Voxeo Privacy and Information Security Compliance Statements
Voxeo products and services are designed to meet the physical and technical standards of our customers, and to provide all necessary controls and resources for our customers to maintain their own administrative security compliance standards. Specifically, Voxeo agrees to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected financial, healthcare, and business information that it creates, receives, maintains, or transmits on behalf of our customers.
Voxeo has implemented reasonable and appropriate safeguards to protect our customers' financial, healthcare, and business information. Voxeo agrees to report to our customers any security incident of which it becomes aware within eight business hours of incident discovery.
Specifically, Voxeo products and services are designed to comply with:
- Gramm-Leach-Bliley Act
- HIPAA
- ISO 27002
- Payment Card Industry (PCI)
Please read the sections below for specific compliance details for each of the above.
Contacting our Privacy and Security Compliance Officer
For questions or concerns regarding any of our information security compliance programs please contact:
Voxeo Privacy and Security Compliance Officer
189 S. Orange Avenue
10th Floor
Orlando, FL 32801
Email: security@voxeo.com
Gramm-Leach-Bliley Act Compliance
Overview
The Gramm-Leach-Bliley Act (GLBA) addresses the privacy of "nonpublic personal information" handled by financial institutions. Voxeo is not "significantly engaged" in providing financial products or services to customers or consumers. As defined by the GLBA, Voxeo is not considered a financial institution and is therefore not required to comply with the privacy obligations the GLBA imposes on financial institutions. We do, however, receive "nonpublic personal information" from customers that are financial institutions. The GLBA limits our use of that information.
Compliance Statement
Voxeo's Use of Nonpublic Personal Information Received from Our Customers
To protect Nonpublic Personal Information, our customers have the option to host their applications within our secured network, which is compliant with industry standards (including PCI). Our access to data processed there is limited to providing services for our customers. We never access, use or disclose Nonpublic Personal Data contained in the secured network for our own purposes except as necessary to comply with legal requirements or processes.
Privacy and Security of Data
While our customers are responsible for their own application security, we provide platform-level options to support common application security requirements. We also provide a highly secure environment as an option for their hosting needs. This environment is based upon a PCI-compliant Walled Garden network infrastructure. Access to this network is managed by a stringent set of policies, procedures and physical and logical controls. Since the data contained within belongs to our customers, our only need to access it is for purposes of supporting our customer. We limit this access to certified personnel with a specific need.
All of our certified personnel receive annual Security Awareness Training and sign an Information Security Policy agreement that includes the scope of customer data. We also conduct background checks on personnel before they are hired.
HIPAA Compliance
Voxeo realizes that our health care clients must comply with HIPAA patient information confidentiality requirements. Voxeo has implemented the following HIPAA compliance steps:
- All Voxeo employees sign a confidentiality agreement. These agreements make it clear that we reserve the right to terminate any employee if they cause a confidentiality breach. These confidentiality agreements also provide sanctions for employees as recommended by HIPAA.
- All patient- and provider-specific information and electronic data that we receive or generate as a result of delivering our services is treated as confidential. Access to such information is provided only to a limited set of Voxeo employees in our network operations team. Such electronic data is stored only on secure servers which can be accessed only via a unique per-employee user name, password, and RSA SecurID two-factor authentication card.
- Voxeo does not allow patient or provider information to be printed at any time.
- Voxeo does not share any patient or provider information with any of our vendors, clients, partners, contractors, or temporary or part-time employees.
- Voxeo has a designated Privacy Officer. Our Privacy Officer has the responsibility for the development and implementation of Voxeo's information security policies, procedures, and technology. Our Privacy Officer also works closely with Voxeo clients to understand their requirements and to ensure Voxeo complies with them. Our Privacy Officer monitors the ongoing requirements of HIPAA and is designated to receive and address any complaints related to privacy compliance.
- Voxeo has established secure logging and tracking mechanisms that document any access to protected healthcare information.
- Voxeo monitors the latest HIPAA news and legislation to ensure our compliance where required and as agreed upon with our clients.
- Voxeo has established training programs focused on our privacy policies to educate our employees on the appropriate care and handling of private health care data as required by HIPAA mandates.
- Voxeo has established procedures to receive and resolve complaints, including a zero-tolerance policy and sanctions for employees who fail to comply with privacy policies. We take non-compliance with our privacy policies very seriously.
- Voxeo has established a minimum of three layers of physical security at each of our data center facilities to further protect patient and provider information.
ISO 27002 Compliance
Voxeo's products and services are designed to support the requirements of ISO 27002, the most widely recognized international security standard. ISO 27002 addresses ten major areas of information security, including: business continuity planning, system access control, system development and maintenance, physical and environmental security, legal compliance, personnel security, organization, system and network management, asset control, and security policies.
Payment Card Industry (PCI) Compliance
The Payment Card Industry (PCI) Data Security Standard is a worldwide standard for payment card and consumer financial data protection. It incorporates the requirements of the Visa USA Cardholder Information Security Program (CISP) and the Visa International Account Information Security (AIS) program, the MasterCard International Site Data Protection (SDP) program, as well as the security requirements of American Express DSS, DiscoverCard DISC and the Japan Credit Bureau (JCB).
To be in compliance with this standard, all of our Internet connections, assigned IP addresses, and all Internet-connected servers (Web, email, DNS, etc.) must have no level 3, 4 or 5 severity vulnerabilities in their most recent security audit. Audits must be conducted at least every 90 days.
VISA and Mastercard now require all merchants to adhere to the PCI security standard.
Our compliance with PCI standards is certified by an approved PCI compliance scanning and auditing firm.
In order to maintain PCI Compliance certification, all publicly accessible Internet devices and any associated domain(s) hosted on them must have been audited within the past three months, and all vulnerabilities categorized as Urgent, Critical, or High severity (Level 3 or greater) must have been corrected within 72 hours of their discovery.
Our sites are tested with industry-standard PCI Compliance remote vulnerability testing, and are tested at least every 90 days to pass all external vulnerability audit recommendations of the Department of Homeland Security's National Infrastructure Protection Center (NIPC), the SANS/FBI Top 20 Internet Security Vulnerabilities list, as well as the vulnerability audit requirements of Visa's CISP and AIS, MasterCard's SDP, American Express' DSS and Discover Card's DISC security standards.