

Xerox® Litigation Services
Keeping Your Data Secure

Xerox® Litigation Services’ clients benefit from stringent security protocols employed to protect their data on the OmniX™ review platform. OmniX is a powerful, feature-rich, cloud-based platform used for e-discovery document reviews. Leveraging our state-of-the-art SSAE 16 Type II-compliant data centers and data management experts, we employ comprehensive security measures to minimize risk and protect your data.

Protecting your data is critical to managing risk. We ensure complete security from the moment your data is collected and loaded to the OmniX review platform through production and completion of your case. Our robust technology infrastructure and comprehensive security measures address system and database access control, intrusion prevention and detection, virus scanning and patch deployment, as well as seamless system and data redundancy.

OmniX Platform Access

All of our systems, including user access controls, have been architected to support strict security guidelines. New users are granted access only at the documented request of an authorized requester, designated by the client, following the chain of authority established at the outset of the client relationship. Prior to execution, all requests are inspected and subject to QA review. A dedicated client services team maintains records and accounts.

Each user is assigned a unique user name and password. All initial passwords are randomly generated and must be changed upon first user login. OmniX passwords are managed in the Oracle® database and are hashed with the Oracle 10g encryption algorithm. We also offer clients RSA SecurID two-factor authentication and IP address restriction. Administrative control of systems is determined by a least-privileges access model and is strictly limited based on job requirements.

Xerox® Litigation Services Security Capabilities Brief

Data Encryption

The OmniX platform utilizes 256-bit AES SSL encryption to further protect your data during transmission, exceeding standards for cloud-based security. Documents are also encrypted when stored at rest.

Third-Party Audits

We have an SSAE 16 Type II SOC 1 report issued annually by an independent auditing firm. In addition, we engage an independent third party on an annual basis to perform network penetration and application vulnerability testing and report any potential issues discovered. Each year, a different agency is selected to perform this examination to ensure a fresh perspective. We then evaluate and remediate any reported issues prior to a re-assessment to confirm that the potential vulnerabilities have been eliminated. Reports are available to clients upon request.

Audit Trail

We utilize industry best practices to provide end-to-end audit capabilities and create a documented chain of custody for all client data. All application data access is logged to two locations—one inside a protected Oracle database and another off site in an application log. All internal and client actions (logins, document views, coding edits, updates, etc.) are logged and the logs are archived daily. Our Operations Group is responsible for processing and managing documents and data. All actions taken by this group are tracked and logged throughout the operational process and are driven by internal checklists to ensure rigorous quality control. This creates an accurate and comprehensive chain of custody that provides historical information about each document processed and loaded onto the review platform. We have successfully substantiated chain of custody for multiple clients in dispute situations.

©2013 Xerox Corporation. All rights reserved. Xerox®, Xerox and Design® and OmniX™ are trademarks of Xerox Corporation in the United States and/or other countries. 02/13 BR5762 CIASE-141

For more information on Xerox® Litigation Services, visit www.xerox-xls.com, call 877.273.3887 or email [email protected].

About Xerox® Litigation Services. Xerox® Litigation Services, the e-discovery division of Xerox Corporation, is the trusted partner of global corporations and law firms, delivering end-to-end technology-driven services, software and consulting expertise that reduce cost and risk and streamline the e-discovery process from identification to production. Tens of thousands of end users rely on our cloud-based OmniX™ document review platform, Viewpoint™ e-discovery software, CategoriX automated document classification technology and supporting services for more efficient and defensible e-discovery.

Intrusion Detection and Monitoring Services

Our Network Operations Center (NOC) monitors all network, server and application activity in real time. Events and incidents are collected and displayed on a console that is monitored on-site 24x365. Appropriate staff are immediately alerted to any suspicious activity. The NOC is responsible for tracking, escalating and reporting on system issues. Proactive system alerts such as server temperature monitoring, redundant power distribution alerts and redundant storage path alerts also assist in identifying potential failures.

Software and hardware error escalation is coordinated by the NOC, which is responsible for monitoring, analyzing and reporting on a variety of proactive and reactive alert systems used to verify uninterrupted operation of OmniX™ and its related internal services, storage, servers and databases. NOC personnel are on site at our data centers 24x365. For all reported or detected incidents, the NOC analyzes the available information with respect to current operating status and directs the incident to the operational group(s) best suited to resolve the problem. If necessary, the NOC can trigger the SPOC (Single Point of Contact) system, which designates an on-call representative from each of our operational groups who can work to resolve any reported problem after business hours.

Physical Site

Three fully staffed shifts, augmented by professional security guards, provide 24x365 coverage. The facility is equipped with dual camera systems to monitor all ingress and egress points, the data center and stairwells. Zoned keycard access is required with segregated security levels and two-factor biometric access controls for essential staff in high sensitivity areas. The keycard access system logs all employee access to the facility. Guests visiting our facilities are required to sign in and display an identification badge, and are escorted at all times.

Data Centers

Our state-of-the-art data centers maximize the protection of client data. The facilities are geographically and environmentally isolated and contain more than 5,500 square feet of server space. Designed to handle high volume and high throughput, the facilities have more than three petabytes of storage capacity. Biometric access is required to gain entry; the buildings are staffed by security 24x365. Multiple network connectivity paths exist between the primary and secondary sites; a SONET ring provides fault-tolerant transmission between the two locations. Electronic processing takes place simultaneously at both facilities.

Redundant Backup

Three database tiers, three storage tiers and a fault-tolerant application server cluster provide fully redundant backup. Multiple Internet connections are configured to provide network failover capabilities. For offline backups, we employ a high performance IBM® tape library. Client data is stored in the library on tapes that are dedicated to each client matter—facilitating rapid export and restore capabilities, while meeting data segregation requirements.

Disaster Recovery

We have an extensive disaster recovery and business continuity plan, developed to restore vital business functions in case of a service-impacting event. The following strategies have been adopted to ensure expedient resumption of normal operations.

• Hot Site: Client data is replicated in real time to a secondary facility with equivalent processing power to the main site. Processing resumes at the backup facility with the current data already in place and ready to run.

• Rapid Issue Escalation: A proven combination of staffed system monitoring and automated alerts provides immediate notification to response teams of a site incident. Our proactive client services team is tasked with communicating any service-impacting event to clients.

• Regular Testing: Full site failover capabilities are regularly tested to validate that service redundancy features remain current and available.

Why Xerox?

We utilize comprehensive security controls to ensure complete security from the moment client data enters our facility. Once in our environment, our clients know exactly where and how their data is managed at all times. Combined with our preventive and reactive security measures, clients are assured that their data is in safe hands. We work with clients on an individual basis to address specific security requirements.
