Security Addendum
Last updated: March 23, 2026

This Security Addendum ("Addendum") describes the technical and organizational security measures that Aperture Technologies, Inc. ("Aperture") maintains in connection with the Service. This Addendum is incorporated by reference into the Terms of Service and any applicable Order Form between Aperture and Customer. Capitalized terms not defined herein have the meanings given in the Terms of Service.
1. Audits and Certifications
Aperture engages independent third-party auditors to conduct security assessments on at least an annual basis.
2. Hosting and Data Storage
The Service is cloud-based and hosted on Amazon Web Services ("AWS"). Customer Data is stored in the AWS region specified in the applicable Order Form. Alternative hosting regions are available upon request and subject to agreement in the Order Form. Customer Data is never stored on systems located at Aperture's corporate offices or employee-managed facilities. All production data resides exclusively within Aperture's cloud infrastructure.
3. Encryption
- At rest: All Customer Data is encrypted at rest using AES 256-bit encryption or a stronger algorithm.
- In transit: All Customer Data transmitted between Customer systems and the Service is encrypted using TLS 1.2 or a stronger protocol.
- Key management: Encryption keys are rotated on at least an annual basis. Key management is performed via hardware security modules ("HSMs"), and encryption keys are logically separated from the Customer Data they protect.
4. System and Network Security
- All Aperture personnel are assigned unique user identifiers. Shared or generic accounts are not permitted for access to systems that process Customer Data.
- Multi-factor authentication ("MFA") is required for all access to production systems and internal tools that process or store Customer Data.
- Passwords must meet complexity requirements and are managed through a centralized identity provider.
- All company-issued devices are encrypted, enrolled in an endpoint detection and response ("EDR") solution, and managed centrally.
- Threat detection systems are deployed across the production environment and updated with current signatures and indicators of compromise on a daily basis.
- Aperture engages an independent third party to perform penetration testing of the Service on at least an annual basis. Findings rated critical or high are remediated in accordance with the vulnerability management timelines below.
- Automated vulnerability scanning is performed continuously. Identified vulnerabilities are remediated according to the following timelines:
  - Critical: within 7 days
  - High: within 30 days
  - Medium: within 90 days
- Aperture conducts an OWASP-aligned web application security assessment on at least an annual basis.
5. Administrative Controls
- All Aperture personnel complete security awareness training at onboarding and on at least an annual basis thereafter.
- Engineers and personnel involved in software development receive secure development training covering secure coding practices, OWASP Top 10, and secure architecture principles.
- All personnel with access to Customer Data or Confidential Information are bound by written confidentiality agreements.
- Access to Aperture systems and Customer Data is revoked within one (1) business day of an employee's or contractor's departure from the organization.
- Aperture conducts quarterly reviews of privileged access to production systems and Customer Data to ensure compliance with the principle of least privilege.
- Background screening is conducted for all personnel in accordance with applicable law prior to granting access to Customer Data.
- Aperture maintains an external threat intelligence program to monitor for emerging threats, vulnerabilities, and indicators of compromise relevant to the Service and its infrastructure.
6. Session Isolation
The Aperture platform enforces per-pipeline session isolation. Each pipeline execution runs within an isolated session context with its own scoped data boundaries. Cross-client data access is architecturally impossible — isolation is enforced at the infrastructure and application layer, not merely by policy or access control rules. This design ensures that no pipeline execution can read, reference, or interact with data belonging to another Customer or pipeline session.
7. Vendors and Subprocessors
Aperture requires all vendors and subprocessors with access to Customer Data to maintain security standards that are consistent with or exceed the obligations set forth in this Addendum. Vendor security assessments are conducted prior to engagement and reviewed on a periodic basis. Aperture maintains a current list of subprocessors at runaperture.com/legal.
8. Physical Data Center Controls
Aperture's cloud service providers (including AWS) maintain the following physical and environmental controls, as validated by their SOC 2 Type II and ISO 27001 certifications:
- Controlled building access with multi-layered physical security, including badge access, biometric verification, and visitor management;
- Closed-circuit television (CCTV) monitoring and recording at facility entry points and critical infrastructure areas;
- Fire detection and suppression systems;
- Backup power and redundancy systems to maintain availability during infrastructure failures;
- Climate control and environmental monitoring to protect equipment from temperature, humidity, and other environmental hazards.
9. Incident Detection and Response
In the event of a confirmed security incident affecting Customer Data ("Security Incident"), Aperture will:
- Notify Customer within forty-eight (48) hours of confirming the Security Incident, via the designated email address specified by Customer in the applicable Order Form or account settings;
- Take reasonable steps to contain and mitigate the effects of the Security Incident;
- Preserve relevant logs and forensic evidence for a minimum of one (1) year following the Security Incident;
- Provide Customer with the following information, to the extent known at the time of notification and supplemented as additional information becomes available:
  - The nature and scope of the Security Incident;
  - The likely consequences of the Security Incident;
  - The status of Aperture's investigation; and
  - The measures taken or proposed to contain and mitigate the Security Incident.
10. Audit Logging
Aperture creates and maintains audit records for security-relevant events within the Service, including authentication events, access to Customer Data, administrative actions, and configuration changes. Audit logs are protected against unauthorized access, modification, and deletion. Audit records are retained for a minimum of one (1) year and a maximum of ten (10) years. Log integrity is maintained through tamper-protection mechanisms.
11. Customer Audit Rights
- Aperture will make available its current SOC 2 reports, penetration test executive summaries, and relevant certifications to Customer at no additional cost, subject to execution of a mutual non-disclosure agreement where not already in effect.
- Aperture will respond to up to one hundred (100) security-related questions from Customer per calendar year at Aperture's expense. Responses will be provided within a commercially reasonable timeframe.
- In the event of a confirmed Security Incident affecting Customer Data, Aperture will, at Aperture's cost, engage an independent forensic specialist to investigate the incident and provide Customer with a summary of findings and recommended remediation measures.
12. Customer Responsibilities
Customer is responsible for the following security obligations in connection with its use of the Service:
- Ensuring that its use of the Service complies with the authorized use terms set forth in the Terms of Service and the applicable Order Form;
- Maintaining the confidentiality and security of all access credentials, API keys, and authentication tokens issued to Customer and its authorized users;
- Ensuring that Customer's IT systems, devices, and software used to access the Service are current, properly configured, and maintained with up-to-date security patches.
13. Business Continuity and Disaster Recovery
Aperture maintains business continuity and disaster recovery plans designed to sustain critical operations during and following disruptive events, including infrastructure failures, natural disasters, and cybersecurity incidents. These plans are:
- Reviewed and approved by senior management on at least an annual basis;
- Tested on at least an annual basis, with results documented and remediation actions tracked to completion;
- Designed to address recovery time objectives, recovery point objectives, and communication protocols for the Service and its supporting infrastructure.
Questions about this Security Addendum should be directed to security@runaperture.com.