Bloomboard, Inc. will comply with 14 security requirements for each customer deployment to protect customer information and resources. This includes maintaining internal security processes, requiring nondisclosure agreements for employees, restricting access to information on a need-to-know basis, securing customer proprietary information, assuring reliability of customer information processing, maintaining proprietary markings, complying with data movement arrangements, using secure website technology, ensuring secure disposal of storage devices, not using customer data without authorization, timely implementation of security updates, enforcing complex authentication, securing network connections, and reporting any unauthorized access or misuse of customer information within one day.
Security policy
SECURITY POLICY
Bloomboard, Inc. will comply with the following security requirements for each customer deployment.
1. Maintain an internal security process governing the protection of its own information resources and the resources of others under its control.
2. Ensure that all of BBI's employees and representatives are covered by a binding nondisclosure agreement.
3. Ensure that only persons with an approved need to know are allowed to access information belonging to the Client, Client's customer or customer proprietary information, including establishing and maintaining controls that allow a person to access only the specific customer information and information resources required to perform the work specified in the Terms and Conditions <app.bloomboard.com/tac.html> ("Terms").
4. Secure and protect Client's proprietary information, Client's employee proprietary information, and other Client information resources from unauthorized or improper use, theft, accidental or unauthorized modification, disclosure or destruction.
5. Assure the reliability and integrity of all Client information and information resources under its control and of the information processing activities performed with or for the Client.
6. Maintain the proprietary nature and if necessary, the proprietary marking of any Client, Client employee, or Client's customer proprietary information.
7. Comply with agreed upon arrangements for the movement of information and data between a Client and BBI and between BBI and Users. This also includes either the return of proprietary information to the Client or the complete destruction of proprietary information by shredding or burning or if no other mutually agreed upon means is specified.
8. Use secure web site technology at a level of at least 3-DES encryption or equivalent for collection of user registration information, including passwords.
9. Ensure computer storage devices, e.g., hard or floppy disks, magnetic tape, or optical disks, containing Client, or Client's customer data are not disposed of or otherwise presented to others unless all Client and Client's customer proprietary data has been completely obliterated. This includes media used to transmit data and to create backups.
10. Not use or transfer Client, or Client's customer, information or data for any purpose not authorized in the Terms between the Parties.
11. Implement security changes, security patches and security upgrades in systems, applications and software in a timely manner and commensurate with the threat. However, security changes, security patches or security upgrades shall be implemented within ninety (90) days of their release unless the Client agrees to a delay in implementation within forty-five (45) days of their release.
12. Ensure that authentication mechanisms are complex and not easily overcome. There shall be no known way to bypass the authentication mechanism and obtain entry into the system.
13. Ensure that Internet and other public (including public switched telephone) network connections are designed, implemented and maintained so as to secure and protect information and data, and system operation during the life of the Terms. This includes, but is not limited to, non-repudiation, authentication, authorization, and monitoring issues. The Parties agree that no Internet or other public network connections shall be implemented unless agreed to in writing by the Client prior to implementation. Authentication for remote access, e.g., in-dial, ISDN, wireless or other public switched network access for maintenance or administrative purposes are to use individually identified and a secure access key.
14. Report to Client, within one working day of discovery, any known or suspected unauthorized access, use, misuse, disclosure, destruction, theft, vandalism, modification, or transfer of Client, or Client's customer, proprietary information.