FitBots – Data Security Policy

This is the Data Security Policy ("Policy") of FitBots, LLC (“FitBots,” “we”, “us,” and “our”). The objectives of this Policy include defining, documenting, and supporting the implementation and maintenance of the administrative, technical, and physical safeguards FitBots has selected to protect the personally-identifiable information and sensitive information (“Personal Data”) it collects, creates, uses, and maintains. This Policy has been developed in accordance with the requirements of the Massachusetts Data Security Regulation and other similar laws.

This Policy initially incorporates two of AstraZeneca’s information technology policies (the “AZ Policies”). During the first year after adoption of this Policy, FitBots will attempt to implement the AZ Policies for all processes and standards stated therein. By the end of the first year, FitBots will revise this Policy to adopt as many of the processes and standards in the AZ Policies where and when practical.

In the event of a conflict between this Policy and any legal obligation or other FitBots policy or procedure, the provisions of this Policy shall govern, unless the Information Security Coordinator specifically reviews, approves, and documents an exception (see Section 3 of this Policy).

1. Purpose. The purpose of this Policy is to:

1.1 Ensure the security, confidentiality, integrity, and availability of personal and other sensitive information FitBots collects, creates, uses, and maintains.

1.2 Protect against any anticipated threats or hazards to the security, confidentiality, integrity, or availability of such information.

1.3 Protect against unauthorized access to or use of FitBots-maintained personal and other sensitive information that could result in substantial harm or inconvenience to any customer or employee.

1.4 Define an information security program that is appropriate to FitBots's size, scope, and business; its available resources; and the amount of personal and other sensitive information that FitBots owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.

2. Scope. This Policy applies to all employees, contractors, officers, and directors of FitBots. It applies to any records that contain personal and other sensitive information (“Personal Data”) in any format and on any media, whether in electronic or paper form.

2.1 For purposes of this Policy, "Personal Data" includes without limitation an individual’s first and last name, or first initial and last name, in combination with any one or more of the following data elements, or any of the following data elements standing alone or in combination, if such data elements could be used to commit identity theft against the individual:

2.1.1 Social Security number, driver's license number, or other government-issued identification numbers, including any passport number, or tribal identification number.

2.1.2 Account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to the individual's financial accounts.

2.1.3 Any personally identifiable financial information or consumer list, description, or other grouping derived from personally identifiable financial information, where “personally identifiable financial information” includes any information:

2.1.3.1 A consumer provides FitBots to obtain a financial product or service.

2.1.3.2 About a consumer resulting from any transaction involving a financial product or service with FitBots.

2.1.3.3 Information FitBots otherwise obtains about a consumer in connection with providing a financial product or service.

2.1.4 Health information, including information regarding the individual's medical history or mental or physical condition, or medical treatment or diagnosis by a health care professional created or received by FitBots. “Health information” includes any information which identifies or for which there is a reasonable basis to believe the information can be used to identify the individual and which relates to the past, present, or future physical or mental health or condition of the individual, the provision of health care to the individual, or payment for the provision of health care to the individual.

2.1.5 Health insurance identification number, subscriber identification number, or other unique identifier used by a health insurer.

2.1.6 Biometric data collected from the individual and used to authenticate the individual during a transaction, such as an image of a fingerprint, retina, or iris.

2.1.7 Electronic mail (“email”) or other communications address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.

2.1.8 FitBots considers to be highly confidential information that, if accessed by or disclosed to unauthorized parties, could cause significant or material harm to FitBots, its customers, or its business partners.

3. Information Security Coordinator.

3.1 FitBots has designated a Chief Privacy Officer to implement, coordinate, and maintain this Policy, and who will also either serve as or supervise the "Information Security Coordinator".

3.2 The Information Security Coordinator shall be responsible for initial implementation of this Policy, including:

3.2.1 Assessing internal and external risks to Personal Data and maintaining related documentation, including risk assessment reports and remediation plans (see Section 4).

3.2.2 Coordinating the development, distribution, and maintenance of information security policies and procedures (see Section 5).

3.2.3 Coordinating the design of reasonable and appropriate administrative, technical, and physical safeguards to protect personal [and other sensitive] information (see Section 6).

3.2.4 Ensuring that the safeguards are implemented and maintained to protect Personal Data throughout FitBots, where applicable (see Section 6).

3.2.5 Overseeing service providers that access or maintain Personal Data on behalf of FitBots (see Section 7).

3.2.6 Monitoring and testing the information security program's implementation and effectiveness on an ongoing basis (see Section 8).

3.2.7 Defining and managing incident response procedures (see Section 9).

3.2.8 Establishing and managing enforcement policies and procedures for this Policy, in collaboration with FitBots human resources and management (see Section 10).

3.3 The Information Security Coordinator will also be responsible for employee, contractor, and (as applicable) stakeholder training, including:

3.3.1 Providing periodic training regarding this Policy, FitBots's safeguards, and relevant information security policies and procedures for all employees, contractors, and (as applicable) stakeholders who have or may have access to Personal Data;

3.3.2 Ensuring that training attendees formally acknowledge their receipt and understanding of the training and related documentation, through written acknowledgement forms.

3.3.3 Retaining training and acknowledgment records.

3.4 Reviewing the Policy and the security measures defined herein at least annually, or whenever there is a material change in FitBots's business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing Personal Data (see Section 11).

3.5 Defining and managing an exceptions process to review, approve or deny, document, monitor, and periodically reassess any necessary and appropriate, business-driven requests for deviations from this Policy or FitBots's information security policies and procedures.

3.6 Periodically reporting to FitBots management regarding the status of the information security program and FitBots's safeguards to protect Personal Data.

4. Risk Assessment.

4.1 As a part of developing and implementing this Policy, FitBots will conduct a documented risk assessment periodically or whenever there is a material change in FitBots's business practices that may implicate the security, confidentiality, integrity, or availability of records containing Personal Data.

4.2 The risk assessment shall:

4.2.1 Identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of any electronic, paper, or other records containing Personal Data.

4.2.2 Assess the likelihood and potential damage that could result from such risks, taking into consideration the sensitivity of the Personal Data.

4.2.3 Evaluate the sufficiency of relevant policies, procedures, systems, and safeguards in place to control such risks, in areas that include, but may not be limited to:

4.2.3.1 Employee, contractor, and (as applicable) stakeholder training and management.

4.2.3.2 Employee, contractor, and (as applicable) stakeholder compliance with this Policy and related policies and procedures.

4.2.3.3 Information systems, including network, computer, and software acquisition, design, implementation, operations, and maintenance, as well as data processing, storage, transmission, retention, and disposal.

4.2.3.4 FitBots's ability to prevent, detect, and respond to attacks, intrusions, and other security incidents or system failures.

4.3 Following each risk assessment, FitBots will:

4.3.1 Design, implement, and maintain reasonable and appropriate safeguards to minimize identified risks;

4.3.2 Reasonably and appropriately address any identified gaps.

4.3.3 Regularly monitor the effectiveness of FitBots's safeguards, as specified in this Policy (see Section 8).

5. Information Security Policies and Procedures.

5.1 As part of this Policy, FitBots will develop, maintain, and distribute information security policies and procedures in accordance with applicable laws and standards to relevant employees, contractors, and (as applicable) other stakeholders.

5.2 FitBots will establish policies regarding:

5.2.1 Information classification.

5.2.2 Information handling practices for Personal Data, including the storage, access, disposal, and external transfer or transportation of Personal Data. For the sanitation and disposal standard, FitBots adopts AZ Policy AZDoc0003955 version 3.0, entitled “ITSEC -Data Sanitization Standard” (the “AZ Sanitization Standard”).

5.2.3 User access management, including identification and authentication (using passwords or other appropriate means).

5.2.4 Encryption. For the encryption and transmission standard, FitBots adopts AZ Policy AZDoc0006090 version 2.0, entitled “ITSEC - Secure Electronic Data Transfer” (the “AZ Transfer Standard”).

5.2.5 Computer and network security. The AZ Transfer Standard shall apply to computer and network security as well.

5.2.6 Physical security.

5.2.7 Incident reporting and response.

5.2.8 Employee and contractor use of technology, including Acceptable Use and Bring Your Own Device to Work (BYOD).

5.2.9 Information systems acquisition, development, operations, and maintenance.

5.3 FitBots will detail the implementation and maintenance of FitBots's administrative, technical, and physical safeguards (see Section 6).

6. Safeguards.

6.1 FitBots will develop, implement, and maintain reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of Personal Data that FitBots owns or maintains on behalf of others, starting with the AZ Policies.

6.2 Safeguards shall be appropriate to FitBots's size, scope, and business; its available resources; and the amount of Personal Data that FitBots owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.

6.3 FitBots shall document its administrative, technical, and physical safeguards in FitBots's information security policies and procedures (see Section 5).

6.4 FitBots's administrative safeguards shall include, at a minimum:

6.4.1 Designating one or more employees to coordinate the information security program (see Section 3).

6.4.2 Identifying reasonably foreseeable internal and external risks, and assessing whether existing safeguards adequately control the identified risks (see Section 4).

6.4.3 Training employees in security program practices and procedures, with management oversight (see Section 3).

6.4.4 Selecting service providers that are capable of maintaining appropriate safeguards, and requiring service providers to maintain safeguards by contract (see Section 7).

6.4.5 Adjusting the information security program in light of business changes or new circumstances (see Section 11).

6.5 FitBots's technical safeguards shall include maintenance of a security system covering its network (including wireless capabilities) and computers that, at a minimum, and to the extent technically feasible, supports secure user authentication protocols, including:

6.5.1 Controlling user identification and authentication with a reasonably secure method of assigning and selecting passwords (ensuring that passwords are kept in a location or format that does not compromise security) or by using other technologies, such as biometrics or token devices.

6.5.2 Restricting access to active users and active user accounts only, including preventing terminated employees or contractors from accessing systems or records.

6.5.3 Blocking access to a particular user identifier after multiple unsuccessful attempts to gain access or placing limitations on access for the particular system.

6.6 FitBots’s technical safeguards may also include secure access control measures, including:

6.6.1 Restricting access to records and files containing Personal Data to those with a need to know to perform their duties.

6.6.2 Assigning unique identifiers and passwords (or other authentication means, but not vendor-supplied default passwords) to each individual with computer or network access that are reasonably designed to maintain security.

6.6.3 Encryption of all Personal Data traveling wirelessly or across public networks.

6.6.4 Encryption of all Personal Data stored on laptops or other portable or mobile devices. One current goal is to set a date and create an implementation plan to encrypt Personal Data stored on any other device or media, including data-at-rest.

6.6.5 Reasonable system monitoring for preventing, detecting, and responding to unauthorized use of or access to Personal Data or other attacks or system failures.

6.6.6 Reasonably current firewall protection and software patches for systems that contain (or may provide access to systems that contain) Personal Data.

6.6.7 Reasonably current system security software (or a version that can still be supported with reasonably current patches and malware definitions) that (1) includes malicious software ("malware") protection with reasonably current patches and malware definitions, and (2) is configured to receive updates on a regular basis.

6.7 FitBots's physical safeguards shall, at a minimum, provide for:

6.7.1 Defining and implementing reasonable physical security measures to protect areas where Personal Data may be accessed, including reasonably restricting physical access and storing records containing Personal Data in locked facilities, areas, or containers.

6.7.2 Preventing, detecting, and responding to intrusions or unauthorized access to Personal Data, including during or after data collection, transportation, or disposal.

6.7.3 Secure disposal or destruction of Personal Data, whether in paper or electronic form, when it is no longer to be retained in accordance with applicable laws or accepted standards.

7. Service Provider Oversight. FitBots will oversee each of its service providers that may have access to or otherwise create, collect, use, or maintain Personal Data on its behalf by:

7.1 Evaluating the service provider's ability to implement and maintain appropriate security measures, consistent with this Policy and all applicable laws and FitBots's obligations.

7.2 Requiring the service provider by contract to implement and maintain reasonable security measures, consistent with this Policy and all applicable laws and FitBots's obligations.

7.3 Monitoring and auditing the service provider's performance to verify compliance with this Policy and all applicable laws and FitBots's obligations.

8. Monitoring. FitBots will regularly test and monitor the implementation and effectiveness of its information security program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of Personal Data. FitBots shall reasonably and appropriately address any identified gaps.

9. Incident Response. FitBots will establish and maintain policies and procedures regarding information security incident response (see Section 5). Such procedures shall include:

9.1 Notifying each person or entity required by and in accordance with applicable law.

9.2 Notifying AstraZeneca in the manner most recently specified by AstraZeneca, unless notification is expressly prohibited by applicable law.

9.3 Documenting the response to any security incident or event that involves a breach of security.

9.4 Performing a post-incident review of events and actions taken.

9.5 Reasonably and appropriately addressing any identified gaps.

10. Enforcement. Violations of this Policy will result in disciplinary action, in accordance with FitBots's information security policies and procedures and human resources policies.

11. Program Review. FitBots will review this Policy and the security measures defined herein at least annually, or whenever there is a material change in FitBots's business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing Personal Data. FitBots shall retain documentation regarding any such program review, including any identified gaps and action plans.

12. Effective Date and Revision History.

This Policy is effective as of November 21, 2017.

Prior versions of this Policy are listed below:

• November 10, 2017.