Information Security Policy

Purpose and Scope

This Information Security Policy addresses the information security policy topics and requirements which maintain the security, confidentiality,

integrity, and availability of Transmit applications, systems, infrastructure, and data. The topics and requirements called out in this policy

should be continuously improved upon to maintain a secure information security posture. From time to time, Transmit may update this policy

and implement different levels of security controls for different information assets, based on risk and other considerations. This policy is

guided by security requirements specific to Transmit including compliance with applicable laws and regulations.

This policy applies to all Transmit assets utilized by personnel acting on behalf of Transmit or accessing its applications, infrastructure,

systems or data. All personnel are required to read, accept and follow all Transmit policies and plans upon starting and at least annually.

Information Security Communication

Please contact admin@transmit.live if you have any questions about the Transmit information security program.

People Security

Background Check

All Transmit personnel are required to complete a background check. An authorized member of Transmit must review each background check

in accordance with local laws.

Confidentiality

Prior to accessing sensitive information, personnel are required to sign an industry-standard confidentiality agreement protecting Transmit

confidential information.

Security Awareness Training

Transmit has a security awareness training program in place to promote the understanding of security policies and procedures. All personnel

are required to undergo training following initial employment and annually thereafter. Completion of the training program is logged by

Transmit.

Secure Coding

Transmit promotes the understanding of secure coding to its engineers in order to improve the security and robustness of Transmit products.

Physical Security

Clear Desk

Transmit personnel are required to ensure that all sensitive information in hardcopy or electronic form is secure in their work area when it is

unattended. This requirement extends to both remote and in-office work.

Transmit personnel must remove hardcopies of sensitive information from desks and lock the information in a drawer when desks are

unoccupied and at the end of the work day. Keys used to access sensitive information must not be left at an unattended desk.

Clear Screen

Transmit employees and contractors must be aware of their surroundings at all times and ensure that no unauthorized individuals have access

to see or hear sensitive information. All mobile and desktop devices must be locked when unoccupied. Session time-outs and lockouts are

enforced through technical controls for all systems containing covered information.

All devices containing sensitive information, including mobile devices, shall be configured to automatically lock after a period of inactivity (e.g.

screen saver).

Remote Work

Any Transmit issued devices used to access company applications, systems, infrastructure, or data must be used only by the authorized

employee or contractor of such device.

Employees or contractors accessing the Transmit network or other cloud-based networks or tools are required to use HTTPS/TLS 1.2+ at a

minimum to protect data-in-transit.

If you are in a public space, ensure your sight lines are blocked and do not have customer conversations or other confidential conversations. If

someone is close to you, assume they can see and hear everything. Connecting directly to a public wireless network that doesn't employ, at

minimum, WPA-2 or an equivalent wireless protocol is prohibited

While working at home, employees and applicable contractors should be mindful when visitors (e.g. maintenance personnel) are at their

residences, as visitors could become privy to sensitive information left up on computer screens.

System Access Security

Transmit adheres to the principle of least privilege, specifying that team members will be given access to only the information and resources

necessary to perform their job functions as determined by management or a designee. Requests for escalation of privileges or changes to

privileges and access permissions are documented and require approval by an authorized manager. System access is revoked immediately

upon termination or resignation.

Account Audits

Audits of access and privileges to sensitive Transmit applications, infrastructure, systems, and data are performed regularly and reviewed by

authorized personnel.

Password Security

Unique accounts and passwords are required for all users. Passwords must be kept confidential and not shared with anyone. Where possible,

all user and system accounts must invoke password complexity requirements specified in the Access Control and Termination Policy. All

accounts must use unique passwords not shared with any other accounts.

Rotation Requirements

If a password is suspected to be compromised, the password should be rotated immediately and the security team should be immediately

notified.

Storing Passwords

Passwords must only be stored using a Transmit approved password manager. Transmit does not hard code passwords or embed credentials

in static code.

Asset Security

Transmit maintains a Configuration and Asset Management Policy designed to track and set configuration standards to protect Transmit

devices, networks, systems, and data. In compliance with such policy, Transmit may provide team members laptops or other devices to

perform their job duties effectively.

Data Management

Transmit stores and disposes of sensitive data, in a manner that; reasonably safeguards the confidentiality of the data; protects against the

unauthorized use or disclosure of the data; and renders the data secure or appropriately destroyed. Data entered into Transmit applications

must be validated where possible to ensure quality of information processed and to mitigate the impacts of web-based attacks on the

systems.

Data Classification

Transmit defines the handling and classification of data in the Data Classification Policy.

Data Retention and Disposal Policy

The time periods for which Transmit must retain customer data depends on the purpose for which it is used. Transmit retains customer data

as long as an account is active, as needed to provide services to the customer, or in accordance with the agreement(s) between Transmit and

the customer. An exemption to this policy would include if Transmit is required by law to dispose of data earlier or keep data longer. Transmit

may retain and use customer data to comply with its legal obligations, resolve disputes, and enforce agreements.

Except as otherwise set forth in the Transmit policies, Transmit also disposes of customer data when requested by customers.

Transmit maintains a sanitization process that is designed to prevent sensitive data from being exposed to unauthorized individuals. Transmit

hosting and service providers are responsible for ensuring the removal of data from disks allocated to Transmit use before they are

repurposed or destroyed.

Change and Development Management

To protect against unauthorized changes and the introduction of malicious code, Transmit maintains a Change Management Policy with

change management procedures that address the types of changes, required documentation, required review and/or approvals, and

emergency changes. Changes to Transmit production infrastructure, systems, and applications must be documented, tested, and approved

before deployment.

Vulnerability and Patch Management

Transmit uses a proactive vulnerability and patch management process that prioritizes and implements patches based on classification. Such

classification may include whether the severity is security-related or based on other additional factors. Transmit schedules third party

penetration tests and/or performs internal assessments at least annually.

If you believe you have discovered a vulnerability, please email admin@transmit.live and Transmit will aim to address the vulnerability, if

confirmed, as soon as possible.

Environment Separation

As necessary, Transmit maintains requirements and controls for the separation of development and production environments.

Source Code

Transmit controlled directories or repositories containing source code are secured from unauthorized access.

Logging and Monitoring

Transmit collects & monitors audit logs and alerts on key events stemming from production systems, applications, databases, servers,

message queues, load balancers, and critical services, as well as IAM user and admin activities. Transmit manages logging solution(s) and/or

SIEM tool(s) to collect event information of the aforementioned systems and activities. Transmit implements filters, parameters, and alarms to

trigger alerts on logging events that deviate from established system and activity baselines. Logs are securely stored and archived for a

minimum of 1 year to assist with potential forensic efforts.

Logs are made available to relevant team members for troubleshooting, auditing, and capacity planning activities. System and user activity

logs may be utilized to assess the causes of incidents and problems. Transmit utilizes access control to prevent unauthorized access, deletion,

or tampering of logging facilities and log information.

When events and alerts are generated from monitoring solutions and mechanisms, Transmit correlates those events and alerts across all

sources to identify root causes and formally declare incidents, as necessary, in accordance with the Security Incident Response Policy and

Change Management Policy.

Additionally, Transmit utilizes threat detection solution(s) to actively monitor and alert on network and application-based threats.

Business Continuity and Disaster Recovery

Transmit maintains a plan for continuous business operations if facilities, infrastructure or systems fail. The plan is tested, reviewed and

updated at least annually.

Backup Policy

Backups are performed according to appropriate backup schedules to ensure critical systems, records, and configurations can be recovered in

the event of a disaster or media failure.

Security Incident Response

Transmit maintains a plan that defines responsibilities, detection, and corrective actions during a security incident. The plan will be executed

following the discovery of an incident such as system compromise, or unintended/unauthorized acquisition, access, use or release of non-

public information. The plan is tested, reviewed and updated at least annually.

Transmit utilizes various monitoring and surveillance tools to detect security threats and incidents. Early detection and response can mitigate

damages and minimize further risk to Transmit.

A message should be sent to admin@transmit.live if you believe there may be a security incident or threat.

Risk Management

Transmit requires a risk assessment to be performed at least annually. For risks identified during the process, Transmit must classify the risks

and develop action plans to mitigate discovered risks.

Vendor Management

Transmit requires a vendor security assessment before third party products or services are used confirming the provider can maintain

appropriate security and privacy controls. The review may include gathering applicable compliance audits (SOC 1, SOC 2, PCI DSS, HITRUST,

ISO 27001, etc.) or other security compliance evidence. Agreements will be updated and amended as necessary when business, laws, and

regulatory requirements change.

Privacy

Personal Data

Transmit personnel must treat personal data with appropriate security and handling and accommodate data subject requests, as required by

applicable laws and regulations. No unauthorized personnel should have access to personal data.

Exceptions

Transmit business needs, local situations, laws and regulations may occasionally call for an exception to this policy or any other Transmit

policy. If an exception is needed, Transmit management will determine an acceptable alternative approach.

Enforcement

Any violation of this policy or any other Transmit policy or procedure may result in disciplinary action, up to and including termination of

employment. Transmit reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in

any investigation of such activity. Transmit does not consider conduct in violation of this policy to be within an employee’s or contractor’s

course and scope of work.

Any employee or contractor who is requested to undertake an activity that he or she believes is in violation of this policy must provide a

written or verbal complaint to his or her manager or any other manager of Transmit as soon as possible.

The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security

policies and procedures, and any other security breaches.

Responsibility, Review, and Audit

Transmit reviews and updates its security policies and plans to maintain organizational security objectives and meet regulatory requirements

at least annually. The results are shared with appropriate parties internally and findings are tracked to resolution. Any changes are

communicated across the organization.

This document is maintained by Scott Young.

This document was last updated on 07/26/2022.