EXHIBIT C
Information security policy (SOC2 Type 1 compliance)
The Provider maintains a formalized information security policy to comply with various regulatory and business requirements. This security policy protects all sensitive and confidential data stored, accessed, or transmitted by our software platform, including its applications, components, infrastructure, and underlying code.
The Provider has designed a risk assessment program to assess the organization’s enterprise-level risk at least annually or upon significant changes to the environment. This program is designed to identify and assess threats to and vulnerabilities in systems and in service.
The Provider takes responsibility for implementing appropriate technical and organizational safeguards to ensure the protection of sensitive information. Employees of the Company are required to read and accept the terms of a confidentiality agreement upon hire that states they are prohibited from disclosing any company data from the systems and system components to which they have access.
The Provider maintains strict access controls that restrict private information to privileged users. These users are required to abide by the responsibilities assigned to them in connection with their elevated access.
The Provider has established a Data Handling, Retention, and Disposal Program to manage information in accordance with applicable laws, regulations, policies, and standards. This program establishes a formal data retention schedule and implements a data classification standard to ensure the confidential data is secured.
The Provider retains sensitive and confidential data only for as long as necessary to fulfill its purposes unless otherwise required by law or to meet legal and client contractual obligations.
The Provider segments its network to prevent direct or unauthorized connections between an external network and its information systems, in particular systems holding confidential data in cloud environments.
The Provider maintains a vulnerability management program to ensure the confidentiality, integrity, and availability (CIA) of the organization’s information systems landscape, which includes all critical system resources. The program includes internal and external scans, penetration testing, and issue remediation for the purposes of identifying, detecting, classifying, prioritizing, remediating, validating, and continuously monitoring vulnerabilities.
The Provider conducts independent third-party penetration tests at least annually on any systems with Confidential data or with a critical risk rating to identify security vulnerabilities.