STRICTLY PRIVATE AND CONFIDENTIAL

EQUITY ADMINISTRATION SOLUTIONS, INC. THE DEVELOPMENT AND SUPPORT OF THE EQUITY MANAGEMENT SYSTEM REPORT ON CONTROLS PLACED IN OPERATION AND TESTS OF OPERATING EFFECTIVENESS FOR THE PERIOD OCTOBER 1, 2009 THROUGH SEPTEMBER 30, 2010

This report was issued by BDO USA, LLP, a New York limited liability partnership and the U.S. member of BDO International Limited, a UK company limited by guarantee.


Table of Contents

I. INDEPENDENT SERVICE AUDITOR’S REPORT ... 2

II. INFORMATION PROVIDED BY INDEPENDENT SERVICE AUDITORS ... 4
    INTRODUCTION ... 4
    CONTROL ENVIRONMENT, RISK ASSESSMENT, AND MONITORING ... 4
    CONTROLS AND TESTS OF OPERATING EFFECTIVENESS ... 5

III. EQUITY ADMINISTRATION SOLUTIONS, INC.’S DESCRIPTION OF CONTROLS ... 6
    COMPANY OVERVIEW ... 6
    CONTROL ENVIRONMENT ... 6
        PERSONNEL POLICIES AND PROCEDURES ... 6
        POLICY FOR TRAINING ... 6
        ORGANIZATIONAL STRUCTURE ... 7
        OTHER CONSIDERATIONS ... 7
    RISK ASSESSMENT ... 7
    MONITORING ... 7
    INFORMATION AND COMMUNICATION ... 7
        DESCRIPTION OF THE EQUITY MANAGEMENT SYSTEM ... 7
        DESCRIPTION OF EASI’S COMPUTERIZED INFORMATION SYSTEMS ... 8
        COMMUNICATION ... 8
    USER ORGANIZATION CONTROLS ... 8
    CONTROL OBJECTIVES, CONTROLS, AND TESTS OF OPERATING EFFECTIVENESS ... 9
        CONTROL OBJECTIVE 1 – PHYSICAL SECURITY ... 10
        CONTROL OBJECTIVE 2 – ENVIRONMENTAL SECURITY ... 12
        CONTROL OBJECTIVE 3 – NETWORK SECURITY ... 14
        CONTROL OBJECTIVE 4 – INTERNET APPLICATION SECURITY ... 17
        CONTROL OBJECTIVE 5 – LOGICAL SECURITY ... 18
        CONTROL OBJECTIVE 6 – EMS SOFTWARE DEVELOPMENT ... 25
        CONTROL OBJECTIVE 7 – DATA BACKUP ... 28

IV. OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION ... 29
    DISASTER RECOVERY AND CONTINUITY PLANNING ... 29


Tel: 415-397-7900 Fax: 415-397-2161 www.bdo.com

One Market, Suite 1100 Spear Tower San Francisco, CA 94105

BDO USA, LLP, a New York limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.

I. INDEPENDENT SERVICE AUDITOR’S REPORT

Equity Administration Solutions, Inc.

We have examined the accompanying description of the controls of Equity Administration Solutions, Inc. (EASi) applicable to the development and support of the Equity Management System. Our examination included procedures to obtain reasonable assurance about whether: (1) the accompanying description presents fairly, in all material respects, the aspects of EASi’s controls that may be relevant to a user organization's internal control as it relates to an audit of financial statements, (2) the controls included in the description were suitably designed to achieve the control objectives specified in the description, if those controls were complied with satisfactorily, and user organizations and subservice organizations applied the controls contemplated in the design of EASi’s controls, and (3) such controls had been placed in operation as of September 30, 2010.

EASi uses a subservice organization to house the Equity Management System production servers and a second subservice organization to house the corporate servers. The accompanying description includes only those controls and related control objectives of EASi, and does not include controls and related control objectives of the subservice organizations. Our examination did not extend to controls of the subservice organizations.

The control objectives were specified by the management of EASi. Our examination was performed in accordance with standards established by the American Institute of Certified Public Accountants and included those procedures we considered necessary in the circumstances to obtain a reasonable basis for rendering our opinion.

In our opinion, the accompanying description of the aforementioned controls presents fairly, in all material respects, the relevant aspects of EASi’s controls that had been placed in operation as of September 30, 2010. Also, in our opinion, the controls, as described, are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and user organizations and subservice organizations applied the controls contemplated in the design of EASi’s controls.

In addition to the procedures we considered necessary to render our opinion as expressed in the previous paragraph, we applied tests to specific controls, listed in Section III, to obtain evidence about their effectiveness in meeting the control objectives, described in Section III, during the period from October 1, 2009, to September 30, 2010. The specific controls and the nature, timing, extent, and results of the tests are listed in Section III. This information has been provided to user organizations of EASi and to their auditors to be taken into consideration, along with information about the internal control of user organizations, when making assessments of control risk for user organizations.


In our opinion, the controls that were tested, as described in Section III, were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives specified in Section III were achieved during the period from October 1, 2009, to September 30, 2010.

The relative effectiveness and significance of specific controls at EASi and their effect on assessments of control risk at user organizations are dependent on their interaction with the controls and other factors present at individual user organizations. We have performed no procedures to evaluate the effectiveness of controls at individual user organizations.

The description of controls at EASi is as of September 30, 2010, and the information about tests of the operating effectiveness of specific controls covers the period from October 1, 2009, to September 30, 2010. Any projection of such information to the future is subject to the risk that, because of change, the description may no longer portray the controls in existence. The potential effectiveness of specific controls at EASi is subject to inherent limitations and, accordingly, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that: (1) changes made to the system or controls, (2) changes in processing requirements, or (3) changes required because of the passage of time may alter the validity of such conclusions.

The information included in Section IV of this report is presented by EASi to provide additional information to user organizations and is not a part of EASi’s description of controls. The information in Section IV has not been subjected to the procedures applied in the examination of the description of the controls in Section III, and accordingly, we express no opinion on it.

This report is intended solely for use by the management of EASi, its user organizations, and the independent auditors of its user organizations.

BDO USA, LLP November 12, 2010

Section II

II. INFORMATION PROVIDED BY INDEPENDENT SERVICE AUDITORS

Introduction

This report is intended to provide information to the management of EASi, its user organizations, and the independent auditors of its user organizations about EASi’s controls applicable to the development and support of the Equity Management System. This report is also intended to provide information about the operating effectiveness of controls that were tested. This report, when combined with an understanding of the controls at user organizations, is intended to assist auditors in planning and assessing the control risk of the audit of the user organizations’ financial statements that may be affected by controls at EASi.

The examination was performed in accordance with the American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70 (SAS 70), Service Organizations, as amended. Our testing of the controls of EASi was restricted to the control objectives and the related description of controls specified by the management of EASi in Section III and was not extended to controls in effect at user organizations and subservice organizations.

It is each user organization’s responsibility to evaluate this information in relation to the internal control structure in place at each user organization and subservice organization in order to assess the total internal control structure. If an effective internal control structure is not in place at user organizations, EASi’s controls may not compensate for such weaknesses.

As this description is intended to focus on the processes and controls that may be relevant to the internal control structure of user organizations, it does not encompass all aspects of the services provided or controls performed by EASi. The report was designed to cover the standard processes and controls followed by EASi. Unique processes, controls or specific user organization situations not described in the report are outside the scope of this report.

Control Environment, Risk Assessment, and Monitoring

The control environment, risk assessment, and monitoring represent the collective effect of various elements in establishing, enhancing, or mitigating the effectiveness of specific controls. In addition to tests of specific controls described in Section III, our procedures included a review of relevant elements of EASi’s control environment, risk assessment, and monitoring.

Our review of the control environment, risk assessment, and monitoring included the following procedures to the extent we considered necessary: (a) a review of the organizational structure including the segregation of responsibilities and personnel policies; (b) discussions with management, operations, administrative, and other personnel who are responsible for developing, ensuring adherence to, and for applying controls in the performance of their assigned duties; (c) observations of personnel in the performance of their assigned duties; and (d) inspection of selected documentation. The control environment, risk assessment, and monitoring were considered in determining the nature, timing, and extent of the testing of the operational effectiveness of controls relevant to achievement of the control objectives.


Controls and Tests of Operating Effectiveness

Our tests of the operating effectiveness of controls included such tests as were considered necessary in the circumstances to evaluate whether those controls, and the extent of compliance with them, were sufficient to provide reasonable, but not absolute, assurance that the specified control objectives were achieved during the period from October 1, 2009 to September 30, 2010. Our tests of the operating effectiveness of controls were designed to cover a representative number of activities throughout the period from October 1, 2009 to September 30, 2010, for each of the controls listed in Section III, which are designed to achieve the specified control objectives. In selecting particular tests of the operating effectiveness of controls, we considered: (a) the nature of the controls being tested, (b) the types and competence of available evidential matter, (c) the control objectives to be achieved, (d) the assessed level of control risk, and (e) the expected efficiency and effectiveness of the test.

The description of BDO USA, LLP’s tests of operating effectiveness and results of those tests are presented in Section III of this report along with EASi’s description of controls. The description of the tests of operating effectiveness and the results of those tests are the responsibility of BDO USA, LLP and should be considered information provided by BDO USA, LLP.

Section III

III. EQUITY ADMINISTRATION SOLUTIONS, INC.’S DESCRIPTION OF CONTROLS

Company Overview

EASi is a software development firm located in Pleasanton, California. EASi offers web-based stock plan administration software. The Equity Management System (EMS) combines financial reporting with record keeping. EASi delivers a self-service software solution that requires only a web browser for enterprise-wide access. Features include:

• Over 175 SFAS 123R reports, with full A240 and FAS109 support to the journal entry level
• Full date sensitivity allowing restatement of prior periods
• Real-time, historical reporting with GAAP expensing
• Support for Options, Restricted Stock Units (RSUs), Restricted Stock Awards (RSAs), Stock Appreciation Rights (SARs), and Performance Awards
• User and date stamping of transactions allowing auditing of backdating
• Self-service “Roles” that allow preferred broker and transfer agent access
• Integrated Employee Stock Purchase Plan (ESPP) with online employee enrollment, contribution changes and roll-forward features
• Global mobility tracking
• Unlimited user-definable tax jurisdictions
• Hosted (web-based) or non-hosted (intranet) availability

Control Environment

Personnel Policies and Procedures

An Employee Handbook is provided to all employees. The Employee Handbook includes policies on ethical standards, conflict of interest, confidential information, recognizing and reporting conflicts, electronic communications, whistle blowing, and performance reviews. Employees must electronically accept the end user license agreement, which deals with certain terms and conditions of the employment relationship. In addition, employees are required to sign the “Confidential Information, Invention Assignment, and Arbitration Agreement”, which addresses confidential information and conflict of interest. Performance evaluations are conducted on a periodic basis by the employee's manager using a performance evaluation form which covers quality of work, quantity of work, dependability, initiative, organizational and team relationships, and goals. The performance evaluation form is signed by the employee and the manager to document that the review was completed.

Policy for Training EASi’s employee training consists principally of on-the-job training, supplemented by in-house training classes and external seminars. Employees are encouraged to obtain professional certifications and designations (e.g., Certified Equity Professional).


Organizational Structure

EASi is organized into the following teams that are applicable to the development and support of EMS:

• Business Development and Sales - responsible for identifying potential user organizations, communicating the product’s features to potential user organizations, initiating contracts with new user organizations, and negotiating agreements for custom enhancement projects.
• Customer Support - responsible for assisting in setting up new user organizations on EMS, responding to user organization calls, and educating the user organizations on the functionality of EMS.
• Quality Assurance - responsible for testing the EMS program changes.
• Product Development - responsible for creating the business requirements documents that provide guidance for the Engineering team in the development of EMS.
• Engineering - responsible for programming the EMS changes.
• Information Technology (IT) - responsible for the maintenance of computer equipment, the network infrastructure, and the database, and for providing help desk services to employees.

Other Considerations EASi maintains insurance coverage for general and technology professional liability.

Risk Assessment EASi does not have a formal documented risk assessment policy in place. However, weekly management meetings are held to identify and monitor risks related to the development and support of EMS. For any significant risks identified, management implements the appropriate measures to monitor and manage the risks.

Monitoring EASi management and supervisory personnel monitor the quality of internal control performance via frequent observance, interaction, and performance of their assigned duties. To assist them in monitoring, EASi uses a ticketing system to log and track cases submitted by user organizations. Metrics reports detailing system availability and tracking of cases are reviewed weekly by EASi management, and action is taken as necessary.

Information and Communication

Description of the Equity Management System

EMS is a web-based application which is developed and supported by EASi. EMS is designed to offer user organizations the ability to track and account for equity awards. EMS is accessed by EASi personnel and user organizations via the Internet through application processing servers housed at the third party Datapipe colocation facility in San Jose, California. EASi is responsible for overall EMS hardware and software support, including technical assistance and system monitoring.

Description of EASi’s Computerized Information Systems EASi maintains two data centers. The EMS production servers are housed at the Datapipe colocation facility in San Jose, California. The EMS development, quality assurance, testing, and disaster recovery servers were housed at the EASi corporate office data center until September 2010. As of September 20th, 2010, these servers were moved to the CyberTrails colocation facility in Phoenix, Arizona. EASi has a Local Area Network (LAN) installed at the office which is used by employees for Internet and email access, file and print sharing, and general information. The LAN servers function as the domain controllers, file and print, and Quality Assurance (QA) database server. Windows 2000/2003 Server is the primary operating system.

Communication EASi uses various methods of communication to help ensure that employees understand their individual roles and responsibilities as they relate to the development and support of EMS and to help ensure that information is communicated on a timely basis. These methods include job descriptions, training, and management and departmental meetings. EASi has implemented various methods of communication with its user organizations to help ensure they understand their individual roles and responsibilities as they relate to the development and support of EMS and to help ensure information is communicated on a timely basis. These methods include user organization training, access to the status of customer support requests via the website, release notes issued to the user organization and a service agreement that is required to be signed by EASi and the user organization.

User Organization Controls

The controls within EASi cover only a portion of the overall internal control structure of each user organization. It is not feasible for the control objectives to be solely achieved by EASi. Therefore, each user organization’s internal control structure must be evaluated in conjunction with EASi’s controls and related testing detailed in this section, taking into account the related user organization controls identified under each control objective. In order for user organizations to rely on the controls reported on herein, each user organization must evaluate its own internal control structure to determine if the identified user organization controls are in place. The user organization controls listed in this section do not purport to be, and are not, a complete list of the controls which provide a basis for the assertions underlying the financial statements of user organizations.


Control Objectives, Controls, and Tests of Operating Effectiveness The management of EASi has specified the control objectives and has identified the controls that are designed to achieve the stated control objectives. BDO USA, LLP, the service auditor, has determined the nature, timing, and extent of testing to be performed. Details of the tests of the operating effectiveness and the results of those tests performed are contained in this section of the report and are the responsibility of BDO USA, LLP and should be considered information provided by BDO USA, LLP.


CONTROL OBJECTIVE 1 – Physical Security

Controls provide reasonable assurance that physical access to the EASi corporate office and data center is restricted to authorized personnel.

The EMS production servers are housed at a colocation facility in San Jose, California. All servers in the corporate data center were migrated from the corporate office to the CyberTrails colocation facility in Phoenix, Arizona as of September 20th, 2010. The controls of these subservice organizations are not in the scope of this report.

The EASi corporate office is located in Pleasanton, California. Access to the EASi corporate office and data center requires a key. The EASi corporate data center is also restricted via a fingerprint scanner and may be accessed using either the key or the fingerprint scanner. Visitors are required to sign a visitor’s log upon arrival and are escorted into the office.

For new or additional access requests, the manager completes and signs a facility access form authorizing EASi corporate office and data center access. The Office Manager provides the EASi corporate office and data center key, if required. Only the CTO or VP of Engineering may authorize access to the colocation facilities. For terminated employees and other access removals, the Office Manager collects the EASi corporate office and data center key, if one was provided. The Office Manager signs and dates the facility access form confirming that the key(s) were returned. The Office Manager maintains a key log detailing the employees with EASi corporate office and data center access. The Office Manager reviews the key log annually to verify that access to the EASi corporate office and data center and the colocation data centers is restricted to authorized personnel.

Controls Specified by EASi / Tests of Operating Effectiveness Performed by BDO USA, LLP

1.1 Control: Access to the EASi corporate office requires a key. Access to the EASi corporate data center is restricted via key or a fingerprint scanner.
Test: Observed that the entrances to the EASi corporate office and data center required a key for access, and that the EASi corporate data center may also be accessed using a fingerprint scanner.

1.2 Control: Visitors are required to sign a visitor’s log upon arrival and are escorted into the office.
Test: Inquired with EASi personnel and corroborated the control procedure described. Inspected the visitor log and determined that the visitors were required to sign a visitor’s log upon arrival, and observed that the visitors were escorted into the office.

1.3 Control: For new or additional access requests, the manager completes and signs a facility access form authorizing EASi corporate office and data center access. Only the CTO or VP of Engineering may authorize access to the colocation facilities.
Test: Inquired with EASi personnel and corroborated the control procedure described. For a selection of new access rights granted during the reporting period, inspected the Request for Access to Facility form and determined that access to the corporate office and data center was properly approved. The operating effectiveness of this control related to the authorization of physical access to the EASi corporate data center and colocation facilities could not be tested other than by inquiry, as there were no new personnel that required data center or colocation facility access to be granted during the reporting period.

1.4 Control: For terminated employees and other access removals, the Office Manager signs and dates the facility access form confirming that the key(s) were returned.
Test: Inquired with EASi personnel and corroborated the control procedure described. For a selection of employees whose access was disabled during the reporting period, inspected the facility access form and determined that the Office Manager signed and dated the forms, providing evidence of the control procedure performed.

1.5 Control: The Office Manager reviews the key log annually to verify that access to the EASi corporate office and data center and the colocation data centers is restricted to authorized personnel.
Test: Inquired with EASi personnel and corroborated the control procedure described. Inspected the key log, noting the Office Manager’s signature providing evidence of the control procedure performed.

Results of Tests Performed: No relevant findings or exceptions noted.


CONTROL OBJECTIVE 2 – Environmental Security Controls provide reasonable assurance that environmental devices are installed to protect

the EASi corporate office and data center. The EMS production servers are housed at a colocation facility in San Jose, California. All servers in the corporate data center were migrated from the corporate office to the CyberTrails colocation facility in Phoenix, Arizona as of September 20th, 2010. The controls of these subservice organizations are not in the scope of this report. The fire detection system at the EASi corporate office is built around a monitoring system which detects smoke during the early stages of combustion. The system is the first line of defense, monitoring the air and ceiling space for signs of smoke. Visual and audio alarms are installed in the EASi corporate office and data center that will sound and illuminate a light-emitting diode (LED) when the fire alarm is activated. The fire detection system is maintained by office building management. A water extinguishing system is used to protect the EASi corporate office and data center from fire hazards. The water extinguishing system in the EASi data center is a dry pipe system. The water extinguishing system and fire extinguishers are maintained by the office building management. Air conditioning (AC) units protect the EASi corporate office and data center from heat and humidity variations. The AC units are maintained by office building management. The EASi corporate data center is also equipped with redundant Uninterruptible Power Supply (UPS) systems to protect the computer equipment from electrical power surges and loss of data from sudden power outages. The UPS systems are configured to provide conditioned uninterruptible power to critical electrical loads for up to 20 minutes, and to allow for a controlled shutdown, if necessary.

Controls Specified by EASi Tests of Operating Effectiveness Performed by BDO USA, LLP

2.1 Visual and audio alarms are installed in the EASI corporate office and data center.

Inquired with EASi personnel and corroborated the control procedure described. Observed the visual and audio alarms installed in the EASI corporate office and data center.

2.2 A water extinguishing system protects the EASi corporate office and data center from fire hazards.

Inquired with EASi personnel and corroborated the control procedure described. Observed the water extinguishing system installed in the EASi corporate office and data center.

2.3 AC units protect the EASi corporate office and data center from heat and humidity variations.

Inquired with EASi personnel and corroborated the control procedure described. Observed the AC units in the EASi corporate office and data center and determined that they were operating.


2.4 The EASi corporate data center is equipped with redundant UPS systems.

Inquired with EASi personnel and corroborated the control procedure described. Observed the UPS systems in the EASi corporate data center and determined that they were operating.

Results of Tests Performed

No relevant findings or exceptions noted.


CONTROL OBJECTIVE 3 – Network Security
Controls provide reasonable assurance that connections to the Internet or other networks are protected from unauthorized access.

Network-based security measures, including industry standard firewalls and diagnostic logs, are used to protect the EASi network. The firewalls reside on the network and analyze the data and packets routed through the network to the EASi applications. The firewall rules are configured by the Network Administrator based on the concept of least privilege, meaning that unless access is specifically granted, it is denied. The Network Administrator reviews the diagnostic log maintained by the firewall on a weekly basis and records the results of these reviews in a spreadsheet. Administrator access to the firewall is restricted to IT department personnel. Access to the firewalls requires a user to enter a user ID and password. Firewall password complexity is configured to industry best practices to the extent supported by the device.

The EASi network can also be accessed wirelessly. The wireless router utilizes WPA encryption. Wireless network access is restricted to preapproved media access control (MAC) addresses.

Antivirus software is used to protect the servers and workstations from malicious code or viruses. Virus signature definition files are automatically updated weekly. Virus scans are also scheduled daily. The Network Administrator reviews the antivirus software weekly to verify that the weekly updates and daily virus scans completed successfully.

Controls Specified by EASi / Tests of Operating Effectiveness Performed by BDO USA, LLP

3.1 Firewalls reside on the EASi network.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the network diagram and firewall configurations and determined that firewalls were installed at the EASi corporate office and the colocation facilities.

3.2 The Network Administrator reviews the diagnostic log weekly that is maintained by the firewall.

Inquired with EASi personnel and corroborated the control procedure described. For a selection of weeks, inspected the spreadsheet noting the Network Administrator sign-off and notes providing evidence of the control procedure performed. The operating effectiveness of this control for the new colocation facility could not be tested other than by inquiry as the colocation facility went live on September 26, 2010 and there were no occurrences of the log review from September 26 to September 30, 2010.

3.3 Administrator access to the firewall is restricted to IT department personnel.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the firewall user listing and organization chart, and reviewed the listing with EASi personnel to determine whether access was restricted to the IT department. See Results of Tests Performed-1

3.4 Access to the firewalls requires a user to enter a user ID and password.

Inquired with EASi personnel and corroborated the control procedure described. Observed the logon prompts for the firewalls and determined that a user ID and password were required for access.

3.5 Firewall password complexity is configured to industry best practices to the extent supported by the device.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the firewall password configurations and determined that password security parameters were applied as allowed by the system.

3.6 Antivirus software is used to protect the servers and workstations from malicious code or viruses.

Inquired with EASi personnel and corroborated the control procedure described. Observed the antivirus software on a selected server and workstation and determined that the antivirus software was installed.

3.7 Virus signature definition files are automatically updated weekly.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the virus signature definition files and determined that the files were configured to automatically update weekly.

3.8 Virus scans are scheduled daily.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the scan setting and determined that virus scans were scheduled daily.

3.9 The Network Administrator reviews the antivirus software weekly to verify that the weekly updates and daily virus scans completed successfully.

Inquired with EASi personnel and corroborated the control procedure described. For a selection of weeks, inspected the spreadsheet noting the Network Administrator sign-off and notes providing evidence of the control procedure performed. The operating effectiveness of this control for the new colocation facility could not be tested other than by inquiry as the colocation facility went live on September 26, 2010 and there were no occurrences of the log review from September 26 to September 30, 2010.
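The weekly antivirus review in control 3.9 is described only as a sign-off in a spreadsheet. As an added illustration, not EASi's code or a description of the tool EASi uses, the following script shows the check that such a review reduces to: for every host, were the signature definitions updated within the last seven days (control 3.7), and did a scan complete on each day of the review window (control 3.8)? It then builds the row a reviewer would record as evidence. The host names, dates and record layout are constructed for the example; a real review would read them from the antivirus console's export.

```python
"""Added example (not EASi's code): the check behind a weekly antivirus
review (controls 3.7 to 3.9), run over constructed status records.

For each host it confirms that signature definitions are no more than a
week old and that a scan completed on every day of the review window, and
it produces the row a reviewer would record in the sign-off spreadsheet.
Host names, dates and the record layout are constructed for illustration.
"""
from datetime import date, timedelta
from typing import Dict, List


def _daily(start: date, results: List[str]) -> Dict[date, str]:
    """Build a {day: scan result} map for consecutive days starting at `start`."""
    return {start + timedelta(days=i): r for i, r in enumerate(results)}


REVIEW_DATE = date(2010, 9, 26)   # constructed week-ending date for the review

# Constructed console export: last signature update and per-day scan results.
STATUS = {
    "srv-ems-01": {"signatures": date(2010, 9, 24),
                   "scans": _daily(date(2010, 9, 20), ["completed"] * 7)},
    "ws-cs-07":   {"signatures": date(2010, 9, 16),          # definitions 10 days old
                   "scans": _daily(date(2010, 9, 20), ["completed"] * 7)},
    "srv-db-02":  {"signatures": date(2010, 9, 25),
                   "scans": {**_daily(date(2010, 9, 20), ["completed"] * 3),
                             # no record for 2010-09-23 at all
                             date(2010, 9, 24): "failed",
                             **_daily(date(2010, 9, 25), ["completed"] * 2)}},
}


def verify_antivirus(status, review_date, max_sig_age_days=7, window_days=7):
    """Return {host: [problem, ...]}; an empty list means the host passed."""
    report = {}
    for host, rec in sorted(status.items()):
        problems = []
        age = (review_date - rec["signatures"]).days
        if age > max_sig_age_days:
            problems.append(f"signature definitions {age} days old (limit {max_sig_age_days})")
        # Walk the window oldest day first so findings read chronologically.
        for offset in range(window_days - 1, -1, -1):
            day = review_date - timedelta(days=offset)
            result = rec["scans"].get(day)
            if result is None:
                problems.append(f"no scan recorded on {day.isoformat()}")
            elif result != "completed":
                problems.append(f"scan on {day.isoformat()} ended with status '{result}'")
        report[host] = problems
    return report


def signoff_row(report, reviewer, review_date):
    """Row for the review spreadsheet: the evidence an auditor later samples."""
    failing = sorted(h for h, p in report.items() if p)
    return {
        "week_ending": review_date.isoformat(),
        "reviewer": reviewer,
        "hosts_checked": len(report),
        "hosts_with_issues": len(failing),
        "result": "pass" if not failing else "exceptions: " + ", ".join(failing),
    }


if __name__ == "__main__":
    report = verify_antivirus(STATUS, REVIEW_DATE)
    for host, problems in report.items():
        print(host, "OK" if not problems else "; ".join(problems))
    print(signoff_row(report, "Network Administrator", REVIEW_DATE))
```

The point of recording per-host problems rather than a single pass/fail is that the sign-off then carries the same detail an auditor inspects when sampling weeks, and a host missing from the export shows up as a missing scan rather than silently passing.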

3.10 The wireless router utilizes WPA encryption.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the wireless router configuration and determined that WPA encryption is utilized.

3.11 Wireless network access is restricted to preapproved MAC addresses.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the wireless router configuration and observed that wireless network access is restricted to preapproved MAC addresses.

Results of Tests Performed

1. Access to two firewall administrator accounts is shared by two IT personnel.

No additional relevant findings or exceptions noted.

Page 18: EQUITY ADMINISTRATION SOLUTIONS, INC. THE … USA, LLP, a New York limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited b y guarantee,

Section III

17

CONTROL OBJECTIVE 4 – Internet Application Security
Controls provide reasonable assurance that connections to the http://www.easiadmin.com website are adequately protected from unauthorized access and that data transferred is secured.

The website hosted by EASi is located at:

• https://www.easiadmin.com

To protect against disclosure to third parties, the above website transmits data utilizing Hypertext Transfer Protocol Secure (HTTPS) using Secure Sockets Layer (SSL) encryption, which enables 128-bit encryption when communicating with Internet browsers. In addition, EASi uses Network Solutions Certificate Authority as the trusted certificate authority to inform user organizations that the website (www.easiadmin.com) is authentic. Users are authenticated against the EMS server upon login. Users are required to enter a user ID and password to access EMS.

Controls Specified by EASi / Tests of Operating Effectiveness Performed by BDO USA, LLP

4.1 The website transmits data utilizing HTTPS using SSL encryption which enables 128-bit encryption when communicating with Internet browsers.

Inquired with EASi personnel and corroborated the control procedure described. Observed the https://www.easiadmin.com website and determined that 128-bit SSL encryption was used.

4.2 EASi uses Network Solutions Certificate Authority as the trusted certificate authority to inform user organizations that the website (www.easiadmin.com) is authentic.

Inquired with EASi personnel and corroborated the control procedure described. Observed the https://www.easiadmin.com website and determined that a valid certificate has been issued to EASi by Network Solutions Certificate Authority for the website.

4.3 Users are required to enter a user ID and password to access EMS.

Inquired with EASi personnel and corroborated the control procedure described. Observed the logon procedure and determined that users are required to enter a user ID and password to access EMS.

Results of Tests Performed

No relevant findings or exceptions noted.


CONTROL OBJECTIVE 5 – Logical Security
Controls provide reasonable assurance that logical access: (1) to the network, EMS and related systems is restricted to authorized EASi personnel and (2) EMS is restricted to users authorized by the user organization.

The IT department is responsible for assigning and maintaining access rights to the network, EMS and the EMS database.

EASi Personnel Access Authorization

To authorize network administrator or EMS System Administrator access or EMS database access (as applicable), the CTO or VP of Engineering completes and signs an access authorization form. The Network Administrator sets up the access as authorized. Network administrator and EMS database access are restricted to IT department personnel. Access to the System Administrator function within EMS is restricted to the Customer Support department. To authorize network, remote or EMS access (as applicable), the CTO, VP of Engineering, or the Office Manager completes and signs an access authorization form. The Network Administrator sets up the access as authorized.

EASi Personnel Access Disablement/Deletion

For terminated employees, the Office Manager notifies the Network Administrator to disable/delete the terminated employee’s access (as applicable). The Network Administrator disables/deletes the terminated employee’s access and notifies the Office Manager. The Office Manager completes and signs the network access form to acknowledge that the terminated employee’s access was disabled/deleted.

User Listing Review

The network, remote, EMS System Administrator, network administrator, and EMS database access listings are reviewed annually by the VP of Engineering to verify that the access is restricted to authorized personnel.

Network, Remote, EMS System Administrator, Network Administrator and EMS Database Access

Network and remote access is restricted to authorized EASi personnel. Access to the EASi network requires a user to enter a user ID and password. Password security parameters for the network include the following requirements:

• Minimum password length – 7 characters
• Password expiration – 45 days
• Password history is maintained for 24 passwords
• Password complexity – enabled
• Account lockout after 5 unsuccessful logon attempts with an automatic 30 minute reset

Remote network access is through Virtual Private Network (VPN) client software. The Network Administrator sets up the user with network access under the VPN user group. The user must open the VPN client software, install a secure policy file (at first logon only) provided by the Network Administrator, and then logon using their network user ID and password. The logon information is passed through a VPN encrypted tunnel to the firewall which uses the Active Directory server to authenticate the user’s VPN access.

EMS System Administrator access is restricted to EASi Customer Support. Network administrator access is restricted to IT department personnel. Direct access to the EMS database is restricted to IT department personnel and requires a user to enter a user ID and password.

EMS Access

EMS access is restricted to authorized EASi personnel and users authorized by the user organization. Access to EMS requires a user to enter a user ID and password. Password security parameters for EMS include the following requirements:

• Minimum password length – 7 alphanumeric characters
• Password expiration – 45 days
• Password history is maintained for 15 passwords
• Idle session time out – 45 minutes of inactivity
• Account lockout after 5 unsuccessful logon attempts with an administrator reset required
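The two parameter lists above (network and EMS) differ in ways that matter operationally: the network lockout clears itself after 30 minutes while the EMS lockout needs an administrator, the history depths differ (24 versus 15), and only EMS has an idle timeout. As an added example, not EASi's code and not a description of how Active Directory or EMS implement these settings, the following model applies both policies to a sequence of events so the effect of each parameter can be seen. Assumptions not stated on the page: "complexity enabled" (listed for EMS in control 5.12) is taken to mean at least three of four character classes, the 30-minute reset window is measured from the last failed attempt, and the caller supplies the clock so the model is deterministic. Hashing is plain SHA-256 here for brevity; a real credential store would use a slow, salted KDF.

```python
"""Added example (not EASi's code): a model of the network and EMS password
and lockout policies listed in the control description, so each parameter's
effect can be observed on a sequence of events.

Assumptions: complexity = at least 3 of 4 character classes; the network
auto-reset window runs from the last failed attempt; time is passed in by
the caller. SHA-256 stands in for a proper password KDF.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    expiration_days: int
    history_size: int
    complexity: bool
    lockout_threshold: int
    lockout_reset_minutes: Optional[int]     # None: administrator reset required
    idle_timeout_minutes: Optional[int] = None


# Parameters as listed in the control description.
NETWORK_POLICY = PasswordPolicy("network", 7, 45, 24, True, 5, 30)
EMS_POLICY = PasswordPolicy("EMS", 7, 45, 15, True, 5, None, idle_timeout_minutes=45)


def meets_complexity(pw: str) -> bool:
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes) >= 3


def _digest(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


@dataclass
class Account:
    policy: PasswordPolicy
    history: List[str] = field(default_factory=list)   # digests, newest last
    changed_at: Optional[datetime] = None
    failed: int = 0
    last_failed: Optional[datetime] = None
    locked: bool = False
    last_activity: Optional[datetime] = None

    def set_password(self, pw: str, now: datetime) -> Optional[str]:
        """Return None when accepted, otherwise the reason for rejection."""
        p = self.policy
        if len(pw) < p.min_length:
            return "too short"
        if p.complexity and not meets_complexity(pw):
            return "complexity"
        d = _digest(pw)
        if d in self.history[-p.history_size:]:      # reuse within the history depth
            return "reused"
        self.history.append(d)
        self.changed_at = now
        return None

    def password_expired(self, now: datetime) -> bool:
        return (self.changed_at is None
                or now - self.changed_at > timedelta(days=self.policy.expiration_days))

    def is_locked(self, now: datetime) -> bool:
        """Clear the lock automatically once the reset window has elapsed (network only)."""
        if not self.locked:
            return False
        window = self.policy.lockout_reset_minutes
        if window is not None and now - self.last_failed >= timedelta(minutes=window):
            self.locked, self.failed = False, 0
        return self.locked

    def admin_unlock(self) -> None:
        """The only way out of an EMS lockout."""
        self.locked, self.failed = False, 0

    def logon(self, pw: str, now: datetime) -> str:
        """Return one of: ok, expired, denied, locked."""
        if self.is_locked(now):
            return "locked"
        if self.history and _digest(pw) == self.history[-1]:
            self.failed = 0
            self.last_activity = now
            return "expired" if self.password_expired(now) else "ok"
        self.failed += 1
        self.last_failed = now
        if self.failed >= self.policy.lockout_threshold:
            self.locked = True
            return "locked"
        return "denied"

    def session_active(self, now: datetime) -> bool:
        """Idle session timeout; the network policy lists none, so it never expires there."""
        limit = self.policy.idle_timeout_minutes
        if self.last_activity is None:
            return False
        return limit is None or now - self.last_activity < timedelta(minutes=limit)
```

Run against the same events, the two accounts diverge exactly where the lists differ: after five bad attempts the network account accepts the correct password again 30 minutes later, the EMS account does not until `admin_unlock()` is called, and a password retired 15 changes ago is accepted again by EMS but still rejected by the network policy.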

Upon successful logon, users are provided access to a drop-down list of the companies for which the user has access. The user may only access data for the companies to which EASi has provided the user access.

User Organization EMS Access Authorization

Access to user organization accounts (i.e., SOA and Security / Group Admin) is provided by default to EASi Customer Support personnel with no specific authorization required. User organization EMS access authorization is described below.

Prior to EASi Version 5.0 (Prior to 03/01/10): To authorize user organization Stock Option Administrator (SOA) access, the authorized user organization representative emails the EASi customer service representative (CSR). An EASi CSR with EMS System Administrator access sets up the user organization’s SOA access and provides a logon ID and temporary password to the SOA. To authorize additional SOA or user access, the SOA sends an email to the EASi CSR. An EASi CSR with EMS System Administrator access sets up the SOA or user access and provides a logon ID and temporary password to the SOA/user and to the SOA to confirm the access was set up. The SOA has the ability to reset passwords for current user IDs and to lock out current user IDs.


Effective as of Version 5.0 (This version was made available as of 03/01/10): Each user organization assumes responsibility for setting up and maintaining access within its own organization by requesting EASi Customer Support to set up Security/Group Administrator access for the organization. The Security / Group Administrators are then responsible for the creation of SOA and lower roles for the given user organization. The Security / Group Administrator has the ability to:

1. Add new users
2. Update user information
3. Grant users additional roles
4. Delete users
5. Unlock user access
6. Reset user passwords

To authorize new or additional user organization Security/Group Administrator access, the authorized user organization contact emails the EASi CSR. An EASi CSR with EMS System Administrator access sets up the user organization’s Security/Group Administrator access and provides a logon ID and temporary password to the Security/Group Administrator. The logon ID and password are provided to the Security/Group Administrator via a telephone call.

User Organization EMS Access Disablement/Deletion

Prior to EASi Version 5.0 (Prior to 03/01/2010): To delete user organization EMS access, the authorized user organization representative or SOA notifies the EASi CSR. Upon notification, the EASi CSR deletes the SOA/user’s EMS access and confirms to the requestor that the access was deleted.

Effective as of Version 5.0 (Beginning 03/01/10): To delete a user organization’s Security/Group Administrator access, the authorized user organization representative or Corporate Officer notifies the EASi CSR. Upon notification, the EASi CSR deletes the Security/Group Administrator’s access and confirms to the requestor that the access was deleted. The end user access for user organization users is deleted by the respective user organization’s Security/Group Administrator.


Controls Specified by EASi / Tests of Operating Effectiveness Performed by BDO USA, LLP

EASi Personnel Access Authorization 5.1 To authorize network administrator, EMS application administrator or EMS database access, the CTO or VP of Engineering completes and signs an access authorization form.

Inquired with EASi personnel and corroborated the control procedure described. For a selection of new network administrator, EMS application administrator or EMS database access rights granted during the reporting period, inspected access authorization forms to determine whether the CTO or VP of Engineering signed the forms providing evidence of the control procedure performed. See Results of Tests Performed-1

EASi Personnel Access 5.2 Network administrator and EMS database access are restricted to IT department personnel. EMS application administrator access is restricted to the Customer Support department.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the network administrator and EMS database user listings and the organization chart and reviewed the listings with EASi personnel to determine whether access was restricted to the IT department. See Results of Tests Performed-2 Inspected the EMS System Administrator user listing and the organization chart; reviewed the listing with EASi personnel; and determined that access was restricted to the Customer Support department.

EASi Personnel Access Authorization 5.3 To authorize network and remote access, the manager completes and signs an access authorization form.

Inquired with EASi personnel and corroborated the control procedure described. For a selection of new access rights granted, inspected access authorization forms noting manager sign-offs providing evidence of the control procedure performed.

EASi Personnel Access Disablement/Deletion 5.4 To delete the access of a terminated employee, the Office Manager completes and signs the access authorization form to acknowledge that the terminated employee’s access was disabled/deleted.

Inquired with EASi personnel and corroborated the control procedure described. For all employees whose access rights were removed during the reporting period, inspected the network, remote, EMS, and EMS database user listings and determined that terminated employees were not listed. For all employees terminated during the reporting period, inspected access authorization forms and determined that the manager completed and signed the forms providing evidence of control performed.

User Listing Review 5.5 The network, remote, EMS System Administrator, network administrator and EMS database access listings are reviewed annually by the VP of Engineering to verify that the access is restricted to authorized personnel.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the access audit log noting the VP of Engineering’s sign-off providing evidence of the control procedure performed.
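Controls 5.2, 5.4 and 5.5, and the auditor's tests of them, all come down to the same reconciliation: each privileged listing is read against the organization chart and HR status, and an account is an exception when its holder is outside the permitted department, has been terminated, is not a named person, or is one of several people using one credential (the condition behind the shared-account findings in this objective and in Objective 3). As an added example, not EASi's code, the script below performs that reconciliation over constructed data. The names, departments, listing names and the rule that network administrator and EMS database access belong to IT while EMS System Administrator access belongs to Customer Support are taken from the description above; the data itself is invented for illustration.

```python
"""Added example (not EASi's code): the reconciliation an access-listing
review such as control 5.5 performs, over constructed data.

Inputs: the organization chart / HR roster, the department permitted to hold
each kind of privileged access, and each privileged listing with the people
who hold each account's credential.  Output: the exceptions an auditor tests
for.  All names, departments and listings are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Organization chart / HR roster: person -> (department, employment status)
ROSTER: Dict[str, Tuple[str, str]] = {
    "jdoe":   ("IT", "active"),
    "asmith": ("IT", "active"),
    "bwong":  ("Customer Support", "active"),
    "rlee":   ("Engineering", "active"),
    "tgone":  ("IT", "terminated"),
}

# Department permitted to hold each listing, per the control description.
PERMITTED: Dict[str, Set[str]] = {
    "network_admin": {"IT"},
    "ems_db":        {"IT"},
    "ems_sysadmin":  {"Customer Support"},
}

# Privileged listings: listing -> account -> people who hold the credential.
LISTINGS: Dict[str, Dict[str, List[str]]] = {
    "network_admin": {"jdoe": ["jdoe"], "fwadmin": ["jdoe", "asmith"], "tgone": ["tgone"]},
    "ems_db":        {"dba": ["asmith", "jdoe"], "rlee": ["rlee"]},
    "ems_sysadmin":  {"bwong": ["bwong"], "svc_batch": []},
}

Finding = Tuple[str, str, str]   # (listing, account, issue)


def review_access(listings, roster, permitted) -> List[Finding]:
    """Return every exception found across all listings, in listing/account order."""
    findings: List[Finding] = []
    for listing, accounts in sorted(listings.items()):
        allowed = permitted[listing]
        for account, holders in sorted(accounts.items()):
            if not holders:
                findings.append((listing, account, "no named owner"))
                continue
            if len(holders) > 1:   # one credential known to several people
                findings.append((listing, account, "shared by " + ", ".join(sorted(holders))))
            for person in holders:
                if person not in roster:
                    findings.append((listing, account, f"owner {person} not on roster"))
                    continue
                dept, status = roster[person]
                if status != "active":
                    findings.append((listing, account, f"owner {person} is {status}"))
                if dept not in allowed:
                    findings.append((listing, account,
                                     f"owner {person} is in {dept}, not {'/'.join(sorted(allowed))}"))
    return findings


def signoff(findings: List[Finding], reviewer: str, review_date: str) -> str:
    """One line for the review record: who reviewed, when, and the outcome."""
    outcome = "no exceptions" if not findings else f"{len(findings)} exception(s)"
    return f"{review_date} {reviewer}: {outcome}"


if __name__ == "__main__":
    found = review_access(LISTINGS, ROSTER, PERMITTED)
    for listing, account, issue in found:
        print(f"{listing:14} {account:10} {issue}")
    print(signoff(found, "VP of Engineering", "2010-09-30"))
```

The listing format deliberately records who holds each credential rather than just the account name: a bare account list cannot distinguish a personal account from a shared one, which is exactly what the Results of Tests Performed in this objective and in Objective 3 report.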

Network Access 5.6 Password security parameters for the network include the following requirements:

• Minimum password length – 7 characters
• Password expiration – 45 days
• Password history is maintained for 24 passwords
• Password complexity – enabled
• Account lockout after 5 unsuccessful logon attempts

Inquired with EASi personnel and corroborated the control procedure described. Observed the network password configuration and determined that the stated parameters were applied.

Network and Remote Access 5.7 Access to the EASi network requires a user to enter a user ID and password.

Inquired with EASi personnel and corroborated the control procedure described. Observed the EASi network prompt and determined that a user ID and password were required for access.

Remote Access 5.8 Remote network access is through VPN client software.

Inquired with EASi personnel and corroborated the control procedure described. Observed the remote configuration and determined that remote network access was through VPN client software.


Remote Access 5.9 The user must open the VPN client software, install a secure policy file (at first logon only) provided by the Network Administrator, and then logon using their network user ID and password.

Inquired with EASi personnel and corroborated the control procedure described. Observed the VPN logon process and determined that users must install a secure policy file (at first logon only) provided by the Network Administrator and then logon using their network user ID and password.

EMS Database Access 5.10 Access to the EMS database requires a user to enter a user ID and password.

Inquired with EASi personnel and corroborated the control procedure described. Observed the EMS database logon prompt and determined that a user ID and password were required for access.

EMS Access 5.11 Access to EMS requires a user to enter a user ID and password.

Inquired with EASi personnel and corroborated the control procedure described. Observed EMS logon prompt and determined that a user ID and password were required for access.

EMS Access 5.12 Password security parameters for EMS include the following requirements:

• Minimum password length – 7 alphanumeric characters
• Password expiration – 45 days
• Password history is maintained for 15 passwords
• Idle session time out – 45 minutes of inactivity
• Password complexity – enabled
• Account lockout after 5 unsuccessful logon attempts with administrator reset required

Inquired with EASi personnel and corroborated the control procedure described. Observed EMS password configuration and determined that the stated parameters were applied.

EMS Access 5.13 Upon successful logon, users access a screen with a drop down list of companies for which the user has access. The user may only access data for the companies to which they have been provided access by EASi.

Inquired with EASi personnel and corroborated the control procedure described. Observed a selection of users logon to EMS and determined that users were only able to view companies for which he/she was provided access by EASi.


User Organization EMS Access Authorization 5.14 To authorize user organization Stock Option Administrator (SOA) or Security / Group Admin access, the authorized user organization contact emails the EASi CSR. To authorize additional SOA or user access, the SOA sends an email to the EASi CSR.

Inquired with EASi personnel and corroborated the control procedure described. For a selection of SOAs/users requiring EMS access, inspected the email and SOA user listing or contract and determined the email was received from an authorized user organization contact or the SOA.

5.15 EASi SOA or Security / Group Admin access to user organization accounts is restricted to EASi Customer Support personnel.

Inspected the EMS SOA user listing and the organization chart; reviewed the listings with EASi personnel; and determined that access was restricted to the Customer Support personnel.

User Organization EMS Access Disablement/Deletion 5.16 Upon notification, the EASi CSR deletes the Security / Group Admin, SOA and/or User EMS access.

Inquired with EASi personnel and corroborated the control procedure described. For a selection of users requiring EMS access to be deleted, inspected the EMS user listing and determined that the users were not listed.

Results of Tests Performed

1. For 1 of 3 new hires selected, evidence does not exist to substantiate management's approval of the user’s network administrator access.

2. The password to an EMS database administrator account is shared by two IT personnel.

No additional relevant findings or exceptions noted.

User Organization Controls

1. User organizations should provide authorization to EASi to add or modify EMS user access.
2. User organizations should delete or provide notification to EASi to delete EMS user access on a timely basis.
3. User organizations should perform periodic reviews of EMS SOA and user access to verify that access is restricted to authorized personnel.


CONTROL OBJECTIVE 6 – EMS Software Development
Controls provide reasonable assurance that EMS software changes are tested and approved prior to being implemented into the production environment.

EMS software development (e.g., new functionality, major and minor enhancements, bugfixes and hotfixes) is performed by EASi. EASi follows a standard Software Development Life Cycle (SDLC) methodology composed of four phases: Define, Design and Development, Test, and Release.

Define

The management team reviews, prioritizes and schedules new functionality, major and minor enhancements, bugfixes and hotfixes.

Design and Development

Business Requirements Documents (BRDs) and Functional Design Specifications (FDSs) are created for new functionalities and major and minor enhancements. New functionalities and major and minor enhancements are tracked in the Engineering Project Tracking System. BRDs are reviewed and approved by the Engineering or the Product Management team. Bugfixes and hotfixes do not require BRDs or FDSs, but are tracked in the Engineering Project Tracking System.

EASi has implemented segregated development, testing, and production environments. EASi uses a source code management (SCM) system to maintain version control over source code. The SCM system serves as a master library for all source code. The source code is checked out of the SCM into the programmer’s development environment to ensure the correct version of the software is modified and to alert other programmers that changes are in progress. The programmer makes the required changes and performs unit testing in the development environment. The source code is then checked in to the SCM system upon completion of successful unit testing, to be included in future builds.

Test

Once the Engineering department completes development and testing of the new functionality, major or minor enhancement, or bugfix or hotfix, QA testing can be performed. QA testing can be performed by the EASi Quality Assurance or Customer Support groups or by Partners or Customers depending on the item(s) being tested. Once testing is complete and the expected results are achieved, the QA personnel, Customer Support Representative, Partner or Customer, as appropriate, approve the change to be deployed to the production environment.

Release

The VP of Engineering coordinates with the database administrator (DBA), network administrator, QA Manager, and VP of Operations to implement the changes into the production environment. Access to implement changes into the EMS production environment is restricted to users with network administrator access. Access to implement changes into the EMS database production environment is restricted to users with EMS database administrator access. Changes are implemented into the production environment during off-peak hours and/or periods of low activity.

CONTROL OBJECTIVE 6 – EMS Software Development (Continued)

Controls provide reasonable assurance that EMS software changes are tested and approved prior to being implemented into the production environment.

Release notes are provided to the user organization detailing the changes made to EMS. A back out plan is put in place for all releases to allow the IT department to restore the production environment to the prior version if a problem occurs with the release.

Controls Specified by EASi | Tests of Operating Effectiveness Performed by BDO USA, LLP

6.1 BRDs are reviewed and approved by the Engineering or the Product Management team.

Inquired with EASi personnel and corroborated the control procedure described. For a selection of software changes, inspected the Engineering Project Tracking System noting the VP of Engineering’s approval providing evidence of the control procedure performed.

6.2 EASi has implemented segregated development, testing and production environments.

Inquired with EASi personnel and corroborated the control procedure described. Observed the environments and determined that separate development, testing and production environments have been implemented.

6.3 EASi uses a SCM system to maintain version control over the program source code.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the SCM configuration and determined that SCM system is used to maintain version control. For a selection of software changes, inspected the SCM system and determined that the changed source code was stored in the SCM system.

6.4 Write access to the SCM system is restricted to the IT and Engineering departments.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the SCM system user listing and the organization chart, and reviewed the listing with EASi personnel to determine whether access is restricted to the IT and Engineering departments. See Results of Tests Performed, item 1.

6.5 EMS application changes are tested by the EASi Quality Assurance or Customer Support groups, or by Partners or Customers depending on the item(s) being tested.

Inquired with EASi personnel and corroborated the control procedure described. For a selection of software changes, inspected the tracking tool noting testing performed by QA, Customer Support, or Customer/Partner providing evidence of the control procedure performed.

CONTROL OBJECTIVE 6 – EMS Software Development (Continued)

Controls provide reasonable assurance that EMS software changes are tested and approved prior to being implemented into the production environment.

Controls Specified by EASi | Tests of Operating Effectiveness Performed by BDO USA, LLP

6.6 Once testing is complete and the expected results are achieved, the QA personnel, Customer Support Representative, Partner or Customer, as appropriate, approve the change to be deployed to the production environment.

Inquired with EASi personnel and corroborated the control procedure described. For a selection of software changes, inspected the email noting QA, Customer Support, or Partner approvals providing evidence of the control procedure performed.

6.7 Access to implement changes into the EMS production environment and the EMS database production environment is restricted to authorized IT personnel.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the Network Administrator user listing and the organization chart and reviewed the listing with EASi personnel to determine whether access was restricted to authorized IT personnel. See Results of Tests Performed, item 2.

Results of Tests Performed

1. Three QA personnel share access to one SCM system account which has write access.

2. Two EMS database server administrator accounts are shared by two IT personnel.

No additional relevant findings or exceptions noted.
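Test 6.4 above reconciles the SCM user listing against the organization chart, and finding 1 is the kind of condition that reconciliation surfaces. The following script is an added example of automating that access review (it is not EASi's or BDO's tooling); the account names, people and departments are constructed sample data, and the listing format is assumed.

```python
"""Access review of an SCM user listing against an org chart.

Added example, not the service organization's own tooling. It checks two
things the audit test and finding 1 are concerned with: write access held
outside the IT and Engineering departments, and accounts mapped to more
than one person (a shared account has no individually accountable owner).
All data below is constructed for illustration.
"""

ALLOWED_WRITE_DEPTS = {"IT", "Engineering"}

# Constructed SCM listing: account name, access level, people who use it.
SCM_ACCOUNTS = [
    {"account": "jdoe", "access": "write", "users": ["J. Doe"]},
    {"account": "qa_shared", "access": "write",
     "users": ["A. Lee", "B. Kim", "C. Ng"]},
    {"account": "psmith", "access": "read", "users": ["P. Smith"]},
    {"account": "svc_build", "access": "write", "users": []},
]

# Constructed org chart: person -> department.
ORG_CHART = {
    "J. Doe": "Engineering",
    "A. Lee": "QA", "B. Kim": "QA", "C. Ng": "QA",
    "P. Smith": "Customer Support",
}


def review_scm_access(accounts, org_chart, allowed=ALLOWED_WRITE_DEPTS):
    """Return a list of (account, issue) pairs for an auditor to follow up."""
    findings = []
    for acct in accounts:
        name, users = acct["account"], acct["users"]
        # Shared accounts are flagged regardless of access level.
        if len(users) > 1:
            findings.append((name, f"shared by {len(users)} people"))
        if acct["access"] != "write":
            continue
        # A write-enabled account must map to a named, accountable person.
        if not users:
            findings.append((name, "write access with no accountable owner"))
        for person in users:
            dept = org_chart.get(person)
            if dept is None:
                findings.append((name, f"{person} not on org chart"))
            elif dept not in allowed:
                findings.append((name, f"write access held by {person} ({dept})"))
    return findings


if __name__ == "__main__":
    for account, issue in review_scm_access(SCM_ACCOUNTS, ORG_CHART):
        print(f"{account}: {issue}")
```

Run against the sample data, the shared QA account is reported once for being shared and once per QA user holding write access, while the Engineering account produces no finding.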

User Organization Controls

1. User organizations are responsible for notifying EASi of issues or requesting enhancements requiring software development.

2. User organizations are responsible for validating the accuracy of their data as presented / reported by EASi.

CONTROL OBJECTIVE 7 – Data Backup

Controls provide reasonable assurance that data files and libraries are backed up at appropriate intervals and are independently stored.

The EMS production servers are housed at the Datapipe colocation facility in California and are backed up to the corporate file server daily (Monday through Friday) through VPN. Corporate and colocation facility data is also backed up to an external tape drive at the corporate location daily (Monday through Friday). As of September 20th, 2010, the corporate servers were removed from the EASi corporate office and now reside at the CyberTrails colocation facility in Phoenix, Arizona.

On a daily basis, a full backup of the EMS database is performed. Failed backup jobs are investigated and resolved by the DBA. A full restoration of the EMS database is also performed on a daily basis. Failed refresh jobs are investigated and resolved by the DBA. Redundant Array of Independent Disks (RAID) 1 is used on all systems that house critical production data.

Controls Specified by EASi | Tests of Operating Effectiveness Performed by BDO USA, LLP

7.1 The EMS production servers housed at the Datapipe colocation facility in California are backed up to the corporate file server on a daily basis (Monday through Friday) through VPN.

Inquired with EASi personnel and corroborated the control procedure described. Inspected the backup schedule configuration and determined that the schedule has been established as described.

7.2 Corporate and production data is also backed up to an external tape drive at the corporate location on a daily basis (Monday through Friday).

Inquired with EASi personnel and corroborated the control procedure described. Inspected backup schedule configuration and determined that corporate and colocation data is backed up to an external tape drive at the corporate location.

7.3 Failed backup jobs are investigated and resolved by the DBA.

Inquired with EASi personnel and corroborated the control procedure described. For all failed backups logged during the period, inspected the IT operational log noting the DBA’s notes providing evidence of the control procedure performed.

Results of Tests Performed

No relevant findings or exceptions noted.


IV. OTHER INFORMATION PROVIDED BY THE SERVICE ORGANIZATION

Disaster Recovery and Continuity Planning

EASi places a high value on providing continuity of service to its user organizations. The ability to restore system data after the interruption of services, corruption of data, or failure of computer services is vital for the ability to continue providing services to users. EASi’s production system is hosted by Datapipe, one of the nation’s premier data centers. Datapipe uses the highest standards for designing and building each data center to withstand natural disasters, security breaches (physical and cyber), power outages, and networking and computing failures. Such measures, among others, include mechanical systems with multiple levels of redundancy; a superior cooling system that ensures climate temperatures do not affect computing power; an advanced continuous power supply (CPS) system that protects against degraded commercial power and interruptions; a Very Early Smoke Detection Alarm (VESDA) that continuously samples the air for dangerous particles; biometric authentication; and around-the-clock surveillance. EASi has developed processes to protect data and provide backup access to systems in case of unplanned events. The EASi disaster recovery and business continuity plan is described below.

Backup of Data for Restoration

To ensure that the mission critical production data is available for use in the event of a production system failure or disaster, the following schedule of data backup and duplication controls is in place:

• Daily Production Database Backup: Two types of database backups are performed daily.

o An Oracle full level 0 “hot” backup of the entire production database is performed nightly at 7:00 PM to disk. The backup files are then written to tape.

o An Oracle full export of the entire production database is performed at 5:00 PM and then again at 8:00 PM nightly to disk. The backup files are then written to tape, copied to the production file server and then copied to the corporate file server, where they are again written to tape. These Oracle export files are used to refresh the Operations verification and research database at the EASi corporate office as a test of the restorability of the backup file.

• Daily Duplication of Colocation Backup to Corporate Network: A duplication of the latest backup each day is made to a file server in the corporate network at 1:00 AM.

• Daily Corporate Data Backup: A backup of key corporate data is automatically generated and sent to a separate file server on a daily basis.

• Daily Source Code Backup: A backup copy of the source code is automatically generated and sent to a separate file server on a daily basis. Source code is also backed up on a quarterly basis to a third party software escrow service.

Loss of Primary Database Server

Currently EASi has implemented two hot standby databases, one at a colocation facility in California and a second at a colocation facility in Arizona. The hot standby databases are updated with the production database (Oracle) archive logs every 15 to 30 minutes, depending on the time of day and activity on the database and network. In the event service from the primary database server housed in the production colocation facility is unavailable, the switch is made to the backup hot standby database server housed in the production colocation facility.

• All sites and services pointing to the primary database will be shut down and a maintenance page displayed on the EASi Website.

• The EASi application will be redirected to connect to the backup hot standby database instead of the primary database.

• All Oracle archive logs will be applied.

• All sites and services will be restarted and pointed to the backup hot standby database.

• Approximate elapsed time is expected to be 30 to 60 minutes, depending on the nature of the failure and the archive log activity at the time of failure.

Total Loss of Colocation Facility Services

In the event service from the production colocation facility in California is completely unavailable, the switch is made to the hot standby database located at the backup colocation facility in Arizona.

• All sites and services at the backup colocation facility will be activated and configured as needed for production operation.

• The EASi application will be redirected to connect to the hot standby database at the backup colocation facility.

• All Oracle archive logs will be applied.

• All sites and services will be started at the backup colocation facility.

• Approximate elapsed time is expected to be 60 to 120 minutes, depending on the nature of the failure and the archive log activity at the time of failure. Overall time is also based on the domain reconfiguration required.

Business Resumption

EASi has developed a business resumption plan for its corporate office. The majority of EASi personnel, and all Customer Service personnel, have high speed Internet connections from their homes. This enables EASi personnel to access the corporate network remotely using VPN over the Internet. Systems utilized by the Customer Service department to support user organizations are Internet based and available remotely. All corporate documents are stored on servers in the colocation facility in Arizona and are available remotely via the Internet.

Datapipe Colocation Facility

Datapipe serves as EASi’s production colocation facility. Datapipe's specially trained staff and network engineers at its San Jose data center actively manage and maintain the facility 24 hours a day, 7 days a week, 365 days a year using sophisticated systems.

Datapipe Colocation Facility (Continued)

• SAS 70 Type II audited data center

• PCI Level 1 service provider certified

• Entire structure meets Bellcore network equipment building systems requirements

• Carrier neutral facility fed by multiple Tier 1 providers, via redundant MPOE fiber vaults

• Datapipe network featuring redundant fiber sources, aggregate switches and core routers

• VESDA smoke detection systems, above and below raised floor

• Dual interlock pre-action dry-pipe fire suppression system (two events required to activate)

• California Category Four earthquake compliant

• 24/7 on-site building and network monitoring and security staff

• Colocation exterior radius structure meets Level III explosion resistance security standards

• Three factor security

• Visitors are escorted by authorized personnel at all times

• 24 hour internal and external video surveillance, 60 day minimum retention policy

• Multiple mantraps with reinforced walls

• Facility fed by multiple power grids

• Pre-negotiated one hour advanced notice contact for any pending rotating block outages

• Uninterruptible power supply (UPS) system N+2 architecture

• Five generators rated at 1.8 megawatts each with 20,000 gallons of fuel capacity using N+N architecture

• Contracted fuel suppliers on call 24 hours a day, seven days a week

CyberTrails Colocation Facility

CyberTrails serves as EASi’s backup colocation facility for production as well as hosting EASi’s development and test environments. CyberTrails provides technologically advanced data center space and services for secure and reliable server hosting and colocation in Phoenix, Arizona. The facility offers state-of-the-art connectivity, power, security and environmental services.

• SAS 70 Type II audited data center in Phoenix, Arizona

• 24 x 7 onsite operations personnel

• Redundant power, cooling, and network access

• Biometric access and card access to building

• CCTV monitoring

• Power for full cabinets ranging from 20 amps (1.9 kW) to 60 amps (5.7 kW)

• Secure suites with solid core doors are available, adding another layer of protection