SOC 2 TYPE II-COMPLIANT CONDUCT AND COMPLIANCE SOLUTIONS

Behavox strictly adheres to SOC 2 Type II standards to deliver the industry's most secure and trusted compliance and conduct risk mitigation.

WHAT IS SOC 2 TYPE II COMPLIANCE?

The American Institute of Certified Public Accountants (AICPA) System and Organization Controls (SOC) reports give assurance over control environments as they relate to the retrieval, storage, processing, and transfer of data. Completion of SOC 2 Type II reports attests to our commitment to the security, availability and privacy of our products and protection of customer data. Additional information can be found at: https://www.aicpa.org/

DUE DILIGENCE SECURITY RISK ASSESSMENT

Customers can now request the Behavox CyberGRX validated report for their third-party supplier due diligence. The CyberGRX platform simplifies the risk assessment process for Behavox and customers by distributing all future updates of new assessments and audited controls from a single source. Customers can also monitor the risk scores and receive data breach alerts from the platform.

THE ASSESSMENT DETAILS

Methodology

The third-party CyberGRX report provides a standardized vendor assessment survey, analysis and reporting based on the National Institute of Standards and Technology (NIST) SP 800-53 and International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 frameworks. The assessment features five control groups:

- Strategic
- Operations
- Core
- Management
- Privacy

The aforementioned groups include controls and sub-controls based on the following frameworks: SOC, ISO 27001, NIST 800-53, NIST 800-171, NY-DFS, PCI DSS, FFIEC, SIG, and more.

Remote and On-Site Validation

Remote and On-Site validation requires a third party to provide CyberGRX Analysts with evidence artifacts that support their assessment answers. This validation process proceeds as follows:

1. Selection of Controls
2. Evidence Request and Collection
3. Evidence Submission
4. Evidence Evaluation

Framework Mapping

Upon registration on the CyberGRX platform, our customers will be able to request the latest completed Risk Assessment report and map the assessment results to industry frameworks as well as custom frameworks to gain granular visibility into controls coverage. The mapped frameworks include, but are not limited to, the following:

- Cybersecurity Maturity Model Certification (CMMC) Level 5
- National Institute of Standards and Technology (800.53 Revision 5 & CSF)
- Cloud Security Alliance (CSA-CCM & CAIQ)
- MITRE ATT&CK Framework
- California Consumer Privacy Act (CCPA)
- General Data Protection Regulation (GDPR)
- NYDFS Cybersecurity Regulation (23 NYCRR 500)
- Threat Profile: Accellion File Transfer Application Breach
- LogJam (CVE-2021-44228)