Technical and Organizational Security Measures

Technical and Organizational Security Measures will include, but not be limited to, the following:

(a)  Access Control: limiting access of Affirm Data to authorized personnel with a bona fide need-to-know; maintaining a documented access approval process; revoking such access within twenty (24) hours in cases of personnel transfer or termination, and performing regular audits of user accounts to remove unnecessary access and privileges; strictly segregating Affirm Data from Vendor Data so that it is not commingled with any other types of information;

(b)  Awareness and Training: providing appropriate privacy and information security training to Vendor’s employees with access to Affirm Data, including annual refresher training; providing developers with appropriate secure development training such as OWASP Top 10;

(c)  Audit and Accountability: monitoring systems for unauthorized activity; generating and reviewing audit logs, and protecting such audit logs from unauthorized modification or disclosure;

(d)  Assessment, Authorization, and Monitoring: maintaining a process for periodically evaluating the effectiveness of its security controls; undergoing third-party penetration tests at least annually;

(e)  Configuration Management: establishing secure baseline configurations for the system(s) according to the principle of least functionality; maintaining a process for change control and conducting security impact analyses when appropriate;

(f)  Contingency Planning: performing regular system- and user-level backups and affording such information the same protections as the original; maintaining, regularly testing, and providing appropriate training for, a contingency plan;

(g)  Identification and Authentication: uniquely identifying all users; enforcing multi-factor authentication for access to Affirm Data; modifying vendor default authenticators; establishing strong authentication mechanisms; and protecting authenticators from unauthorized disclosure and modification;

(h)  Incident Response: maintaining, regularly testing, and providing appropriate training for, an incident response plan with respect to the breach of Affirm Data;

(i)  Maintenance; Media Protection; Physical and Environmental Protection: implementing appropriate security at facilities where Affirm Data can be accessed, including physical access controls, video surveillance, environmental safeguards, and controls to protect hardware and media during transport and/or maintenance from unauthorized access or modification; securely sanitizing media before reuse;

(j)  Personnel Security: implementing appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks consistent with applicable law for all employees with access to Affirm Data;

(k)  Risk Assessment: conducting risk assessments periodically and upon significant changes to the IT environment; implementing processes and mechanisms to identify and remediate technical vulnerabilities;

(l)  System and Services Acquisition: establishing a system development life cycle which incorporates security and privacy requirements; ensuring that externally managed systems meet organizational requirements;

(m)  System and Communications Protection: implementing boundary protections at managed interfaces of the system, including industry-recognized strong password requirements, firewalls and subnets, and limiting traffic to that with a documented business need; using Strong Cryptography for all Affirm Data when such data is transmitted over a network, whether via email, file transfer protocol, or other means of electronic exchange, as well as when such data is stored in any media, including, but not limited to, any laptop computer and USB storage peripherals;

(n)  Known Security Defects Remediation: repairing any Known Security Defect by implementing malicious code protection at system entry and exit points; monitoring and responding to attacks and indicators of potential attacks on the system; validating information inputs; implementing secure error handling; securely disposing of Affirm Data. Remediation of Known Security Defects must adhere to the following schedule:

Severity Level   Remediation Response Time
Critical         Issue is remediated within five (5) business days.
High             Issue is remediated within ten (10) business days.
Medium           Issue is remediated within one (1) month.
Low              Issue is remediated within six (6) months.


(o)  Supply Chain Risk Management: establishing security requirements with Subprocessors that are equal to or more restrictive than those in this DPA; establishing breach notification requirements with Subprocessors that conform to those in this DPA; assessing the security of Subprocessors before onboarding those Subprocessors; and assessing the security of Subprocessors annually thereafter.