1. Benefits of the Platform Approach to Security

Secure-by-design architecture based on the shared responsibility model.

Framer is responsible for security of the cloud (global infrastructure).

Share-Holder is responsible for security in the cloud (the SaaS platform).

Customers are responsible for what goes in the cloud (your data, your users). Unified governance and compliance across the platform.

Share-Holders Security Program is based on the NIST Cybersecurity Framework and Share-Holder follows ISO/IEC 27001 standards.

2. The Shared Responsibility Model

Security and compliance is a shared responsibility between Share-Holder and its customers. Share-Holder manages the overall application infrastructure and customers manage the end-user security and access control to their individual system.

Customers should have controls in place to restrict access to the individuals for whom account access is required. Controls should include:

• approving individuals for access to accounts prior to setting up users in the system.

• revoking users’ log-in credentials when user access is no longer required or if user authentication credentials or other sensitive information has been compromised.

4. Share-Holder Responsibility

In addition to the physical and hardware security that Framer provides, Share-Holder also has a robust information security environment to ensure that the confidentiality, integrity and availability of customer data meets high standards and customer expectations.

Customer Responsibility

Customers share the responsibility of not only keeping their data secure, but also complying with applicable regulatory or privacy laws.

• Customers have full ownership of their user access controls.

• Customers manage their entire data input.

• Customers determine who can access their data.

5. Platform Capabilities for Customer Responsibilities

The platform includes capabilities to assist customers in their responsibility for managing end-user system access:

• Enforce strong passwords

• Configure password expiry

• Configure session timeout

• Challenge user accounts after multiple failed logins

• Easily delete or suspend user accounts

• Specifically identify permissible user IP addresses

• Use activity tracking to log access and system use

6. Regional Availability and Data Protections

Share-Holder is available in multiple regions to give customers options for where their data is stored, and to enable them to comply with data privacy location requirements.

7. Regional Data Storage

Data is stored and replicated across state-of-the-art data centers operated by Framer. Upon system setup, your platform data is stored in the data center region associated with the address listed in your Order Form. You may choose an alternative storage region to suit your physical, legal, security, or performance needs.

Data is encrypted during transmission and at rest (AES-256) within the regional data storage facility. All platform customer data, including data in backups, are stored exclusively in the single hosting region.

Data and Service Redundancy

All regional equipment is fully redundant, and data is replicated or backed-up to alternate regional locations in case of failure.

In addition to this real-time redundancy, we back up all customer data, including field data and attached documents that are stored in your account within the system. A full backup of the entire system database is run daily and retained for a one-year period.

Backups are kept for the purpose of restoring data integrity due to systemic or database failure, but not for the purpose of restoring user deleted data. As long as your subscription is active, your data will be backed up.

8. Data ownership

Customers own their data completely and are responsible for setting retention spans and for deleting unwanted content during the subscribed service and up to 30 days after termination or expiry of their subscription. Customers have a responsibility of ensuring their data is compliant with applicable policies, regulations, and laws. Share-Holder has the responsibility of ensuring the platform hosting customer data is secure.

Customers have several ways (authorized managers or administrators) to extract data at any time.

9. Terminating subscriptions

When you choose to terminate your subscription, Share-Holder will extend access to the system for an additional 30 days to copy or extract any data you wish to retain. Once you have extracted your data, you have the full ability and responsibility to delete any or all your remaining data in the system.

Upon written request, Share-Holder will destroy the customer system and all data content after the extract process. If 90 days has passed without written request to destroy the customer system, Share-Holder reserves the right to destroy the customer data to regain system resources.

10. Service Resiliency

Share-Holder is committed to delivering a world-class customer experience. Engineering teams actively monitor the platform for availability and performance to a 99.5%+ average uptime. To access current system status page please visit: https://Share-Holder.org/status/.

Share-Holder maintains a disaster recovery plan. While the customer impact of a physical or environmental threat to its corporate headquarters is considered low (since the vast majority of internal tooling is cloud-based), Share-Holder personnel's safety and availability is mission critical.

The maximum acceptable length of data loss for the platform (recovery point objective or RPO) is one hour, even in the event of disaster. Therefore, backup intervals are configured to allow for loss of customer data of one hour or less, depending on the time of system failure.

The targeted duration of time and a service level within which service must be restored after a disaster (recovery time objective or RTO) is currently 24 hours.

11. Data Privacy

Customer data is considered confidential information and is handled securely by Share-Holder personnel. Customer data is never copied to assets outside the production environment, including employee laptops.

Any troubleshooting that needs to be performed on customer data is performed in the customer’s environment. When Share-Holder personnel need access to a customer environment, a ticket is generated indicating that Support accessed the instance, why the interaction was necessary, and what work was performed.

Actions by Share-Holder personnel on a customer’s system are limited to resolving the customer needs, and nothing more. Once a customer is satisfied with the result, and the ticket is closed, access is removed. Share-Holder collects only the minimum personally identifiable information necessary from your licensed users for purposes of account set-up, access to product resources, and system administration.

12. Compliance

Platform Compliance

Share-Holder follows ISO/IEC 27001 standards to keep information assets secure by implementing an Information Security Management System (ISMS). This provides a systematic approach for managing risk across Share-Holder staff, processes, and IT systems.

Shared Management Model

Cloud computing is fundamentally different from traditionally on-premises computing. In the traditional model, organizations are typically in full control of their technology infrastructure located on-premises (e.g., physical control of the hardware, and full control over the technology stack in production). In the cloud, organizations leverage resources and practices that are under the control of the cloud service provider, while still retaining some control and responsibility over other components of their IT solution. As a result, managing security and privacy in the cloud is often a shared responsibility between the cloud customer and the cloud service provider. The distribution of responsibilities between the cloud service provider and customer also varies based on the nature of the cloud service (IaaS, PaaS, SaaS).

13. Platform Security Controls

Share-Holders Platform security is founded on the controls that are built into the service to protect customer data. Management regularly assesses risk, monitors the controls, evaluates potential threats, and uses this information to update the controls framework from policies and procedures to encryption protocols.

14. Data Encryption

Strong encryption is used to protect all data in transit and at rest.

Encryption in transit is achieved via the industry- standard TLS (Transport Layer Security) protocol supporting only the strongest encryption algorithms, including AES (Advanced Encryption Standard) with up to 256-bit key lengths.

Meet compliance requirements for regulations, such as GDPR, CCPA, PCI-DSS, HIPAA, and more. Satisfy audit requirements and avoid fines. Transparent data encryption (TDE) stops would-be attackers from bypassing the database and reading sensitive information directly from storage by enforcing data-at-rest encryption in the database layer. Encrypt individual data columns, entire tablespaces, database exports, and backups to control access to sensitive data.

By using TLS version 1.3, an encrypted communication channel between the end-user web browser and the platform is established, ensuring the confidentiality and integrity of all data transmissions from end-to-end.

The AES encryption algorithm is widely recognized and approved by organizations worldwide as an industry standard in government, military, and commercial applications.

All emails from our platform are transmitted via TLS-encrypted channels, when available.

Password Management

User passwords are never stored in clear text format. A strong cryptographic algorithm is used to generate irreversible strings known as password hashes. The algorithm also uses a unique long random value known as a salt, which is different for each user and ensures protection against attacks based on pre-computation of password hashes.

Password Attempts

When signing in to our platform or generating a token to use in another application, users have up to five attempts to enter your password. After five attempts, reCAPTCHA displays. reCAPTCHA is a service that protects websites from spam and abuse, and requires you to enter a series of characters or numbers to prove you are human.

Session expiry

A session is a period of activity between a user logging in and out of an application. Sessions are global to all platform modules. Your session expires if you are inactive for the duration of time set by an Account Admin.

Anti-malware Protections

Files uploaded to the platform are scanned for malware to protect users.

Event Monitoring

All product systems are monitored 24/7 for security and availability. In the event of any service interruption, alerts are delivered via e-mail, text message, and phone call to system administrators and management.

Security and performance are monitored using sophisticated third-party monitoring tools. Security and performance requirements are reviewed on a weekly basis and any issues noted that potentially impact customers are documented and resolved.

Privileged Access

Share-Holder follows the principle of least privilege for internal administration. Employees who require administrative access must be requested via a ticketing system. The request requires the approval from management before access is granted.

Share-Holder administrative access is protected with a combination of network restrictions, username/password, multi-factor authentication, and private keys. Session limits for inactivity are set to 15 mins.

All access is tracked and monitored for suspicious activity. Administrative access to all applications is granted to employees only based on user job responsibilities. Access to all production system and internal applications is removed upon termination of employment.

Secure Software Development Life Cycle (SSDLC)

At all phases in the application development process, security is a top priority. Share-Holder builds security into the platform.

Secure coding best practices are strictly followed. Common application layer vulnerabilities, including all OWASP Top 10 vulnerabilities, are explicitly addressed at all stages of the SDLC using industry standard counter-measures, such as explicit sanitization of all user input, use of parameterized queries, and use of secure libraries. All code changes are controlled, approved and must go through strict peer review and Quality Assurance (QA) testing prior to production deployment.

Segregation of duties

Procedures, controls, and monitoring are in place to ensure that a separation of duties exist between the define, design, build, test, and deploy phases of the software lifecycle. Third-party monitoring tools are used for development, test, and production to detect run-time errors and monitor performance so multiple stakeholders are informed on deploy or error.

Penetration testing

In addition to internal security testing, Share-Holder uses 3rd party independent penetration testing to check for security vulnerabilities. These tests are performed by an organization specializing in software security, and are used to probe the environment for vulnerabilities, such as cross-site scripting, SQL Injection, session and cookie management. Exploitable vulnerabilities are resolved in a timely basis based on severity and impact.

Web scans and testing

Platform source code is maintained in a repository exclusively for source code management. The source code repository is a complete copy of the source code. Vulnerability scans are performed to identify security flaws within the source code and

15. Incident Management

Share-Holder has a robust platform Incident Response Plan to promptly and effectively manage incidents that minimize impact to the platform.

There is a Security Incident Response Team (SIRT) that is responsible for responding, managing, and conducting security investigations, including all aspects of communication such as deciding how, when, and to whom the findings shall be reported.

16. Incident Response Plan

Preparation - activities that enable the SIRT to respond to an incident: policies, tools, procedures, training, effective governance, and communication plans.

Preparation also implies that the affected groups have instituted the controls necessary to recover and continue operations after an incident is discovered. Post-mortem analyses from prior incidents form the basis for continuous improvement of this stage.

Detection & Investigation - the discovery of the event with security tools or notification by an inside or outside party about a suspected incident and the declaration and initial classification of the incident. Investigation includes completing an Incident Log to keep track of all incident activities.

Share-Holder monitors and investigate all events and reports of suspicious or unexpected activity and tracks them in an internal ticketing system. Investigation is the phase where SIRT personnel identify and determine the priority, scope, and root cause of the incident.

Containment - the triage phase where the affected host or system is identified, isolated or otherwise mitigated, and when affected parties are notified and investigative status established.

This phase includes sub-procedures for seizure and evidence handling, escalation, and communication. All evidence will be handled in accordance with local evidence handling procedures and legal requirements.

Remediation & Eradication - the post-incident repair and recovery of affected systems and or data, communication and instruction to affected parties, and analysis that confirms the threat has been contained.

Apart from any formal reports, the post-mortem will be completed at this stage as it may impact the remediation and interpretation of the incident.

Recovery - the analysis of the incident for its procedural and policy implications, the gathering of metrics, and the incorporation of “lessons learned” into future response activities and training.

Post-incident Activities - activities within the recovery stage include “Lessons Learned.” Lessons Learned allows the SIRT to identify any weaknesses in the plan and the supporting policy and or process and to put in place remedial actions to mitigate any further such incident.

During lesson learned, the SIRT will review the incident and examine all associated artefacts to identify any root cause. Lessons learned are documented and used to improve the plan.

17. Generative AI Usage Principles

AI Safety and Ethics Task Force

Share-Holder is committed to responsible AI deployment. Share-Holder maintains an AI Safety and Ethics task force comprised of Information Security, Legal, Product, Engineering, and Executive Leadership knowledge. This task force meets regularly to actively ensure our use of AI technologies meets the highest ethical and safety standards.

18. Generative AI Use

Share-Holder is exploring ways to use Generative AI and Large Language Models (LLM) to enhance the value that our products provide customers.

By default, the AI models we employ are not trained on the data you have entrusted our software products to protect. Any deviation from this principle requires your explicit consent and would always be your company's choice. Furthermore, any content produced by our company's generative AI is labelled, allowing users to readily identify AI-generated content.

As with all Share-Holder product functionality, controls are in place to ensure the logical separation of customer data and no third parties are provided access to your data without your prior consent.