DATA SECURITY

AUDI DATA SECURITY POLICY
This section defines the data security policy of AUDI. Our company takes the security and
privacy of our clients and business partners and their data very seriously. To ensure that we are
best protecting our corporate and client data from security breaches, we have created and
executed the following policy.
The major goals of this security policy are as follows:

• To implement the technology and solutions aimed at protecting AUDI clients' data and all
Personally Identifiable Information (PII) within their systems
• To provide industry-recommended protections that are within our control for the prevention
of data breaches
• To minimize interruptions to AUDI Data Center operations
• To limit the extent of any disruptions to customer operations

  1. AUDI Data Center Profile
    All of the AUDI software applications hosted in our Level 5 secure data center are implemented
    with the technology and security protocols described below.
    1.1 General
    AUDI provides Managed Hosting Services from a secure data center in Charlotte, North
    Carolina. Our facility provider, Peak 10, partners with our AUDI staff to monitor the
    performance, readiness and redundancy of our assets 24x7x365 and the center is protected by
    security guards and staffed at all times with data center monitoring personnel throughout the
    year.
    Peak 10 is an SSAE 16 Level II Certified and PCI Certified Data Center. These standards require
    strict adherence to control and change control for personnel. Our Security Audit is completed
    under SSAE 16 guidelines.
    Visitors to our headquarters and Data Centers are required to present valid government-issued
    identification, must sign in and present a Peak 10-issued visitor badge, and can only access the
    center floor with this magnetic card visitor badge. In addition, they must punch in a valid code
    for the cipher lock and pass the biometric thumb print recognition in order to gain access. They
    are escorted by authorized personnel at all times, and the completion of proper sign-out
    procedures is also required. Video monitoring of external entryways is maintained. All servers
    are in locked rooms and locked cages.
    1.2 Data Center Security
    Our Peak 10 facility is engineered with a minimum of five levels of security:
    Level 1: Proximity card access with PIN is required to enter the building. (AUDI techs are not
    yet in the data center.)
    Level 2: Proximity card access with Biometric (fingerprint) scan is required to enter the data
    center.
    Level 3: All hardware is secured in a locked steel mesh cabinet fitted with combination locks.
    Level 4: Video surveillance cameras are placed throughout the facility and monitored by onsite
    staff 24x7x365.
    Level 5: Strategically placed vibration detection devices alert Peak 10 personnel of any motion
    in the facility.
    1.3 Data Center Redundancy, Physical and Environmental
    Redundant ISPs: Our Peak 10 data center is engineered with three Internet Service Providers
    (ISPs), each capable of handling the entire Data Center traffic in the event all but one fail. For
    Charlotte, the providers are AT&T, Time Warner and XO Communications.
    Uninterruptible Power: Each Peak 10 data center is engineered with an uninterruptible power
    system and backup generator to deliver seamless power. In the event of a commercial power
    failure, our isolated UPS system will provide immediate backup power until our diesel
    generators take over the load and continue operation of the center.
    Redundant HVAC: Peak 10 utilizes best-in-class environmental units to control and monitor
    the temperature and humidity in each data center facility. The redundant HVAC system
    maintains the average temperature in each data center at 70 degrees Fahrenheit to ensure a
    consistent operating atmosphere for your mission critical technology infrastructure.
    Fire Suppression: Peak 10 data centers utilize dry-fire suppression systems that can be
    deployed manually, or by a sequence of three failures anywhere in a data center zone. Each Peak
    10 facility is also fully equipped with smoke and heat detection sensors as well as fire doors and
    handheld gas-based fire extinguishers.
    1.4 Intrusion Protection and other Protective Protocols
    The following hardware and software solutions are implemented as part of the AUDI Managed
    Hosting Services platform at our data center.
    Firewall: Our network is protected by a managed, Protect Point Firewall. The Firewall is
    managed 24/7 and is redundant to n+2 for each port. The Firewall is equipped with Silver Sky
    intrusion detection and threat isolation. Any perceived threat is isolated, blocked and vetted for
    authenticity or confirmed threat. Reports are generated for each threat trigger in real time.
    Network Intrusion Detection: We utilize 24/7 Host and Network Intrusion
    Detection/Prevention Systems (IDS/IPS) at Application, Network and Data Center levels. A
    scheduled program for updating attack signatures is maintained, and intrusion/alert logging is
    used.
    Virus Scanning and Detection: All of our hosted servers are set up and equipped with
    continuous virus scanning and scheduled updates to the virus signature files.
    Denial-of-Service Prevention: We take commercially reasonable steps to ensure against
    denial-of-service outages including the utilization of a leading denial-of-service protection and
    mitigation service.
    Server Operating Systems: We implement a standard for hardening/securing all of our servers'
    operating systems (O/S), including a scheduled program for applying updates, patches and hot
    fixes to all server O/S's.
    1.5 Strong Password Enforcement
    Access to all Managed Hosting Services is controlled by secure password-protected access,
    which is administered by our Technical Services Team, who utilize our detailed password policy
    and enforce highly secure password protocols for the highest industry-recommended levels for
    access security to our systems.
  2. AUDI Application and Data Protection
    All of the AUDI software applications and solutions have been designed with the proper tools,
    features, and industry-standard protocols for protecting the hosted data and PII. Some of these
    are described below.
    2.1 Encryption
    Data is encrypted in transit and at rest via SSL 256-bit digital certificate encryption.
    2.2 Passwords
    AUDI applications are designed to support strong password protection and policies for the
    creation of all user accounts with access to sensitive data.
    2.3 Server architecture
    All AUDI hosting servers are equipped with dual quad core processors and shadow arrays with
    data mirroring.
  3. AUDI Application and Data Backup Procedures and Protection
    All of the AUDI software applications and solutions running under our Managed Hosting
    Services program in our secure data center receive constant monitoring and regular backup
    services to protect the system applications and data.
    3.1 Backups Performed throughout each Day
    Backups of the system “data” are captured periodically throughout each day using Dell
    AppAssure.
    The O/S configuration is backed up every 12 hours.
    The application and application configuration are backed up every 12 hours.
    Our system is composed of a hard cluster of servers with options available for servers to have a
    redundant virtual server.
    Our platforms are N+2 redundant using MS Server 2008 R2 and MS Server 2012 operating
    systems with quad core servers and Hyper-V warm virtual servers available to back-up the hard
    servers.
    3.2 System and Data Monitoring
    We utilize a variety of different solutions for monitoring the performance and consistent
    operation of all AUDI systems, servers and networks.
    The Peak 10 data center provides round-the-clock on-site personnel who monitor the overall
    health of the data center power, Internet, operation temperature, physical security of the Data
    Center as well as the up time of all servers within the AUDI server racks. Other support
    personnel can be called on 24/7 in the event that additional help is required, either for a
    small-scale physical server issue where “hands on” support is required, or to provide help for
    large-scale issues where assistance is needed from skilled network engineers.
    AUDI maintains a large number of monitoring applications which virtually verify that all
    AUDI systems are running properly 24/7 without any issues. If potential problems are discovered
    by these applications, our technical services team members are notified immediately by email
    and text messages.
    Our systems are protected by a Protect Point Firewall. The Firewall is managed 24/7 and is
    redundant to n+2 for each port. The Firewall is equipped with Silver Sky intrusion detection and
    threat isolation.
    Our systems are protected via the utilization of a leading denial-of-service protection and
    mitigation service that monitors access to our systems 24/7.
    3.3 System and Data Restore and Recovery Procedures
    Within our secure data center, we have dedicated physical restore servers available at all times
    in place and ready to be used in the event of the need for restoration of system applications
    and/or data as part of our standard recovery procedures.
    We maintain a fully documented detailed set of data, system and disaster recovery plans
    in-house. These are reviewed and tested regularly to ensure compliance and current viability. Due
    to the confidential and sensitive nature of the information contained within these plans they are
    not available for dissemination outside of the approved members of AUDI management and the
    technical services team.
    Audit Procedures
    AUDI audits all researchers of public criminal records to ensure quality.
    • Frequency is dependent on the volume of requests submitted to the researcher.
    • A known result will be sent to the researcher to test their reliability.
    • If a discrepancy is found, the researcher is contacted directly. Both results
    (positive and negative) are sent to the researcher to determine the result error. Typically the
    issue is the spelling of a name or a wrong date of birth. All communication is documented and
    placed into a specific folder.
    • Depending on the outcome, the relationship with that specific researcher will be terminated or
    a plan of action to perform more audits will be determined.