Qodo Security Exhibit
Last Updated: September 29, 2024
- Codium Ltd. and its affiliates, dba Qodo (the “Company”), implements and maintains commercially reasonable and appropriate physical, technical and organizational security measures to protect Customer Data against accidental or unlawful destruction, accidental loss, alteration, and unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise processed, including (as appropriate): (i) the pseudonymization and encryption of Customer Data which constitutes personal data, as such term is defined under applicable privacy laws; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability of and access to Customer Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- To protect the Customer Data, Company implements the following measures:
- Information Security Program – Company maintains an information security program with the aim of identifying reasonably foreseeable external and internal risks to the security of Codium’s network and minimizing security risks through risk assessments and regular testing.
- Security Reviews – Company conducts periodic reviews of the security of its infrastructure and the adequacy of its information security program. Evidence of these reviews includes annual SOC 2 Type II reports prepared by a qualified third party.
- Human Resources – Company provides that employees, contractors, partners, and vendors understand their data protection and security responsibilities. These responsibilities include maintaining the confidentiality, integrity and availability of the Customer Data processed by Company.
- Access Control – Company provides that only authorized users will have access to its information assets and to Customer Data. Users are only provided with access to assets that they have been specifically authorized to use.
- Encryption – Company provides for the proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information; Company will provide that Confidential Information will be encrypted whenever it is extracted from its primary repository.
- Physical and Environmental Security – Company uses physical and environmental measures to prevent unauthorized physical access, damage to or disruption of the organization’s information and information processing facilities.
- Operational and Communication Security – Company maintains appropriate controls related to the management of IT production, including change management, capacity management, malware protection, backup, logging, monitoring and vulnerability management.
- Data Retention and Disposal – Information stored within the service, such as logs and alerts, will be retained according to Customer’s requirements. When no longer required, the information will be securely deleted.