EverFi Technology Information Information

Posted 27-Jul-2020

Source: info.everfi.com/rs/410-YCZ-984/images/EverFi Technology Informatio…

Table of Contents

Adult Data & Security Due Diligence

Student Privacy

Disaster Recovery and Business Continuity Policy

Information Security – Executive Summary Report

Adult Data and Security Due Diligence

Information security is an integral part of the technology process at EverFi, and our engineering staff is committed to developing secure applications and maintaining an intrusion-free corporate environment.

About EverFi

EverFi is a digital learning company that provides financial education for learners of all ages. We provide a white-label platform to hundreds of financial institutions across the United States. Our partners in turn provide this digital education to their customers/members, employees, or sometimes non-profit partners with whom they have relationships. We work with hundreds of financial institutions and understand the security and privacy concerns and processes that this industry requires. We are headquartered in Washington DC and have 200+ employees.

Data Collection

EverFi collects the minimum amount of information needed to fulfill its educational mission and provide a quality user experience. Requests to collect additional data are reviewed with executive oversight.

Data that is collected falls into the following categories:

- Profile Data – Depending on what each partner specifies, this may or may not include Personally Identifiable Information (PII). The EverFi Platform will be functional without collecting PII, but some of our partners prefer to collect it so that additional data about users can be gathered. Additional data may include first and last name, email, ZIP code, etc. These data fields are all optional and can be customized for each partner.
- Course Progress + Knowledge Check Data
- Web Analytics – EverFi uses Google Analytics to measure web performance. The data is all reported in aggregate and does not contain PII.
- Attitudinal and Behavioral Change

Note: since this is an educational platform, we never collect financial data about each user. We do not need or want financial account information for any reason.

Cookies

The EverFi platform uses cookies. These cookies maintain the user’s session as they traverse the application and courses. The information in these cookies is encrypted and consists of opaque identifiers such as sessionID, userID and enrollmentID. As noted above, the EverFi platform also uses Google Analytics strictly for the purposes of tracking web traffic, trends, browser usage, etc. Google Analytics uses HTTP cookies to "remember" what a user has done on previous pages / interactions with the website. These cookies are anonymous.

Important: Google Analytics does not collect any personal information about your website users. Read the Google Analytics privacy document for more details.

Data Sharing and Usage

EverFi has strict policies with respect to data sharing. We do share data with each partner about aggregate usage, including the number of users and activity on the platform. For partners that choose to collect PII, we share individual user progress and registration fields for that user (for example, email, first name, last name, etc.). EverFi also uses this data to improve and update the platform. For example, we look at which modules have the highest abandonment rates and work to reduce those rates. We also may do research about users’ attitudes and behavior across our platform; this research is done in aggregate and does not involve any individual users. EverFi will never share user lists or email with anyone beyond the partner, and will not contact users without the permission of the partner. It should be noted that the EverFi platform does have the ability to send emails (for example, if we collect an email address at registration, we send a “Welcome Email” from EverFi that contains a reminder link to the learning portal). It should also be noted that EverFi provides technical customer support, and if a user contacts us for help, we may email or call them to resolve their technical issue.

Data Access Controls

Access to EverFi’s databases is closely guarded. Only a few senior developers have access to the production system, and each individual with access is a full-time EverFi employee. Furthermore, all employees at EverFi undergo a background check prior to employment. Since we work with financial institutions, as well as students at colleges and K-12 schools, it is imperative that we do these checks for our employees.

Secure Data Storage and Transport

EverFi application data is directly managed by EverFi Engineering, but leased through Heroku services, a subsidiary of Salesforce.com. Heroku utilizes ISO 27001 and FISMA certified data centers managed by Amazon. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. You can find the certifications and other details for ways Heroku and Amazon protect EverFi and EverFi customer data in Heroku’s data security policy. Furthermore, for additional security, EverFi is using Heroku’s Private Spaces, which firewall off our application and data into their own dedicated runtime environment. More information on Heroku’s Private Spaces can be found here: https://www.heroku.com/private-spaces. Additionally, EverFi’s database is encrypted at rest. As noted, our infrastructure is deployed on Amazon AWS. By leveraging an industry-leading cloud hosting provider, EverFi and its customers enjoy the benefits of the substantial shared investment and ongoing monitoring that a high level of security demands.

- Physical security of the equipment
- Industry-leading access control
- Full control of the data and backups (data can be deleted at the discretion of EverFi)
- Recurring industry-recognized security audits:
  o ISO 27001
  o SOC 1 and SOC 2/SSAE 16/ISAE 3402 (previously SAS 70 Type II)
  o PCI Level 1
  o FISMA Moderate
  o Sarbanes-Oxley (SOX)
  o Amazon’s SOC 3 documentation is available to the public. All others require following Amazon’s request process and can be obtained upon request.
- Penetration and vulnerability monitoring and response (including proactive blocking)
- Network security such as firewalls, DDoS detection and mitigation, detectors for spoofing and sniffing, port scan blocking
- Secure data backup
- Disaster recovery

Click on the link to view AWS’ certifications and compliance information. For more information about Amazon Web Services, check out: http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf

EverFi also enforces Transport Layer Security (TLS) both for transport among internal applications and between the EverFi platform and third parties (such as Single Sign-On). This secures data during transmission in an Internet environment.

Intrusion Detection and Prevention

EverFi contracts WhiteHat Security (https://www.whitehatsec.com/) to do weekly scans of our software looking for the latest exploits. We remediate any Sev1 findings immediately, and quickly address Sev2 and Sev3 findings as part of our bi-weekly release process. EverFi can provide a recent report from WhiteHat upon request. Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by the infrastructure, including the hypervisor, which will not deliver traffic to an interface it is not addressed to. Heroku utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.

Password Protection and Access Roles

EverFi takes special precautions to protect passwords. All passwords are stored as salted one-way hashes, so user passwords are irretrievable even for EverFi engineers. User roles are based on the “need to know” principle.
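As an added illustration of the salted one-way hashing described above (example code written for this page, not EverFi's implementation; the PBKDF2 parameters, the "$"-separated storage format and the function names are assumptions), the following Python shows why such a hash is irretrievable even to an engineer with database access, and contrasts it with the unsalted fast digest this practice replaces:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
# The iteration count and the storage format are assumptions for this
# example, not a description of any particular platform.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing, salted one-way hash of `password`.

    A fresh random salt is drawn per password, so two users who pick the
    same password get different stored values, and a table precomputed
    for one salt is useless against any other.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time.

    Nothing here recovers the password: the only operation available is
    "does this candidate produce the same digest?".
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or malformed record: never fail open
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_digest(password: str) -> str:
    """The pattern the policy avoids: a bare, unsalted, fast hash.

    Identical passwords collide, so one cracked row reveals every user who
    chose that password, and generic precomputed tables apply directly.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```

The stored string carries its own algorithm tag, iteration count and salt, so the work factor can be raised later and old records re-hashed at next login without a schema change; `hmac.compare_digest` keeps the comparison time independent of how many bytes match.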

Archival Policy

EverFi conducts a significant amount of year-over-year comparative analysis at the aggregate and partner levels. This analysis is a critical component of EverFi’s value proposition as it tests the efficacy of EverFi’s programs on the critical topics they address. Customers have the right to request that their data be deleted from the active and archived data sets. This data will be fully expunged and irretrievable to EverFi. Additionally, EverFi reserves the right to delete data for any reason and without notice.

Disaster Recovery

To prevent or minimize outages, data center staff monitor electrical, mechanical and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment. AWS is multi-region, so in the case of any catastrophic failure, the process would be to fail over to a different region. For additional information see https://aws.amazon.com/security

This type of infrastructure provides protection against many of the traditional causes of downtime for company-hosted and -operated systems. Heroku’s Disaster Recovery capabilities can be found here.

Contingency and Support Escalation Plans

The EverFi application is continuously monitored by New Relic, and real-time alerts are provided based on system performance, response times, and error thresholds. A critical alert initiates the support escalation process, whereby EverFi engineering works in close contact with the service providers to restore the affected system(s) and minimize downtime.

The EverFi database is continuously backed up via Heroku. Additionally, scheduled backups occur:

- Main database
- Follower database (hot backup)
- Nightly off-site backups

EverFi can rebuild the application with up-to-date data in the event of a catastrophic downtime event. If there are questions about EverFi’s security policies and practices, a deep-dive meeting can be scheduled with our Security Team. Please contact your EverFi Representative to set this up.

Student Privacy

EverFi takes student privacy very seriously and complies with two specific pieces of legislation protecting student privacy:

- Family Educational Rights and Privacy Act (FERPA) – Mandated by the Department of Education to protect the privacy of education records while still allowing for effective use of data.
- Children’s Online Privacy Protection Act (COPPA) – Mandated by the FTC to protect children under 13 from unfair or deceptive uses of personal information.

EverFi collects a very narrow set of Personally Identifiable Information (PII), referred to as “Directory Information” under FERPA and only uses PII for core business practices: troubleshooting technical issues and presenting teachers with reports for individual students (such as rosters and scores).

PII-related data stored by EverFi:

- Date of birth is requested (to support COPPA compliance) but is only stored as an over/under-13 flag.
- If a student is flagged as over 13, email is optional, and first name and last name are required.
- If a student is flagged as under 13, email is not collected, and first name and the first initial of the last name (1 character only) are required.

In each case names are used only to help teachers identify students in their classrooms. Thus, teachers can direct students to register with ID #s instead of names if they prefer.
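The over/under-13 rules above are simple enough to express as code, and doing so makes the data-minimization point concrete: the date of birth is consumed at registration and never stored. The following Python is an added example written for this page, not EverFi's registration code; the function and field names are assumptions, as is the choice that a student who turned 13 today is flagged as "over 13":

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

COPPA_AGE = 13  # COPPA protects children under 13


@dataclass(frozen=True)
class StoredStudent:
    """The minimized record the platform keeps.

    Deliberately has no date-of-birth field: only the flag derived from it
    survives registration.
    """
    under_13: bool
    first_name: str
    last_name: str            # full surname, or a single initial if under 13
    email: Optional[str]      # None when not supplied or not collectable


def age_on(birthdate: date, today: date) -> int:
    """Whole years between birthdate and today (birthday-aware)."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def _required(value: Optional[str], field: str) -> str:
    value = (value or "").strip()
    if not value:
        raise ValueError(f"{field} is required")
    return value


def minimize_registration(first_name: str, last_name: str,
                          birthdate: date, email: Optional[str],
                          today: Optional[date] = None) -> StoredStudent:
    """Apply the collection rules and return only what may be stored.

    - The birthdate is reduced to an over/under-13 flag and then dropped.
    - Under 13: email is discarded even if the form supplied it, and the
      surname is cut to its first character.
    - 13 and over (assumed meaning of "over 13"): full surname required,
      email optional.
    A student may enter an ID number in the first-name field when a
    teacher prefers not to collect names; the rules below do not care.
    """
    today = today or date.today()
    under_13 = age_on(birthdate, today) < COPPA_AGE
    first = _required(first_name, "first name")
    last = _required(last_name, "last name")
    clean_email = (email or "").strip() or None
    if under_13:
        return StoredStudent(under_13=True, first_name=first,
                             last_name=last[0], email=None)
    return StoredStudent(under_13=False, first_name=first,
                         last_name=last, email=clean_email)


if __name__ == "__main__":
    # Constructed sample registrations, evaluated as of a fixed date.
    as_of = date(2016, 9, 12)
    print(minimize_registration("Ada", "Doe", date(2007, 3, 1),
                                "ada@example.com", as_of))
    print(minimize_registration("Bo", "Lee", date(2001, 9, 13),
                                "bo@example.com", as_of))
```

Because `StoredStudent` has no field for the birthdate, the minimization is enforced by the type rather than by reviewer discipline: code downstream of registration cannot accidentally persist or log it.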

Disaster Recovery/Business Continuity Policy

1. Overview

It is important to realize that having a contingency plan in the event of a disaster gives EverFi a competitive advantage and is necessary to provide the best customer service for our customers. This policy requires management to financially support and diligently attend to disaster contingency planning efforts. Disasters are not limited to adverse weather conditions. Any event that could likely cause an extended delay of service should be considered.

2. Purpose

This policy defines the requirement for a baseline disaster recovery plan to be developed and implemented by EverFi, Inc. that will describe the process to recover IT systems, applications and data from any type of disaster that causes a major outage.

3. Scope

This policy is directed to both internal IT and Engineering, who program and maintain our cloud platform. This policy solely states the requirement to have a disaster recovery plan; it does not provide requirements around what goes into the plan or subplans.

4. Policy

4.1 Business Continuation

EverFi’s staff is distributed across North America. EverFi’s learning platform and systems are all cloud-based and hosted outside of EverFi’s offices. In the event of a catastrophe, EverFi staff will be able to continue working without hindrance.

4.2 Disaster Recovery

EverFi’s application and databases run on a distributed cloud architecture using Amazon Web Services managed by Heroku. This infrastructure methodology provides protection against many of the traditional causes of downtime, such as a disaster in a specific geographic region. Amazon’s security and Heroku’s Security/Disaster Recovery capabilities can be found at https://aws.amazon.com/security/ and https://www.heroku.com/policy/security. As a further protection, the write-ahead logs for the database are archived every 60 seconds to ensure an absolute minimum of data loss in the event of a disaster.

In addition to the main database, EverFi keeps a ‘follower database’, which is a hot backup that can be immediately used in case of failure of the main database.

EverFi’s backup policy includes:

- Daily backups retained for 7 days
- Weekly backups retained for 8 weeks
- Monthly backups retained for 12 months

The backups are kept off-site as part of best practices.
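To make the retention schedule above concrete, here is an added Python example (written for this page, not EverFi's or Heroku's tooling) that decides which backups in a set are still inside their retention window. The assumption that a Sunday backup doubles as the week's weekly copy and a first-of-month backup as the month's monthly copy is mine; with it, the three stated windows become one grandfather-father-son rotation check that works for any such schedule:

```python
from __future__ import annotations

from datetime import date, timedelta
from typing import List, Set, Tuple

# Retention windows as stated in the policy. Which calendar day counts as the
# "weekly" and "monthly" copy is an assumption made for this example (Sunday
# and the 1st of the month), not a description of EverFi's or Heroku's setup.
DAILY_RETENTION = timedelta(days=7)
WEEKLY_RETENTION = timedelta(weeks=8)
MONTHLY_RETENTION_MONTHS = 12


def tiers_for(backup_day: date) -> Set[str]:
    """Rotation tiers a backup taken on `backup_day` belongs to.

    Every backup is a daily; a Sunday backup also serves as that week's
    weekly; a first-of-month backup also serves as that month's monthly.
    """
    tiers = {"daily"}
    if backup_day.weekday() == 6:      # Monday == 0 ... Sunday == 6
        tiers.add("weekly")
    if backup_day.day == 1:
        tiers.add("monthly")
    return tiers


def months_between(older: date, newer: date) -> int:
    """Whole calendar months from `older` to `newer` (day-of-month aware)."""
    months = (newer.year - older.year) * 12 + (newer.month - older.month)
    if newer.day < older.day:
        months -= 1
    return months


def should_retain(backup_day: date, today: date) -> bool:
    """True while the backup is inside at least one tier's retention window."""
    tiers = tiers_for(backup_day)
    age = today - backup_day
    if age <= DAILY_RETENTION:
        return True
    if "weekly" in tiers and age <= WEEKLY_RETENTION:
        return True
    if ("monthly" in tiers
            and months_between(backup_day, today) < MONTHLY_RETENTION_MONTHS):
        return True
    return False


def prune(backups: List[date], today: date) -> Tuple[List[date], List[date]]:
    """Split a backup set into (keep, delete) under the policy above."""
    keep = [d for d in backups if should_retain(d, today)]
    delete = [d for d in backups if not should_retain(d, today)]
    return keep, delete


if __name__ == "__main__":
    # Constructed sample set, evaluated as of the report date on this page.
    as_of = date(2016, 9, 12)
    sample = [date(2016, 9, 10), date(2016, 9, 3), date(2016, 8, 28),
              date(2016, 7, 17), date(2016, 1, 1), date(2015, 9, 1)]
    keep, delete = prune(sample, as_of)
    print("keep:  ", [d.isoformat() for d in keep])
    print("delete:", [d.isoformat() for d in delete])
```

Deletion decisions are computed from the backup's own date and the current date only, so the same function can be run as a dry-run report before anything is removed and audited afterwards against the retention statement in the policy.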

EverFi utilizes additional contingency and support escalation plans as follows:

EverFi’s application infrastructure is continuously monitored by a secure third-party service with real-time alerts based on system performance, response times, and error thresholds. A critical alert will initiate the support escalation process, whereby EverFi engineering works in close contact with the service providers to restore the affected system(s) and minimize downtime.

EverFi annually tests our ability to rebuild the application with fully up­to­date data.

5. Policy Compliance

5.1 Compliance Measurement

The Information Security Officer will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to the policy must be approved by the EverFi Sec

Information Security - Executive Summary Report

Copyright © 2002-2016 WhiteHat Security, Inc. All Rights Reserved

Executive Summary Report

EverFi

Report As Of Monday, September 12, 2016

Prepared By [email protected]

Report Description

The Executive Summary report provides a high-level understanding of the security profile of your assets, giving you an overview of vulnerabilities across all the assets you select. This report shows you a summary of vulnerabilities by assets and by vulnerability class, as well as showing your overall security profile. For those customers using both Sentinel and Sentinel Source, this report will cover both dynamic and static test results. For detailed findings, please see the vulnerability detail reports.

The Executive Summary is intended for non-technical managers and executives.

Notes

Sites are assessed using dynamic analysis, and vulnerabilities are rated by their severity levels. For descriptions of dynamic analysis and severity levels, please see the Appendix.

Report Filtered By Vulnerability Status: Open

Assets Sites: 1

The Index of Content can be found on the last page


Issue Summary - Open Vulnerabilities

WhiteHat Security - Executive Summary Report Page 2 of 9

This table displays a breakdown of each site’s vulnerabilities.

Sites: Vulnerability Count

Site Name                  Site Priority  Urgent  Critical  High  Medium  Low  Informational
http://everfi-staging.net  5              0       0         0     1       1    6
Total                                     0       0         0     1       1    6

Issue Summary

This graph summarizes your sites' vulnerabilities and includes the vulnerability count for each vulnerability level.

[Graph: Sites: Summary of Vulnerabilities]

Issue Summary

This graph summarizes your site's top 10 most severe open vulnerabilities by class and includes the vulnerability count for each class.

[Graph: Sites: Top 10 Vulnerabilities by Class]

Issue Summary

This graph summarizes your sites' vulnerability history and includes the vulnerability count that falls into each month.

[Graph: Sites: Vulnerability History]


Appendix - Vulnerability Level Definitions (by Severity)

Severity is defined as the potential business impact if a specific vulnerability is exploited. The levels of severity are based on the same conditions factored into the PCI Security Scan report ratings, but the definitions below are clarified for Web application security concerns.

The Severity is scored between 0 and 5:

Urgent 5, Critical 4, High 3, Medium 2, Low 1, Informational 0

Severity ratings are defined below:

Urgent – Attacker can assume remote root or remote administrator roles; exposes entire host to attacker: backend database, personally identifiable records, credit card data; full read and write access, remote execution of commands. Example Weakness Class: Insufficient Authorization; example Attack Classes: SQL Injection, Directory/Path Traversal.

Critical – Attacker can assume remote user only, not root or admin; exposes internal IP addresses, source code; partial file-system access (full read access without full write access). Example Weakness Class: Insufficient Authentication; example Attack Classes: Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Abuse of Functionality.

High – Exposes security settings, software distributions and versions, database names. Example Weakness Classes: Information Leakage, Predictable Resource Location; example Attack Class: Content Spoofing.

Medium – Exposes precise versions of applications; sensitive configuration information may be used to research potential attacks against the host.

Low – General information may be exposed to attackers, such as developer comments.

Informational – No actual exposure: a failure to comply with best practices for security.


Appendix - Assessment Methodology for Dynamic Analysis

WhiteHat Security combines a proprietary vulnerability scanning engine with human intelligence and analysis from its Threat Research Center to deliver thorough and accurate assessments of web applications with its Sentinel Service.

WhiteHat Sentinel dynamic scanning services are all based on a continuously evolving top-of-class scanning engine with manual verification of all vulnerabilities to ensure quality results. WhiteHat's model allows customers to keep all sites covered at all times with minimal investment of personnel, while having access to the world's largest team of web application security experts who keep on top of the latest web security issues, manage security assessments for customers, and provide support and information. With Premium service the security experts in the Threat Research Center also perform business logic assessments of sites, which may uncover additional issues which cannot be found through automatic scanning. This combination provides the highest quality of security assessments in the industry with high scalability and ease of use, to keep customers on top of their risk posture and help them secure their assets.


About WhiteHat Security

WhiteHat Security is the leading provider of application risk assessment and management services that enable customers to protect critical data, ensure compliance, and narrow windows of risk. By providing accurate, complete, and cost-effective application vulnerability assessments as a software-as-a-service, we deliver the visibility, flexibility, and guidance that organizations need to prevent web attacks.

Deloitte, SC Magazine, the San Jose/Silicon Valley Business Journal, Gartner and the American Business Awards have all recognized WhiteHat Security for our remarkable innovations, executive leadership and our ability to execute in the application security market.

To learn more about WhiteHat Security and how our solutions can support your applications throughout the entire software development lifecycle, please visit our website at www.whitehatsec.com.

Index of Content

Issue Summary 2
Appendix - Vulnerability Level Definitions (by Severity) 6
Appendix - Dynamic Analysis Assessment Methodology 7
About WhiteHat 8