Voxeo Privacy and Information Security Compliance Statements
Voxeo products and services are designed to meet the physical and technical standards of our customers, and to provide all necessary controls and
resources for our customers to maintain their own administrative security compliance standards. Specifically, Voxeo agrees to: Implement
administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the
electronic protected financial, healthcare, and business information that it creates, receives, maintains, or transmits on behalf of our customers.
Voxeo has implemented reasonable and appropriate safeguards to protect our customers' financial, healthcare, and business information. Voxeo agrees
to report to our customers any security incident of which it becomes aware within eight business hours of incident discovery.
Specifically, Voxeo products and services are designed to comply with:
- Gramm-Leach-Bliley Act 1999
- HIPAA
- ISO 17799
- Payment Card Industry (PCI)
Please read the sections below for specific compliance details for each of the above.
Contacting our Privacy and Security Compliance Officer
For questions or concerns regarding any of our information security compliance programs please contact:
Voxeo Privacy and Security Compliance Officer
189 S. Orange Avenue #2050
Orlando, FL 32801
Email: security@voxeo.com
Gramm-Leach-Bliley Act 1999 Compliance
Voxeo provides services to companies in the financial services industry, and as such has planned its internal controls and data security policies to
follow the standards laid out in section 314 of the Gramm-Leach-Bliley Act, specifically as it relates to standards for safeguarding customer
information. Voxeo maintains a comprehensive information security program that contains administrative, technical, and physical safeguards that are
appropriate to the nature of the non-public personal information that Voxeo handles.
Voxeo recognizes the objectives of section 501(b) of the Act, namely:
- To ensure the security and confidentiality of customer information;
- To protect against any anticipated threats or hazards to the security or integrity of such information; and
- To protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
As a result, Voxeo has designated an employee, the Security Compliance Officer, to coordinate its information security program. The Security
Compliance Officer's duties include:
- Identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could
result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assessing the sufficiency of any
safeguards in place to control these risks;
- Employee training and management;
- Assessing the security of network and software design, as well as information processing, storage, transmission and disposal;
- Ensuring personnel and systems are in place to detect, prevent and respond to attacks, intrusions, or other systems failures;
- Regularly testing the effectiveness of the safeguard key controls, systems, and procedures;
- Overseeing service providers;
- Evaluating and adjusting information security programs in light of the results of the testing and monitoring.
HIPAA Compliance
Voxeo realizes that our health care clients must comply with HIPAA patient information confidentiality requirements. Voxeo has implemented the
following HIPAA compliance steps:
- All Voxeo employees sign a confidentiality agreement. These agreements make it clear that we reserve the right to terminate any employee if they
cause a confidentiality breach. These confidentiality agreements also provide sanctions for employees as recommended by HIPAA.
- All patient-and-provider-specific information and electronic data that we receive or generate as a result of delivering our services is treated as
confidential. Access to such information is provided only to a limited set of Voxeo employees in our network operations team. Such electronic
data is stored only on secure servers which can be accessed only via a unique per-employee user name, password, and RSA SecurID two-factor
authentication token.
- Voxeo does not allow patient or provider information to be printed at any time.
- Voxeo does not share any patient or provider information with any of our vendors, clients, partners, contractors, or temporary or part-time
employees.
- Voxeo has a designated Privacy Officer. Our Privacy Officer has the responsibility for the development and implementation of Voxeo's information
security policies, procedures, and technology. Our Privacy Officer also works closely with Voxeo clients to understand their requirements and to
ensure Voxeo complies with them. Our Privacy Officer monitors the ongoing requirements of HIPAA and is designated to receive and address any
complaints related to privacy compliance.
- Voxeo has established secure logging and tracking mechanisms that document any access to protected healthcare information.
- Voxeo monitors the latest HIPAA news and legislation to ensure our compliance where required and as agreed upon with our clients.
- Voxeo has established training programs focused on our privacy policies to educate our employees on the appropriate care and handling of private
health care data as required by HIPAA mandates.
- Voxeo has established procedures to receive and resolve complaints, including a zero-tolerance policy and sanctions for employees who fail to comply
with privacy policies. We take non-compliance with our privacy policies very seriously.
- Voxeo has established a minimum of three layers of physical security at each of our data center facilities to further protect patient and provider
information.
ISO 17799 Compliance
Voxeo's products and services are designed to support the requirements of ISO 17799, the most widely recognized international security standard. ISO
17799 addresses ten major areas of information security, including: business continuity planning, system access control, system development and
maintenance, physical and environmental security, legal compliance, personnel security, organization, system and network management, asset control,
and security policies.
Payment Card Industry (PCI) Compliance
The Payment Card Industry (PCI) Data Security Standard is a worldwide standard for payment card and consumer financial data protection. It
incorporates the requirements of the Visa USA Cardholder Information Security Program (CISP) and the Visa International Account Information Security
(AIS) program, the MasterCard International Site Data Protection (SDP) program, as well as the security requirements of American Express DSS,
DiscoverCard DISC and the Japan Credit Bureau (JCB).
To be in compliance with this standard, all of our Internet connections, assigned IP addresses, and all Internet connected servers (Web, email, DNS,
etc.) must have no level 3, 4 or 5 severity vulnerabilities in their most recent security audit. Audits must be conducted at least every 90 days.
VISA and Mastercard now require all merchants to adhere to the PCI security standard.
Our compliance with PCI standards is certified by an approved PCI compliance scanning and auditing firm.
In order to maintain PCI Compliance certification, all publicly accessible internet devices and any associated domain(s) hosted on them must have
been audited within the past three months, and all vulnerabilities categorized as Urgent, Critical, or High severity (Level 3 or greater) must have
been corrected within 72 hours of their discovery.
Our sites are tested with industry-standard PCI Compliance remote vulnerability testing, and are tested at least every 90 days to pass
all external vulnerability audit recommendations of the Department of Homeland Security's National Infrastructure Protection Center (NIPC), the
SANS/FBI Top 20 Internet Security Vulnerabilities list, as well as the vulnerability audit requirements of Visa's CISP and AIS, MasterCard's SDP, American Express'
DSS and Discover Card's DISC security standards.