Security Measures
Technical, administrative, and organizational measures Kyoso applies to protect customer data.
Last updated: April 23, 2026
These Security Measures are incorporated into the Kyoso Data Processing Addendum (available at: /docs/legal/dpa) (the “DPA”), and they set out the measures that Kyoso will implement and maintain to secure Customer Personal Data. Unless expressly stated otherwise, capitalised terms used herein have the meanings set out in the DPA.
Kyoso is actively pursuing SOC 2 Type 2 certification and operates a continuous controls-monitoring program against the SOC 2 Trust Services Criteria. Once the Service Organization Controls 2, Type 2 Report (the "Audit Report") is issued, Kyoso will employ and maintain a data processing environment and internal controls that provide at least the same level of protection as evidenced by the controls described in Kyoso's then-current Audit Report. Without limiting the foregoing, Kyoso will, additionally (where applicable), implement the following:
- Data Security Controls. Data security controls which include at a minimum logical segregation of data, restricted (e.g. role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Customer Personal Data as and where appropriate to the data concerned.
- Logical Access Controls. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
- Password Controls. Password controls designed to manage and control password strength, expiration and usage.
- Physical and Environmental Security. Physical and environmental security of production resources relevant to the Services, which are maintained by the relevant Sub-Processor(s) (and their vendors) engaged from time to time by Kyoso to host those resources. Kyoso takes reasonable steps to ensure that such Sub-Processors provide appropriate assurances and certifications that evidence such physical and environmental security – including security of data centre, server room facilities and other areas containing Customer Personal Data designed to: (a) protect information assets from unauthorised physical access, (b) manage, monitor and log movement into and out of Sub-Processor facilities, and (c) guard against environmental hazards such as heat, fire and water damage.
- Operational Procedures. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems.
- Change Management. Change management procedures and tracking mechanisms designed to test, approve and monitor all material changes to technology and information assets applicable to the Services and Customer Personal Data.
- Incident Management. Incident management procedures designed to allow Kyoso to investigate, respond to, mitigate and notify of events related to technology and information assets applicable to the Services and Customer Personal Data. Notification procedure for timely disclosure in case of events affecting information assets applicable to the Services and Customer Personal Data or the systems processing them.
- Network Security. Network security controls that provide for the use of enterprise firewalls designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability Assessment and Threat Protection. Vulnerability assessment and threat protection technologies designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
- BC/DR. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergency situations or disasters.
Kyoso may update or modify these Security Measures from time to time provided that such updates and modifications do not materially decrease the overall security of the Services, Customer Content and/or Customer Personal Data.