Security Policy.

Having considered the above Preliminary Matters and mutual agreements below, the Parties hereby agree as follows:

1. Cardholder Data Recommended Practices At a minimum, Provider should implement the practices set forth below:
   1. Provider should do the following:
      1. Maintain updated anti-virus software on all workstations engaged in credit card processing and remove any programs that the anti-virus software flags as potentially malicious.
      2. Restrict permission to install software on those computers to Provider’s business owner and/or trusted senior staff.
      3. Maintain up-to-date versions of operating systems (e.g., Microsoft Windows or Macintosh OS) and web browsers (e.g., Internet Explorer, Safari or Firefox), with all security updates and patches installed.
      4. Ensure that every individual that logs into the Services has a unique username and password that is known only by that individual.
      5. Only store credit card account numbers in encrypted credit card fields designed for that purpose.
      6. Destroy any hard copy documents that have Cardholder Data written on them.
   2. Provider should not do the following:
      1. Share the Provider’s account or password;
      2. Record Cardholder Data in notes, contact logs, or other unencrypted text fields within the Digital Properties;
      3. Record Cardholder Data in any locally installed software program, unless that program and Provider’s computer network meet all PCI requirements; or
      4. Email Guest’s credit card numbers, ask Guests to email credit card numbers to Provider, or record credit card track data.
2. Data Security At a minimum, Provider should implement the practices set forth below:
   1. Location and Backup. All Provider Data is located on secure servers, or backup directories that require access authentication.
   2. Firewalls. All secure servers are protected by multiple, redundant firewalls and intrusion detection and prevention systems that are regularly monitored and tested (details of firewall configuration are not shared publicly for maximum security).
   3. Encryption. TLS 1.2 or greater is employed to protect all data in transit across the internet.
   4. Qualified Security Assessor (QSA) Approved Scanning Vendor (ASV), delivers accurate vulnerability scanning and actionable reporting, that enables Xola to quickly rank risks and gauge compliance against PCI-DSS Standards. Vulnerability Assessments monitor the Xola network perimeter against threats to help protect Xola and our customers from hackers, data breaches, adware, spyware, pop-ups, browser exploits, and phishing attempts.
   5. PCI-DSS. Xola complies with the PCI DSS standards. We are dedicated to the six (6) PCI DSS best security practices for credit card protection, which include, but are not limited to:
      1. Maintaining a secure network;
      2. Protecting the Cardholder Data;
      3. Maintaining a Vulnerability Management Program;
      4. Implementing strong access control measures;
      5. Monitoring and testing production and development networks; and
      6. Maintaining an Information Security Program and policies.
   6. We recommend you adopt PCI DSS. Any merchant who accepts Visa, MasterCard, American Express, or Discover credit cards for payment is subject to the Payment Card Industry Data Security Standard (PCI DSS), which outlines credit card processing merchants’ responsibilities for the protection of Cardholder Data. We strongly recommend you follow the requirements of the PCI DSS when handling Cardholder Data. Please refer to the PCI DSS website for a complete list of all rules and restrictions that may apply: https://www.pcisecuritystandards.org/.
   7. Responsibility for Cardholder Data. If Provider uses the optional Integrated Merchant Account service to process payments, Xola is responsible for protecting Cardholder Data only after such Cardholder Data is encrypted and received by Xola’s server(s). Provider remains responsible for the proper handling and protection of Cardholder Data until such Cardholder Data is encrypted and received by Xola’s server(s).
3. Data Center SSAE 16 Type II and Type III Compliance Xola hosts Provider Data at multiple secure and redundant data centers in geographically diverse locations. Each data center is secured and monitored 24x7x365 by a staff of highly trained data center facility experts. The primary data center features:
   1. A Zone 4 earthquake-rated reinforced structure;
   2. Multiple redundant, enterprise switching hardware at every stage;
   3. A monitoring system providing real-time data on equipment operation, enabling instant identification of problems;
   4. Multiple paralleled N+1 UPS modules configured in redundant systems allow for A/B power configuration;
   5. 20 megawatts of expandable N+1 power backup utilizing generators;
   6. A Very Early Smoke Detection Alarm (VESDA) early smoke detection with pre-action dry pipe fire suppression systems;
   7. Multiple fiber route entrances to structures;
   8. Access control systems leveraging a biometric scan and personal identification number (PIN), with separate locks for all server cabinets; and
   9. The backup data center features the same facility specifications as the primary data center. The backup data center receives a backup of Provider data at least once per 24-hour period.
4. Physical and Personnel Security
   1. Physical Security Measures. Physical access to the primary data center and the backup data center is restricted by 24x7x365 on-site security and Network Operations Center staff. The facility is controlled by alarm systems with cameras on perimeter points of the building along with video and camera surveillance within the facility. Multi-level access authorization with man trap, biometric verification and security controlled access level assignments are used.
   2. Personnel Security Measures.
      1. Background Checks and NDA Agreements. Our technical or management personnel with access to Provider Data are subjected to background checks prior to hiring, and must sign non-disclosure and data security agreements that protect both Xola and Provider Data.
      2. Transfer Restrictions. Our personnel are not permitted to transfer Provider Data onto any hard drive, flash drive, mobile device, or other storage device, except those contained within either the primary data center or backup data center. Provider Data is not transferred to Xola corporate workstations.

Contact Us