Last updated: 15 March, 2025
This Rigo Security Exhibit applies to the Covered Service and Covered Data. Capitalized terms used herein have the meanings given in the Agreement (including its attached exhibits) that refers to this Exhibit.
Rigo maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that are appropriate to (a) the type of information that Rigo will store as Covered Data; and (b) the need for security and confidentiality of such information.
Rigo’s security program is designed to:
- Protect the confidentiality, integrity, and availability of Covered Data in Rigo’s possession or control;
- Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of Covered Data;
- Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of Covered Data;
- Protect against accidental loss or destruction of, or damage to, Covered Data; and
- Safeguard information as set forth in any regulations by which Rigo may be regulated.
Rigo’s security program includes:
1. Security Awareness and Training
Mandatory employee security awareness and training programs, which include:
- Training on how to implement and comply with its information security program; and
- Promoting a culture of security awareness.
2. Access Controls
Policies, procedures, and logical controls:
- To limit access to its information systems to properly authorized persons;
- To prevent those workforce members and others who should not have access from obtaining access; and
- To remove access on a timely basis in the event of a change in job responsibilities or job status.
3. Physical and Environmental Security
Controls that provide reasonable assurance that access to Rigo infrastructure is limited to properly authorized individuals.
4. Security Incident Procedures
A security incident response plan that includes procedures to be followed in the event of any security breach of any application or system directly associated with the accessing, processing, storage or transmission of Covered Data.
5. Contingency Planning
Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage Covered Data or production systems that contain Covered Data.
6. Audit Controls
Technical or procedural mechanisms put in place to promote efficient and effective operations, as well as compliance with policies.
7. Data Integrity
Policies and procedures to ensure the confidentiality, integrity, and availability of Covered Data and to protect it from disclosure, improper alteration, or destruction.
8. Storage and Transmission Security
Security measures to guard against unauthorized access to Covered Data that is being transmitted over a public electronic communications network or stored electronically.
9. Secure Disposal
Policies and procedures regarding the secure disposal of tangible property containing Covered Data, taking into account available technology so that such data cannot be practicably read or reconstructed.
10. Assigned Security Responsibility
Assigning responsibility for the development, implementation, and maintenance of its information security program, including:
- Designating a security official with overall responsibility; and
- Defining security roles and responsibilities for individuals with security responsibilities.
11. Testing
Regularly testing the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified.
12. Monitoring
Network and systems monitoring, including review of error logs on servers and disks and of security events, to identify potential problems. Such monitoring includes:
- Reviewing changes affecting systems handling authentication, authorization, and auditing;
- Reviewing privileged access to Rigo production systems processing Covered Data; and
- Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.
13. Change and Configuration Management
Maintaining policies and procedures for managing changes Rigo makes to production systems, applications, and databases processing Covered Data. Such policies and procedures include:
- A process for documenting, testing and approving the patching and maintenance of the Covered Service;
- A security patching process that requires patching systems in a timely manner based on a risk analysis; and
- A process for Rigo to utilize a third party to conduct web application-level security assessments. These assessments generally include testing, where applicable, for:
  - Cross-site request forgery
  - Services scanning
  - Improper input handling (e.g. cross-site scripting, SQL injection, XML injection, cross-site flashing)
  - XML and SOAP attacks
  - Weak session management
  - Data validation flaws and data model constraint inconsistencies
  - Insufficient authentication
  - Insufficient authorization
14. Program Adjustments
Rigo monitors, evaluates, and adjusts, as appropriate, the security program in light of:
- Any relevant changes in technology and any internal or external threats to Rigo or the Covered Data;
- Security and data privacy regulations applicable to Rigo; and
- Rigo’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
15. Definitions
Unless otherwise defined below, all capitalized terms have the meaning given within the applicable Agreement and/or exhibits thereto.
“Covered Data” means (i) Customer Data, and (ii) any other electronic data or information submitted by or on behalf of Customer to a Covered Service.
“Covered Service” means any Service provided under an Order Form.