Security Statement

Service security certification and compliance overview


1.0 Introduction

The purpose of this document is to provide a concise statement of Akamai Ireland's security practices as they apply to its Products, Services, Websites and Applications.

Akamai values the trust that our customers place in us and we take this responsibility to protect customer information seriously. We strive for complete transparency around our security practices, detailed below. These security practices and our ISO27001 accreditation offer our customers assurance that we are GDPR compliant.

Akamai follows a security model of defence in depth, not relying on any one control to ensure security of our customer data.

Our Privacy Notice outlines in detail the way we handle customer data, as well as the Technical and Organizational Measures on Akamai Privacy Trust Center.

2.0 Security Statements

2.1 Physical Security and Compliance


Akamai’s information systems and technical infrastructure are hosted in ISO27001 certified data centres. Physical security controls at our data centres include 24x7 monitoring, cameras, visitor logs, entry requirements, and dedicated locked cages for Akamai hardware. The Information Security Management System (ISMS) that supports the development, deployment and operation of solutions for external customers by the Akamai Ireland teams is ISO27001 certified.


The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS PUB 140-2), is a U.S. government computer security standard used to approve cryptographic modules. Akamai Ireland has confirmation from NIST approved agency Corsec that AccessMyLAN and SIA Mobile are FIPS 140-2 compliant. Specifically AccessMyLAN’s and SIA Mobile’s use of FIPS-Approved cryptographic functions has been deemed compliant by Corsec’s “FIPS Verified” evaluation for FIPS 140-2 compliance.


AccessMyLAN and SIA Mobile's Services are compliant with the Criminal Justice Information Services (CJIS) by addressing the CJIS Security Policy Areas.

Moreover, many of the processes are documented, automated and audited in line with the ISO27001 certification requirements.

2.2 Access Control

Access to Akamai Ireland technology resources is only permitted through secure connectivity and requires multi-factor authentication. Our production password policy requires complexity, expiration, and lockout and disallows reuse. Akamai grants access on an as-needed basis, reviews permissions quarterly, and revokes access within 24 hours of employee termination.

2.3 Security Policies

Akamai Ireland maintains, reviews and updates its information security policies on an annual basis.

Employees must acknowledge policies on an annual basis and undergo additional training such as ISO27001 and GDPR Awareness training, Data Privacy Training, Secure Coding training and job specific security training as appropriate. The training schedule is designed to adhere to all specifications and regulations applicable to Akamai Ireland.

2.4 Personnel

Akamai conducts background screening at the time of hire to the extent permitted or facilitated by applicable laws and countries. In addition, Akamai communicates its information security policies to all personnel, requires new employees to sign non-disclosure agreements, and provides ongoing privacy and security training. Confidentiality Agreements and Proprietary and Invention Agreements are included in our Employment Contracts which all staff sign prior to commencing work with us.

2.5 Dedicated Security Personnel

Akamai also has a dedicated Security & Compliance team and a Data Protection Officer, focused on Data Privacy as well as application, network, and system security. This team is also responsible for security compliance, education, and security incident response.

2.6 Vulnerability Management and Penetration Tests

Akamai Ireland maintains a documented vulnerability management program which includes periodic scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All production environments are regularly scanned using trusted third-party vendors. Critical patches are applied to servers on a priority basis; all other patches are applied as appropriate. We also conduct regular external penetration tests and remediate any findings according to severity.

2.7 Encryption

We encrypt Akamai Ireland System data in transit using secure cryptographic protocols. Aged data is also encrypted at rest.

2.8 Development

Our development team employs secure coding techniques referencing the OWASP best practices. Developers are formally trained in secure application development practices upon hire and annually. Development, testing, and production environments are separated. All changes are reviewed and logged for audit and security purposes prior to deployment into the production environment.

All applications and systems deployed are subjected to Code and Vulnerability scans.

2.9 Logging and Auditing

Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorized Akamai personnel. Logs are preserved in accordance with regulatory requirements.

On an annual basis Akamai Ireland undergoes a rigorous ISO27001 audit, carried out by an external, qualified assessor to confirm our compliance with the requirements of the Standard.

2.10 Asset Management

Akamai Ireland maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Company-issued devices are equipped with full hard disk encryption and up-to-date antivirus software. Only company-issued devices are permitted to access corporate and production networks.

2.11 Information Security Incident Management

Akamai Ireland maintains security incident response policies and procedures covering the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. These policies are reviewed regularly and tested bi-annually.

2.12 Breach Notification

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if Akamai learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable country level, state and federal laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.

2.13 Resilient Architecture

Akamai Ireland Enterprise Architecture mandates resilient architectures be deployed and maintained. These designs all take advantage of industry best practice around High Availability and Disaster Recovery.

Akamai Ireland’s Production systems are backed up using a process of full and incremental backups and these are verified regularly. Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity and are tested regularly to ensure availability. These backups are also securely replicated to Disaster Recovery sites for use during Disaster Recovery invocation.

2.14 Data Privacy

Information privacy law or data protection laws prohibit the disclosure or misuse of information about private individuals. Many countries have adopted comprehensive data protection laws. Some of the most significant laws include the General Data Protection Regulation (GDPR) designed to ensure that any personal data stored on EU citizens is safe. Breaches can lead to sanctions of up to €20 million or 4% of global annual turnover, whichever is the greater. In the United States the Health Insurance Portability and Accountability Act (HIPAA) imposes requirements related to the use and disclosure of Patient Health Information (PHI) and appropriate safeguards to protect PHI, individual rights, and administrative responsibilities.

HIPAA & MOBILE SECURITY

Akamai Ireland is an ISO 27001 certified company and is compliant with the Health Insurance Portability and Accountability Act (HIPAA), which provides security provisions and data privacy in order to keep patients' medical information safe. Leading healthcare providers globally use Akamai products to protect and optimize their mobile experience across a range of cellular devices. Healthcare service providers leverage Akamai's services to use and disclose Patient Healthcare Information (PHI) in a manner permissible under HIPAA.

DATA PROTECTION LAW & MOBILE SECURITY

Akamai Ireland complies with all relevant regional Data Protection legislation in all regions where we operate. Akamai maintains a Data Protection Policy which applies to all Personal Data collected, processed and stored by Akamai in relation to its staff, its service providers and its clients in the course of its business activities. The Data Protection Policy ensures that any work undertaken in Akamai maintains focus on the rights of the Data Subject throughout the process lifecycle. The core principles covered in this policy include:

  • Data must be obtained and processed fairly and lawfully

  • Data must be obtained only for one or more specified, legitimate purposes

  • Data must not be further processed in a manner incompatible with the specified purpose(s)

  • Data must be kept safe and secure

  • Data must be kept accurate, complete and up-to-date where necessary

  • Data must be adequate, relevant and not excessive in relation to the declared purpose

  • Data must not be kept for longer than is necessary to satisfy the specified purpose(s)

  • Data must be managed and stored allowing for timely Data Subject Access Requests

Additionally, Akamai is ready to handle Data Subject Access Requests, as well as having all of the required Policies and Procedures in place to safeguard Personal Identifiable Information. These include Data Retention Policies, Privacy Impact Assessments, Data Protection Policy as well as all of our Information Security Management System which covers a wide range of procedural activities designed to protect data throughout the enterprise.
