Security Overview

ActiveDisclosure is a highly secure environment leveraging advanced security capabilities to help protect clients’ most sensitive financial data against today’s security threats.

Our systems, processes and experts leverage numerous tools to secure our clients’ data:

- SOC 2 Type II audits
- Data is encrypted end-to-end while in transit via TLS v1.2
- AES 256-bit encryption used to protect data at rest
- AES 256-bit encryption used to protect database files
- Fully supported Multifactor Authentication and customer Single Sign-On (SSO) integration
- Static and Dynamic Application Security Testing technologies (SAST/DAST) are integrated into DFIN’s software development cycles to identify security risks prior to releases
- Azure Key Vault used for key storage
- Comprehensive, ongoing vulnerability scans are conducted across all applications to quickly identify and mitigate cyber vulnerabilities
- Use of next-gen antivirus and antimalware technologies
- Commitment to GDPR and other data protection regulations
- Annual third-party penetration testing with each finding’s remediation effort independently validated
- Extensive employee security awareness and training
- Rigorous governance and compliance controls

Product Security Overview

AD SOC 2 Type II
- Annual ActiveDisclosure SOC 2 Type II audit and report

Global Capital Markets
- Annual Global Capital Markets SOC 2 Type II audit and report

AICPA Trust Service Principles
- Rigorous governance program is in place leveraging the AICPA Trust Service Principles of Security, Availability, and Confidentiality

Application Security

Encryption
- Data transmission is encrypted while in transit via TLS v1.2
- Static and Dynamic Application Security Testing technologies
- AES 256-bit encryption is used to protect data while at rest
- AES 256-bit encryption is used to protect database files

Identity Access Management
- Multifactor Authentication and customer Single Sign-On integration fully supported
- Azure Key Vault used for key storage
- Zero Trust internal system
- Privileged Access Management
- Identity Lifecycle automation implemented internally

Threat Management
- Performed continuously, leveraging state-of-the-art threat management tools

Penetration Testing
- Annual third-party Penetration Testing for independent verification of ActiveDisclosure’s security posture
- Findings are reviewed and resolved according to DFIN policy
- The third party is brought back to validate that the remediation was effective
- Executive Summary reports are available for client review

Application Development

Code reviews
- Performed multiple times throughout the development process
- Rigorous QA Testing process is in place to identify potential issues early in the development process, including SAST and DAST testing

SDLC and Continuous Integration / Deployment
- DFIN embraces modern Software Development Life Cycle (SDLC) and Continuous Integration & Continuous Deployment (CI/CD) best practices aligned to a multi-environment (Integration, Quality Assurance, Staging, and Production) release promotion process

Infrastructure
- Comprehensive Network Infrastructure Security controls are in place (firewalls, IDS & IPS, logging, and security monitoring)

Oversight
- Regular network and server vulnerability scans
- Regular OS patching (Microsoft security patches are applied each month)
- Regular backup schedule
- Hosted in Microsoft Azure

DFIN Security Team
- Led by Dannie Combs, SVP, Chief Information Security Officer
- Enterprise Security team supporting Security Incident and Response, Application Security, Network Security and Security Governance, Risk and Compliance, further supporting:
  - The use of security tools and utilities to scan and monitor DFIN assets
  - Security Response Team and process in place to address any potential vulnerabilities or events
  - Security monitoring and logging
  - Policy management: comprehensive policies including Information Security Policy and Security Awareness annual employee training
  - Cybersecurity incident response
  - Frequent, ongoing employee training programs and best practices

We can provide additional information, including our SOC 2 Type II report, once a Non-Disclosure Agreement is signed.

Talk to an expert or call +44 203 047 6100