, and the implementation of this service will be done in the Setup Phase or as an additional service request to existing customers.

Support Services Terms

I. SUPPORT

1. DEFINITIONS

1.1 Terms in this Support Policy which are capitalized have the meanings set forth below.

A “Malfunction” means any defect, problem or condition that prevents the Service from performing substantially in accordance with the Service Description. Digital Guardian’s personnel will contact Customer’s designated support contact(s), within the timeframes designated below, to explore the nature of the Malfunction experienced by Customer, determine whether the Malfunction is related to the Service and reasonably assign a priority level to the Malfunction in accordance with definitions in the table below.

A “Response Time” means the elapsed time between the first contact by a designated support contact to report an issue, and the target time within which Digital Guardian’s personnel report back to the designated support contact to acknowledge receipt and define an Action Plan for resolution. A Response Time is a guarantee of communication timeframes; Digital Guardian does not guarantee a problem fix, workaround, or other final disposition within these timeframes.

An “Action Plan” is a formal verbal or written description of the tasks to be taken by both Digital Guardian and Customer to diagnose, triage, and address a support issue, along with an approximate timeframe for the processing and completion of each task.

1.2 The Support Web Portal is available 24 x 7 x 365. Response Times are determined by the table below.

1.3 Support Services consist of (a) reasonable telephone and e-mail support, (b) reasonable efforts to correct errors to keep the Service in conformance with the Service Description, and (c) modifications and enhancements made to the Service which are provided to Digital Guardian’s general client base at no additional charge (collectively, the “Refinements”). Digital Guardian shall have no obligation to develop Refinements. All Support Services will be delivered in English.

2. SERVICE RESPONSIBILITIES

2.1 Digital Guardian will provide Customer, during the hours outlined in the Managed Services Terms based on the Managed Service Offering purchased, the Support Services described in this Support Policy with respect to the Managed Service. Support Services will be performed in a timely and professional manner by qualified Support technicians familiar with the Software and its operation. Digital Guardian will provide, upon Customer’s request, periodic reports on the status of Support Services requested by Customer.

2.2 Digital Guardian will provide to the Customer the Digital Guardian customer support telephone number, customer support email address, and access to the Digital Guardian customer support website.

2.3 If Customer desires Support Services, Customer will contact Digital Guardian by telephone or e-mail. Digital Guardian’s personnel will use commercially reasonable efforts to respond to Customer’s initial telephone call or e-mail with offsite telephone or e-mail consultation, assistance, and advice relating to Support of the Software as described in Section 2.6.

2.4 When a suspected error is reported, Digital Guardian will analyze the information provided by Customer and will classify the error. Digital Guardian will use commercially reasonable efforts to repair any major inherent Malfunction or error in the Service, when attributable to Digital Guardian.

2.5 Digital Guardian shall use commercially reasonable efforts to correct any reproducible Malfunction in the Service reported to Digital Guardian by Customer.

2.6 Response Times and Priority Definitions:

Priority 1 – Critical. Response Time (within): 2 hours.
Definition: Customer reports a Malfunction that (i) renders the Service inoperative or intermittently operative; or (ii) causes any material feature to be unavailable or substantially impaired; or (iii) compromises overall system integrity or data integrity when the Service is operational in a production environment (that is, causes a system crash or hang, or causes loss or corruption of data); or (iv) causes a complete failure of the Service.

Priority 2 – High. Response Time (within): 4 hours.
Definition: Customer reports a Malfunction that (i) renders a required program or feature of the Service inoperative or intermittently operative; or (ii) substantially degrades performance in a production environment.

Priority 3 – Medium. Response Time (within): 12 hours.
Definition: Customer reports a Malfunction that (i) renders an optional program or feature inoperative or intermittently operative; or (ii) causes only a minor impact on Customer’s use of Service.

Priority 4 – Normal. Response Time (within): 24 hours.
Definition: Customer reports a Malfunction (i) that has only a minor effect on Product functionality; or (ii) cosmetic flaws; or (iii) inquiries and questions about configuration and management of the Service.

3. CUSTOMER RESPONSIBILITIES

3.1 Before contacting Digital Guardian with a suspected error, Customer undertakes to: (i) analyze the suspected error to determine if it is the result of Customer’s misuse or misunderstanding of the Service, the performance of a third party or cause beyond Digital Guardian’s reasonable control, (ii) ascertain that the error can be replicated and (iii) collect and provide to Digital Guardian all relevant information relating to the error.

3.2 If a reported error is directly caused by something that is not part of the Digital Guardian software, then Digital Guardian is not obliged to perform Support Services in respect of that error.

4. BACK-UPS AND STORAGE

4.1 Digital Guardian will maintain daily backups of Customer’s Digital Guardian data for disaster recovery purposes as outlined in the applicable Managed Service Terms for the purchased Service. Scheduled backup procedures take full SQL backups of all Digital Guardian as well as bundle archive repositories generated by Customer’s DGMC. Digital Guardian strives to maintain fault tolerant system architectures to protect DGMC data against accidental data loss due to hardware or system failure.

4.2 Recovery Point Objective (RPO). Data backup occurs at a fixed point in time according to a schedule specified by Digital Guardian. Any data that is collected or created between backups is vulnerable to data loss. The length of time between backups is the Recovery Point Objective. This is the point back in time to which a Customer’s data can be recovered. This would typically be a maximum of 24 hours since backups typically take place daily. If a more frequent backup schedule is required, it must be pre-arranged with Digital Guardian and may result in some additional fees.

4.3 Recovery Time Objective (RTO). This is the maximum elapsed time required to complete the recovery of Customer’s data. RTO is a function of the size of the data delivery circuit (for offsite recovery) and the total amount of data to be recovered. RTO objectives should be discussed with a Digital Guardian account executive. An RTO can only be estimated. Once a Customer’s environment is fully operational, more exact RTO measurements can be performed. RTO may be impacted by a Disaster Recovery Event or other environmental factors.

4.4 Service Level Exemptions. Degradation in the RPO or RTO shall not be considered if such degradation or unavailability arises from: (a) Scheduled Maintenance or other service interruptions agreed to by the Customer for the purpose of allowing Digital Guardian to upgrade, change, maintain, or repair the Services or related facilities; (b) failure of equipment or systems not within Digital Guardian’s network, or of equipment or systems not provided, or not under the control or direction of Digital Guardian including equipment or systems Digital Guardian may obtain or contract for at the request of the Customer.

4.5 Typical Production Servers – Long Term Data Retention levels
• DGMC Online Data – Typically twelve to thirteen (12-13) weeks of online DGMC accessible data
• DG Bundle Archives – Typically kept for one year from date of collection (for forensic instance playback only)
• SQL DB backup – one created every twenty-four (24) hours and retained for one year from date of creation.

4.6 Development, Visibility Assessment (VA) and POC Server – Long Term Data Retention Levels
• DGMC Online Data (of online DGMC accessible data) – Typically fourteen (14) days
• DG Bundle Archives – Typically kept for two months from date of collection (for forensic instance playback only)
• SQL DB backup – one created every twenty-four (24) hours and is kept for two months.

4.7 Offsite Storage
• Off-site data storage by qualified secured third party provider. All metadata is encrypted with privately held keys controlled by Digital Guardian. A nightly synchronization job runs to transfer new backups to alternate offsite locations.

5. ARCHIVE & RESTORE

5.1 Digital Guardian uses Digital Guardian Archive & Restore functionality for all MSP environments to provide playback functionality for investigations of events older than the DGMC retention period as outlined in the applicable Managed Service Terms for the purchased Service. The main objective of this capability is to provide Archive & Restore with playback functionality of MSP environment metadata using forensic only instances of DGMC so that particular selected archives can be restored and played back for targeted investigations without any disruption of the production environments.

5.2 Archive Restore Usage guidelines:  Restorations are only performed upon Customer requests. Customer may request up to four (4) AR restorations per calendar year at no charge. Additional restorations will result in additional fee as per Digital Guardian’s current price list or a pre- negotiated price established by Customer and Digital Guardian.  Archives backups are performed daily and can be restored to a forensic only instance of the DGMC for specific ranges of archived events for investigation purposes.  Customer has the ability to request what gets restored per date, per user, per machine.  Current retention period settings on production environments remain the same.  Digital Guardian is able restore data that is older than the DGMC standard retention period to a forensic instance in its original format (Events/Alerts on DGMC)

5.3 Forensic Instance RTOs should be discussed with a Digital Guardian account executive. An RTO can only be estimated. Once a Customer’s environment is fully operational, exact RTO measurements can be performed.

6. DISASTER EVENTS AND DISASTER RECOVERY

6.1 Digital Guardian schedules daily backups for all DGMC hosted in the MSP environments. Backups are monitored and checked for errors, and regularly scheduled tests of the restoration procedures are performed. In order to ensure the readiness of Digital Guardian’s operators to complete the offline restoration process, Digital Guardian runs frequent drills to test restoration performance as outlined in Section 4 (Backups and Storage).

6.2 If a disruption of the Service occurs, Digital Guardian will assign its highest priority and will make its best commercial efforts to ensure the timely restoration of the Service. Depending on the type of disruption that has occurred, Digital Guardian may elect to first restore the DGMC Service with policy deployment only and without all of the historical data available in the Production DGMC console. Any data not immediately accessible after a disruption in the Service will be restored from the most recent backup and made accessible.

6.3 The above excludes any exceptions described within the Digital Guardian Master Managed Services Agreement document. Digital Guardian will not be held responsible if the fault resolution is beyond the control of Digital Guardian due to a Force Majeure event. Digital Guardian will not be responsible for service outages directly attributable to a maintenance delay due to the Customer’s change management implementation restrictions.

Service Level Agreement

1. Data Center Uptime. Digital Guardian commits that our data center network will be available 99.99% of the time, excluding scheduled maintenance.

2. Downtime Measurement. Downtime is measured from the time a trouble ticket is opened until network availability is restored, or the affected device is powered back on, as applicable.

3. Maintenance. For the purposes of the Service Level Commitment, Support shall mean:

 a. Digital Guardian Maintenance Windows - modification or repairs to shared infrastructure, such as core routing or switching infrastructure that Digital Guardian has provided notice of at least seventy-two (72) hours in advance, that occurs during off-peak hours in the time zone where the data center is located.

 b. Scheduled Customer Maintenance – Maintenance of Customer configuration that Customer requests and that Digital Guardian schedules with Customer in advance (either on a case-by-case basis, or based on standing instructions), such as hardware or software upgrades.

 c. Emergency Maintenance – Critical unforeseen maintenance needed for the security or performance of Customer configuration or the Digital Guardian’s network.

4. Customer Desktop Health and Availability. Customer is responsible for managing and supporting its desktop environment. As outlined in the Service Description, Digital Guardian will complete a thorough quality assurance process to ensure that the Digital Guardian Agent and associated rules function correctly on the Customer’s desktop image. Digital Guardian provides to Customer through the console access to information on the functioning of the Digital Guardian Agent which alerts Customer’s support staff to Digital Guardian Agent related issues. The training provided by Digital Guardian to Customer’s personnel includes standard support processes.

5. Service Requests Response Commitments. Response and resolution levels for typical customer-requested actions related to ongoing support and maintenance of the Digital Guardian solution environment.

MSP Customer Request SLA Matrix

| Category | Priority | Description/Examples | Response * | Resolution |
|---|---|---|---|---|
| Security Incident response Rule Request | High | Request application of pre-defined control rule to address ongoing critical exposure or attack. | 3 Hours | Continuous effort until resolved |
| Remediation of daily alerts | High | Identification and triage of anomalous or exceeded event thresholds | 3 Hours | Same day |
| Customer Incident Response | High | Request for analytic investigations in response to a specific event, issue or infection. | 2-4 Hours | Continuous Effort Until Resolved |
| Incident Response Notification | High | Customer notification of any potentially Suspicious or Malicious events as identified by DG Security Analyst Review | 24 Hours | 24 Hours |
| Forensic (Short) Investigations | Medium | Targeted Forensic Report <13 weeks data for one user | 4 Hours | Next Business Day |
| Configuration Create/Update | Medium | Simple Dynamic Group, Resource Files (process flags, directory control, implicit filters, custom configuration), Alert or report notifications | 4 Hours | Next Business Day |
| Upgrade Agents | Medium | Perform scheduled upgrade of Windows agent software as a push from DGMC for up to 100 total agents | 8 Hours | As per agreed Schedule |
| Policies and Rules maintenance | Medium | Modify an existing rule or policy (excludes substantial modification/rewrite) Includes tuning | 8 Hours | 5 Business days |
| Policies and Rules creation | Medium | Review request and provide estimate of effort for development, testing and deployment | 8 Hours | As per estimate provided |
| Request and new license keys | Medium | Renew and create new Product License Keys, Install keys on requested server | Same Day | Next Business Day |
| Setup PROD MSP environment | Medium | Respond to properly documented environment request and complete deployment of DG Server Environment. | Same Day | 5 Business Days |
| Upgrade the DGMC server | Medium | Maintenance Server Upgrades (Development will always precede Production) applies to current releases only | 1 Week | Per mutually agreed Schedule |
| Access Admin | Low | Password Reset, Account Creation, Privilege or Role change or add | 4 Hours | Same Day |
| Forensic (Long) Investigation | Low | Targeted Forensic Report >13 weeks, one user (multiple users or complex request may require additional time) | 8 Hours | 5 Business Days |
| Documentation & Questions | Low | Product, General, How to, Report Data | Same Day | As per research required. |
| Create install package | Low | Develop/Configure package for agent deployments per platform (one at a time) | 8 Hours | 5 Business Days |
| Configure Custom Report/Dashboard | Low | Provide estimate for effort to perform Report Customizations | 8 Hours | Next Business Day or as per Mutually Agreed Schedule |
| MSP Service Request | Low | Effort and completion time provided on other non-standard requests | 8 Hours | TBD |
| Enhancement Requests | Low | Document Request and requirement and submit to DG Engineering for review and feasibility | 8 Hours | TBD |
| Setup POC/DEV MSP environment | Low | Respond to properly documented environment request and complete deployment of DG Server Environment. | Same Day | 5 Business Days |

* Response is the confirmation of receipt, initial evaluation of the request and acceptance or request for more information.
