Effective April 15, 2024

First Orion Corp. (“First Orion,” “we,” or “our”) is a business dedicated to using technology and data to give consumers tools to recognize and manage calls they receive and to help businesses reach the right people in a compliant manner. Our mission is to provide transparency and control in communication that empowers people to trust their phones again.

This Privacy Policy describes how we collect, use, and share your personal information. “Personal information” means any information that relates to an identified or identifiable individual. The Privacy Policy applies to information we collect when you use our website and in in connection with our products and services.

Our products and services include various features and functionality to tell you who is calling and why, identify and block calls from businesses who are likely scammers, do reverse telephone number lookups, file complaints and report call violations to the proper authorities, and have enhanced information displayed on your device about who is calling you and why. In addition, our Call Knowledge Suite helps companies verify to whom the phone number belongs, what type of line it is (wireless, landline or other), and whether a number is in service.

Your Rights as a Consumer

First Orion takes the privacy of personal information about individuals seriously. Under various federal and state laws, you have certain rights related to how your personal information is collected, used, disclosed, and sold. First Orion extends these privacy rights to anyone who is a resident of the United States or Canada. In addition, these rights apply differently to each line of business as described below. A general description of your rights is provided at the end of this Privacy Policy.

First Orion’s Customer Portal

First Orion’s Customer Portal located at https://portal.firstorion.com is a website that collects registration information and phone number information from businesses who register in order to provide various services offered through the Customer Portal.

The registration information includes information about the business entity that owns the phone number information and how to contact the registrant. The number information includes the telephone number itself and other descriptive information about the kinds of calls made by the number such as the registrant’s industry and the reason for their calls.

First Orion may obtain other information about registrants on the Customer Portal from third parties and combine it with information provided by the registrant to create a more accurate reflection of who is calling and why.

More information about the Customer Portal can be found at https://firstorion.com/first-orion-customer- portal-privacy-policy/.

First Orion’s Branded Communication solutions

First Orion’s INFORM® branded communication solutions available through the Customer Portal provide businesses who call you the ability to display enriched, branded, personalized information so you know more about who is calling and why they are calling so you are comfortable answering the call.

These solutions are provided through carriers and their service providers who are clients of First Orion. First Orion is a data processor for the calling party for these services. We also offer solutions that prevent spoofing by authenticating calls before they terminate in the carrier network. Our optional INFORM feature called Paired prevents a spoofed call from being branded, while SentryTM prevents spoofed calls from being delivered. These solutions require that the business provide the calling party number and called party numbers as part of a pre-call API request. Called party numbers received with the pre-call API request are immediately encrypted and the hashed value is stored only for the duration of the pairing.

Our ENGAGE® service allows a richer display of information that is not limited to the caller ID field. This service is provided as a feature of Apps you may download or have on your mobile device. For ENGAGE to function, you will need to allow the App to access your contacts so the ENGAGE delivery service can dynamically create a contact for incoming calls that display the enhanced information. We do NOT export any information from your contacts for any purpose. Once the enhanced call is delivered to your phone, the contact is automatically deleted.

The App also collects identifying information in the form of your phone number and uses it initially for identity validation purposes. We also use your phone number and other specifications about your device so we know where to deliver the enhanced information about the caller and to properly deliver the message in a compatible format.

Any personal information provided by a business in connection with its use of our Branded Communication services is stored in the USA and retained until it is no longer needed by our clients.

We do not sell any personal information obtained in connection with our Branded Communication services.

First Orion’s Communications Protection services

First Orion’s Communications Protection services provide business labels such as “Scam Likely” and “Telemarketer” to identify likely scammers and other types of callers to help you to avoid becoming a victim of phone fraud or being bothered by unwanted calls. In addition, these solutions offer various other features and functionality for you to block unwanted, private, or unknown calls, do reverse telephone number lookups, file complaints, and report call violations to the proper authorities.

You can take advantage of First Orion’s Communications Protection services in several ways. You can download the free First Orion PrivacyStar® App or you can access these features through your telecommunications carrier if they are a First Orion client. You can find our PrivacyStar App in the Google Play Store for Android devices or the App Store for iPhones.

Your phone number will be used for identity validation purposes and to know who to bill for fee-based services as well as to improve the functionality of our Apps and carrier services.

To provide this service, First Orion’s data scientists analyze information from your carrier and the App about the calls you receive and the actions you take (such as blocking a call or reporting a problem). We also collect and analyze identifying information (name, address, and phone number) about businesses from third parties, including carriers and data brokers, and publicly available government records to accurately identify business lines.

When you download the PrivacyStar® App, you will need to agree to several permissions so that it functions properly. The questions may vary depending on whether you are on an Android or iOS device since these operating systems function differently.

– Allow First Orion to make and manage phone calls?

This allows the App to launch a call from your detail screen when you touch the phone icon and to perform the other call management activities provided in the App such as identifying unknown callers, blocking calls, filing complaints, and receiving enhanced caller information about who is calling and why.

– Allow First Orion to access your contacts?

We want to assure that any incoming call from a number already in your contacts displays the name stored in your contacts on your device. We do NOT export outside the App any information from your contacts for any purpose.

– Allow First Orion to send and view SMS messages?

This allows the App to streamline the verification process that sends an SMS message when you first launch the App and to block SMS messages from the same numbers used to make scam calls. The App does not do anything else with SMS messages.

In the USA if you voluntarily choose to provide complaint information about calls you receive, this information will be provided to the appropriate government agencies including, but not limited to, the Federal Trade Commission (FTC), the Federal Communication Commission (FCC), and the Consumer Financial Protection Bureau (CFPB) to aid in their enforcement activities. We may also use complaint information to assist calling parties in understanding how individuals who are called view their calling practices and to better understand complaint and call block trends.

First Orion does not sell any personal information collected in connection with our Communications Protection services.

All personal information relative to our Communications Protection services is stored in the USA and retained for 12-18 months.

First Orion‘s Call Knowledge Suite

First Orion’s Call Knowledge Suite helps businesses reach the right people and the right companies in a compliant manner with products and services that provide information our clients need to comply with various telecommunication laws and regulations.

Our Call Knowledge Suite collects and sells information about a phone number (both consumer and business lines), including names and addresses, the status of the phone number (active or inactive), and other information about the line. This information is collected by First Orion from third parties, both carriers and data brokers, from our own research activities, and from publicly available government records.

Our clients, businesses, and data resellers use this information to verify contact numbers, know the type of line (landline or cell) so they can comply with various laws and regulations, and know whether a line is active or inactive so they won’t waste money trying to call it. In addition, we provide information when phone lines are ported from one carrier to another. We also identify businesses that our analytics show are likely scammers. Finally, we use this information internally to improve the functionality of our Apps and services.

You may opt out of the sale of your personal information in our Call Knowledge products by going to https://privacy.firstorion.com.

All personal information relative to our Call Knowledge Suite is stored in the USA and retained until the information is no longer accurate.

First Orion’s Corporate Website

First Orion has a corporate website that describes our lines of business and provides a link to this Privacy Policy which explains your rights relative to each line of business, how to contact us, and a link, privacy.firstorion.com, to opt out of the sale of your personal information from our Call Knowledge Suite of products and services.

Personal information collected on the First Orion website will help us deliver a better user experience. You may provide your identifying information including name, mailing address, phone number, email address, contact preferences, and commercial information relating to an inquiry or support issue. This enables us to give you convenient access to First Orion and helps us keep you posted on the latest product announcements, software or service updates, special offers, and events that you might like to hear about. It also allows us to respond to any concerns you may have voiced on the site or with our customer service department.

The information you provide related to an inquiry may be shared with one of our authorized resellers if your business better fits the reseller’s market focus. This is for the purpose of providing more relevant information about how our products and services are used and to provide better support if you need to know more about these offerings.

All personal information collected through the First Orion website is stored in the USA indefinitely.

Cookies and other technologies

As is standard practice on many corporate websites, First Orion uses “cookies” and other technologies to improve the user experience. These include the use of Google Analytics to study traffic patterns, to make the website user experience more rewarding as well as to study the effectiveness of our website user communications. How Google uses the data may be found at www.google.com/policies/privacy/partners/.

Information gathered using Google Analytics consists of counts of unique daily or monthly visitors, visitors by device type, location data, unique registrants, time on site, browser types, onboarding abandonment, channel, and existing user abandonment.

If you prefer not to enable cookies, certain features of the First Orion website or the First Orion Customer Portal may not be available once cookies are disabled.

First Orion may gather certain information automatically and store it in log files. This information includes Internet Protocol (IP) addresses, browser type, Internet Service Provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information, which does not

identify individual users, to analyze trends, to administer the site, to track users’ movements around the site, and to gather demographic information about our user base as a whole.

In some of our email messages we may use a “click-through URL” linked to other content. When users click one of these URLs, they pass through our web server before arriving at the destination web page. We may track this click-through data to help us determine interest in particular topics and measure the effectiveness of our communications. If you prefer not to be tracked simply avoid clicking text or graphic links in the email.

In addition, we may use pixel tags — tiny graphic images — to tell us what parts of our website users have visited or to measure the effectiveness of searches website users perform on our site.

Pixel tags also enable us to send email messages in a format that website users can read. And they tell us whether emails have been opened to ensure that we’re sending only messages that are of interest to our website users.

First Orion’s website has links to the sites of other companies. First Orion is not responsible for their privacy practices. We encourage you to learn about the privacy policies of those companies.

If you use a bulletin board, chat room, or blog on a First Orion website or App, you should be aware that any information you share is visible to other users. Personal information you submit to one of these forums can be read, collected, or used by other individuals for their purposes. First Orion is not responsible for the personal information you choose to submit in these forums. In addition, First Orion may, at its sole discretion, delete information from the bulletin board at any time.

First Orion does not sell any personal information collected in connection with our website.

Personal information stored in the United States may be accessed by courts, law enforcement, and national security authorities in the United States upon First Orion receiving a proper request.

How we protect your personal information

First Orion takes precautions — including administrative, technical, and physical measures — to safeguard your personal information against loss, theft, and misuse, as well as unauthorized access, disclosure, alteration, and destruction.

Children

We do not sell the personal information of a consumer if we know that the consumer is less than 16 years old unless the consumer, or the consumer’s parent or guardian if the consumer is between the ages of 13 and 16, has affirmatively authorized the sale of the consumer’s personal information. We do not knowingly collect personal information from children under 13 for marketing purposes. If a child under 13 submits personal information to First Orion via our website and we learn that that personal information is about a child under 13, we will delete the information as soon as possible.

Your State Law Privacy Rights

Several states have enacted laws governing the processing of personal information. To learn more about your rights under State Privacy Laws, please see the State Privacy Notice

Your EU and UK Privacy Rights

First Orion complies with applicable local privacy laws with regard to the collection and use of personal information received by First Orion in the US from the EU, UK and other countries.

Updates

First Orion reserves the right, at its sole discretion, to change, add, or remove portions of its Privacy Policy from time to time by posting the updated Privacy Policy and effective date. It is your responsibility to check this Privacy Policy periodically for changes.

Employees and Prospective Employees

First Orion’s Global HR Privacy Notice can be found at https://firstorion.com/hr-privacy-notice-global/

Privacy questions

If you have questions or concerns about this Privacy Policy or our information practices, please contact us at 1-877-640-4220, privacy@firstorion.com, or https://firstorion.com/contact-general/

First Orion Corp.
Attention: Legal Team
520 Main Street, Suite 400
North Little Rock, AR 72114 USA
© 2024 First Orion Corp. All rights reserved.

---

First Orion Customer Portal Privacy Policy

Last Updated: May 1, 2023

Version 1.1

First Orion’s Customer Portal located at https://portal.firstorion.com/ is a website provided by First Orion Corp., a business dedicated to using technology and data to give consumers tools to recognize and manage calls they receive and to help businesses reach the right people and is referred to in this Privacy Policy as the “Customer Portal.”

This Privacy Policy covers the collection, use, and disclosure of predominately business information, including identifying information about the registrant (“Registration Information”), information about the telephone numbers the registrant uses to make calls (“Number Information”), the services provided to businesses that utilize the Customer Portal and the technologies used by the Customer Portal.

All other obligations governing the information registrants provide on the Customer Portal and the use of the Customer Portal are set forth within the First Orion Terms of Service (the “Terms”) posted for and applicable to the Customer Portal. The Terms can be found at https://firstorion.com/first-orion-customer-portal-terms-of-service/.

What information First Orion collects

The Customer Portal collects Registration Information and Number Information from registrants in order to provide various services offered through the Customer Portal.

The Registration Information includes information about the responsible business entity who owns the Number Information and how to contact them. The Number Information includes the telephone number itself and other descriptive information about the kinds of calls made by the number such as industry and reason for the call.

First Orion may obtain other information about registrants on the Customer Portal from third parties and combine it with information provided by the registrant to create a more accurate reflection of who is calling and why.

First Orion may transmit Registration Information and Number Information to or from the United States for processing, storage or other purposes related to supporting the Customer Portal.

How information First Orion collects is used

The Customer Portal provides access to several services which provide greater transparency to the called party about who is calling them and why.

The basic service provides protection for the registrant’s communications against fraud. The service uses First Orion’s proprietary analytics to identify suspicious calls as possible scams or nuisance calls. The basic service also identifies scam calls from numbers legitimately used only for inbound calls (“Do Not Originate” or “DNO” numbers) when these numbers are fraudulently used for outbound calls. When registering with the Customer Portal, this basic scam protection service is free.

Additional services provide registrant with branded communication solutions such as the opportunity to display up to 32 characters in the caller ID field to provide more information about who is calling and why. These services are provided by First Orion for a fee.

When we disclose Registration Information and Number Information

To help us provide an accurate and more transparent experience for the called party, Registration Information and Number Information may be shared with legal entities within the First Orion group globally who will take steps to safeguard it in accordance with the Terms.

There are also times when it may be appropriate for First Orion to make certain Registration Information and Number Information available to companies that First Orion has a relationship with or that perform work for First Orion with regard to the Customer Portal or to provide call management functions on our behalf. These companies may help us process information, fulfill orders, deliver applications and other services to the registrant, manage and enhance data, provide customer service, assess the registrant’s interest in our applications and services, conduct customer research or satisfaction surveys or offer registrants additional related products and services’.

At times, we may be required by law or litigation to disclose Registration Information and Number Information. We may also disclose Registration Information and Number Information if we determine that for national security, law enforcement, or other issues of public importance, disclosure is necessary. If First Orion is involved in a business transaction, such as a merger, acquisition or sale of all or a portion of its assets, Registration Information and Number Information will likely be among the business assets transferred. Registrants will be notified by email or prominent notice via the Customer Portal of such change in ownership as well as any choices registrants may have regarding this information.

How we protect Registration Information and Number Information

First Orion takes precautions — including administrative, technical, and physical measures — to safeguard Registration Information and Number Information against loss, theft, and misuse, as well as unauthorized access, disclosure, alteration, and destruction.

Cookies and other technologies

As is standard practice on many corporate websites, the Customer Portal may use “cookies” and other technologies to help us understand which parts of the Customer Portal are the most popular, where our visitors are going, and how much time they spend there. We may use cookies and other technologies to study traffic patterns on the Customer Portal in order to make it even more user friendly as well as to study the effectiveness of our user communications. And we may use cookies to customize the user’s experience and provide greater convenience each time a user interacts with the Customer Portal. This includes the use of Google Analytics to study traffic patterns to make the user experience more rewarding as well as to study the effectiveness of our user communications. How Google uses the data may be found at www.google.com/policies/privacy/partners/. Information gathered using Google Analytics consists of counts of unique daily or monthly visitors, visitors by device type, location data, unique registrants, time on site, browser types, onboarding abandonment, channel, and existing user abandonment.

If a registrant prefers not to enable cookies, certain features of the Customer Portal may not be available once cookies are disabled.

The Customer Portal may gather certain information automatically and store it in log files. This information includes Internet Protocol (IP) addresses, browser type, Internet Service Provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information, which does not identify individual users, to analyze trends, to administer the site, and to track users’ movements around the Customer Portal.

In addition, we may use pixel tags — tiny graphic images — to tell us what parts of the Customer Portal users have visited or to measure the ease of use for visitors.

Pixel tags also enable us to send email messages in a format that users can read. And they tell us whether emails have been opened to ensure that we are sending only messages that are of interest to our users.

We also use Hotjar in order to better understand our users’ needs and to optimize the Customer Portal experience. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our Customer Portal and services with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

Updates

First Orion reserves the right, at its sole discretion, to change, add or remove portions of this Privacy Policy from time to time by posting an updated Privacy Policy and applicable effective date. It is a user’s responsibility to check this Privacy Policy periodically for changes.

Privacy questions

If a registrant has questions or concerns about this privacy policy or its information practices, contact us at https://firstorion.com/contact/ or send paper mail to:
Attention: Privacy
First Orion Corp.
520 Main Street, Suite 400
North Little Rock, Arkansas 72114 USA

© 2023 First Orion Corp. All rights reserved.
First Orion Corp., 520 Main Street, Suite 400, North Little Rock, Arkansas 72114, USA.

First Orion Security Overview

Highlights of First Orion’s Security Policy v3.4
June 2023

1.0 Introduction, Scope & Applicability

This document provides a high-level overview of First Orion’s Security Policy and is intended as a vehicle for sharing information regarding our security posture and approach with partners, clients and prospects.

These policies apply to all First Orion employees, contractors, sub-contractors, vendors, and entities employed to perform work or process information on behalf of First Orion that have access to the corporate network of First Orion.

First Orion’s security program follows industry best practices and guidelines established by National Institute of Standards and Technology (NIST) publications. First Orion has also received ISO 27001:2013 certification for its Information Security Management System (ISMS).

2.0 Roles and Responsibilities

All employees and company officers must comply with the Security Policy and report any suspected policy violation.

Our Security Policy describes the roles and responsibilities of the Chief Security Officer, the Chief Privacy Officer, the Chief Legal Officer, the Chief Marketing Officer, the Chief Human Resources Officer, the Chief Technology Officer, and the Chief Information Officer.

3.0 Security and Privacy

Security and privacy are at the core of First Orion’s business, products, and solutions. When developing applications and solutions, First Orion employees, contractors, and vendors must take necessary steps to include security and privacy considerations from inception. This includes techniques to minimize attack surface area, employ appropriate defaults, apply principles of least privilege, defense in depth and design our systems to fail securely.

Our Privacy by Design approach addresses global standards for the collection, use and disclosure of personal information while complying with all legal requirements and best practices related to transparency and choice, access and control, and data minimization. This approach also complies with any applicable trans-border data flow obligations.

First Orion’s product managers, supported by the Chief Privacy Officer and Chief Security Officer, perform Project Risk Impact Assessments (PRIAs) aka Data Protection Impact Assessments (DPIAs) and Security Impact Assessments (SIAs) any time there is a product release, change to the product, or change in the law that results in changes to how the product collects, uses, or transfers personal information.

4.0 Cloud Computing

First Orion inherits the security controls pertaining to its cloud providers’ physical, environmental, media protection, and business continuity when operating inside those cloud environments. However, security and compliance are a shared responsibility and can only be achieved when First Orion also takes measures to secure its deployments in cloud-based environments.

Information regarding cloud-based security and compliance can be found in their respective Security and Compliance centers online.

First Orion employees are prohibited from using third-party software as a service, social networks, cloud services or other web applications for official First Orion business, unless authorized to do so.

5.0 Secure Email Communication

First Orion email accounts should be used primarily for First Orion business related purposes. All First Orion data contained within an email message or an attachment must be secured according to the data classifications in the Data Management Policy.

First Orion monitors all messages and utilizes methods to detect phishing, fraud, or malware on the incoming or outgoing messages. However, employees and vendors are still required to screen email and be able, through security awareness training, to discern legitimate communication from potentially hazardous communication.

6.0 Encryption and Hashing

First Orion has designated acceptable hashing algorithms for storing passwords in accordance with the Security Policy.

Acceptable protocols and encryption algorithms are also defined for client to site VPN connectivity, site to site VPN connectivity, and wireless network connectivity.

Data transport is performed using acceptable transport layer security protocols and cypher suites.

7.0 Asset Management

First Orion defines an information asset as any application, system, device, or other component of its environment that supports business critical activities. Information assets include, but are not limited to, data, software, physical and virtual assets that should be protected to ensure confidentiality, integrity, and availability of key information.

An inventory of information assets will be maintained by First Orion with identified owners responsible for classification, security, and proper handling of assets. Classification of assets should be based on criticality. Data stored by the asset should be classified as defined by First Orion’s Data Management Policy.

Prior to disposal and destruction, information assets will first be sanitized, purged, or destroyed according to NIST guidelines.

8.0 Standard Configuration Hardening and Data Loss & Leak Prevention (DLP)

System or configuration hardening occurs prior to deployment of new systems, applications, or processes, as well as periodically reviewing common system hardening templates.

First Orion may monitor the network, systems, applications, or processes for proper use of data in any state – in motion, at rest, or in use, in accordance with the Security Policy and Data Management Policy.

No computer, digital media storage device, or technology equipment may be repurposed or sold, without going through disposal or digital sanitization processes, which may include physical destruction.

9.0 Change Management

First Orion maintains a change management policy and process to ensure that security related releases, updates, and patches are installed on all applicable systems in a reasonable time to minimize exposure to known risk factors.

10.0 Vulnerability Management

Vulnerability Management is intended to allow First Orion to (a) identify computer system security weaknesses; (b) prioritize assets; (c) assess, report, and remediate the weaknesses; and (d) verify that they have been eliminated.

First Orion will perform periodic vulnerability assessments of production systems.

First Orion will conduct application penetration testing of all new applications prior to release into production and any applications that under-go major revisions.

First Orion will also conduct static code scanning of all new applications, code, or code changes. Static code vulnerability findings will be resolved prior to application or code release.

Source code shall be treated and classified as proprietary and its use shall be governed according to data classification policy, unless said code has been specifically classified otherwise. The Chief Technology Officer shall maintain coding standards utilized by First Orion. All employees or vendors working on source code must abide by these coding standards.

11.0 Logging and Audit Trails

First Orion maintains an audit trail on all network, security and other electronic devices, servers, and applications where technically feasible or required by law or policy. Audit and security logs are confidential business records and are treated as such. Whenever technically feasible, logs are to be encrypted or hashed at rest and in transit.

12.0 Identity, Password, and Access Management

First Orion networks require users to authenticate themselves prior to allowing access using multi factor authentication. All information processing systems and networks that employ passwords are enabled to adhere to a set of minimum controls that include processes for changing the password, enforcing password standards and change requirements. All systems and applications track login and audit information.

13.0 Network & Data Security

Limited Access to Network Services

In deploying the principles of least privilege, First Orion allows only authorized access for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks. Practices are implemented that establish effective authentication processes applicable to First Orion’s private networks. Furthermore, no mechanisms or facilities may be implemented or utilized that bypass established First Orion network access facilities.

Wireless Network Security

Employees may connect to First Orion wireless networks at work and/or public or private access-points to conduct official business. Any communication data transmitted (web, email, voice, or messaging) is to be encrypted during transport regardless of wireless network encryption protocol or wireless network location.

First Orion designs and operates employee and guest wireless networks in accordance with our wireless network standards.

Bring-Your-Own-Device (BYOD) and Internet of Things (IoT)

Personal computer, mobile, BYOD or IoT devices not owned and managed by First Orion are not allowed on First Orion corporate network. Employee-owned personal devices, such as mobile cellphones, tablets or laptop computers are allowed on the First Orion guest wireless network subject to IT approval.

14.0 Anti-Malware Protection

All employees, service providers, vendors, subcontractors, and such entities are required to have anti-malware protection on their computing devices of sufficient functional effectiveness and currency to provide protection to First Orion.

15.0 Physical Security

First Orion employees are responsible for the safety of the electronic equipment assigned to them. Workstations, laptops, tablets, and phones are secured according to the Security Policy. Certain designated software or hardware is not allowed on the First Orion network, workstations, servers, or mobile devices.

Employees must ensure that all Restricted or Sensitive information in hardcopy or electronic form is secure in their work area and is locked up when the workspace is unoccupied.

Printouts containing information classified other than Public should be immediately removed from the printer. All documents destined for disposal should be placed in the locked confidential disposal bins. Whiteboards containing Restricted and/or Sensitive information should be erased.

Doors that require badged access shall not be kept open at any time. Employees must badge in at any time they cross through a controlled access point. Badge surfing or trailing behind authorized employees who badged through a door is not allowed.

All non-First Orion employees accessing First Orion property shall be considered visitors. The First Orion employee hosting the visitor shall notify reception/front desk when a visitor is scheduled to be at a First Orion site. All visitors must register with reception. Visitors must provide a valid, non-expired, government issued identification, such as driver’s license or passport. Visitors will be escorted at all times while remaining within First Orion facilities, excluding designated restrooms and areas designated for visitors.

16.0 Backup & Disaster Recovery

First Orion solutions shall be documented, and the documentation, configuration files, and programs required for the solution must be backed up to allow for disaster recovery or rapid redeployment. Documentation and deployment plans are updated annually or at any time a new version of deployment is released.

Whenever possible, hosted systems or applications shall be distributed across multiple availability zones and/or regions to allow continuous business processing without a centralized point of failure. Systems or applications that are not distributed across multiple regions or availability zones or are incapable of fault tolerance (example: losing a region or processing center) shall have a documented business continuity plan, and an assigned team performing annual business continuity testing.

In an event of a disaster, a disaster incident team led by a product manager who will be responsible in coordinating communication to the affected stakeholders shall be formed to restore services.

17.0 Incident Management & Response

First Orion maintains various incident response teams. These teams consist of First Orion employees, vendors, and contractors tasked with investigating, containing, and managing incidents.

The Chief Security Officer is responsible for coordinating the investigation and leading the Incident Response Team, notifying, and keeping executive leadership apprised of the status of the incident, and notifying, as required by law, the appropriate authorities.

The Chief Security Officer, in conjunction with the Chief Privacy Officer, the Chief Legal Officer, and public relations team will coordinate disclosure and make necessary announcements.

18.0 Vendor Selection and Management

All vendors, contractors, subcontractors, entities, companies, or individuals hired to process data, do work on behalf of First Orion, or access First Orion’s data, network or facilities are subject to screening – which may exceed screening usually performed on First Orion’s own new hires.

Vendors, contractors, and subcontractors must comply with First Orion’s Security Policy and maintain their own security policy that matches or exceeds First Orion’s Security Policy relative to the work performed.

19.0 Security Awareness & Training

The Chief Security Officer will conduct annual security and compliance awareness training in coordination with human resources. Employees are required to review and acknowledge they have read the latest security policy at the time of hire, and yearly thereafter for the duration of their employment.

The Chief Security Officer and/or executive management will communicate the Security Policy and any policy changes to employees and applicable contractors as needed to support the ISMS program.

20.0 Compliance and Exceptions

Failure to comply with the Security Policy and associated policies, standards, guidelines, and procedures may result in disciplinary actions up to and including termination of employment or contracts.