Security Terms SaaS Solution meets the confidentiality, integrity, and availability standards set by government agencies and enterprises. For more information on SaaS Solution’s best-in-class security and compliance program, please visit our Trust Center. Any terms not defined have the same definition ascribed to them in the Terms. 1. Regulatory Compliance Commvault’s Customers know their data! As such, our Customers are in the best position to ensure compliance with all laws and regulations governing Customer Data, including without limitation, obtaining consents from, and providing disclosures to, data subjects and end users with respect to data security and privacy. Commvault implemented reasonable security measures as described herein and in relevant documentation. 2. Confidentiality By the nature of Commvault’s services, Commvault and its Customers regularly share confidential, proprietary information with each other. “Confidential Information” means any and all information and material disclosed by one party (the “Discloser”) to the other party (the “Recipient”) including but not limited to Customer Data, trade secrets, know-how, inventions, techniques, processes, programs, ideas, algorithms, formulas, schematics, testing procedures, software design and architecture, computer code, internal documentation, design and functional specifications, product requirements, problem reports, performance information, documents, and other technical, business, product, marketing, customer, financial information, or any other information the Recipient knows or ought to is confidential due to its nature. Recipient shall hold all Confidential Information in strict confidence and take the same degree of care that it uses to protect its own confidential information (but in no event less than reasonable care) to protect the confidentiality thereof. Confidential Information does not include information that (i) is or becomes generally known by the public, (ii) was or becomes available to a party on a non-confidential basis from a person not otherwise bound by the Terms or is not otherwise known to be prohibited from transmitting the information, or (iii) is independently developed by the parties, provided that the party claiming an exception shall have the burden of establishing such exception. 3. Security Compliance 3.1 Security Measures. Commvault has implemented and will maintain a security program that leverages a combination of the ISO/IEC 27000-series of control standards, NIST 800-30/CSF, and Information Security Forum ISF best practices. Commvault represents and warrants that the SaaS Solution is compliant with CJIS controls, FIPS 1401-2, SOC 2 Type II and PCI. Commvault regularly tests, assesses and evaluates the effectiveness of its technical and organizational measures set forth below and performs annual penetration and security incident response testing on the SaaS Solution. Commvault partners with Microsoft Azure and Oracle for hosted storage. The technical and organizational measures set forth by Microsoft Azure can be found here and by Oracle here. 3.2 Physical Security. Commvault’s web applications, communications, and database servers are located in secure facilities with security measures including but not limited to: (i) access authorization and documentation for employees and third parties, (ii) regulation and restriction of physical and digital access credentials, (iii) maintaining electronically-locked doors and separate cages within facilities (e.g., production and development), (iv) logging, monitoring, and tracking access to all facilities with electronic and CCTV video surveillance by personnel, and (v) protecting all facilities with security alarm systems and user-related authentication procedures, including biometric authentication in some instances, and electronic access cards. 3.3 Technical Security. Commvault has implemented measures to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services. For our security and yours, we do not list these technical security measures publicly. For specific details, please contact us at SOC@commvault.com. 3.4 Organizational Security. Commvault has implemented organizational measures that limit employees’ access to data based on the scope of their roles and responsibilities and respective access permissions and authorizations. For our security we do not list these organizational security measures publicly. For specific details, please contact us at SOC@commvault.com. 3.5 Encryption. The SaaS Solution uses firewalls, zero-trust access controls, and encryption algorithms and keys to protect Customer Data, both in transit and at rest, and web-based access to account management interfaces by Commvault employees. Commvault uses end-to-end encryption of screen sharing for remote access, support, and real time communication. Integrity checks are conducted to monitor the completeness and correctness of the transfer of Customer Data. 3.6 Personal Data. Commvault has implemented an authorization policy for the input of personal data into memory, as well as the reading, alteration, and deletion of stored personal data including documentation and logging of material changes to account data and settings; segregation and protection of all stored personal data via database schemas, logical access controls and encryption; utilization of user identification credentials; physical security of data processing facilities; and session time outs. 3.7 Restricted Access. Commvault restricts access to Customer Data by individual appointment of system administrators; registration of access logs to the infrastructure securely retained; regular audits of system activity to assess compliance with assigned tasks, data controller’s instructions, and applicable laws, and maintenance of system administrators’ identification details (e.g. name, surname, function or organizational area) and responsibilities. 3.8. Business Continuity & Disaster Recovery Plan. Commvault has implemented measures to ensure Customer Data is protected from accidental destruction or loss by creating a business continuity and disaster recovery plan, maintaining global and redundant infrastructure, rapid failover capability, and full capacity disaster recovery sites and testing of disaster recovery centers. 3.9. Security Notification. Unless otherwise required by law, regulation or law enforcement, Commvault agrees to notify Customer of any Security Breach of Customer Data within seventy-two (72) hours following Commvault’s discovery thereof. “Security Breach” means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to unencrypted personal data.