Socially Determined Third-Party Service Terms
Q1 2024
1. Overview
At Socially Determined, Inc. ("Socially Determined"), the security and integrity of our platform, SocialScape, and the services we provide are of utmost importance. To maintain a high level of trust and security, we require that all third-party vendors providing technology services to Socially Determined adhere to strict security and compliance standards. This document outlines the terms for engaging third-party vendors in a manner that ensures compliance with both HITRUST CSF and NIST Cybersecurity Framework (NIST CSF) standards.
2. Third-Party Vendor Assessment and Security Accreditation
Socially Determined conducts thorough assessments of all third-party vendors providing services to ensure their security posture aligns with Socially Determined's Information Security Management Program (ISMP). Vendors are expected to comply with industry-recognized security practices and provide sufficient documentation to demonstrate their compliance.
Third-party vendors must provide one or more of the following as part of the onboarding process:
- HITRUST Certification Letter: Evidence that the vendor has undergone a successful HITRUST assessment and achieved certification.
- SOC 2 Type II Report: A current SOC 2 Type II report detailing the vendor’s controls related to security, availability, processing integrity, confidentiality, and privacy.
- Security Assessment: Vendors without an external accreditation must complete a security assessment provided by Socially Determined. This assessment evaluates the vendor’s adherence to security controls aligned with the HITRUST CSF and NIST CSF.
3. Ongoing Compliance and Monitoring
Vendors engaged with Socially Determined are required to maintain their compliance with the security standards agreed upon during onboarding. This includes providing updated accreditation reports (e.g., SOC 2 Type II or HITRUST letters) annually or upon request. Vendors who fail to maintain these standards will be subject to reassessment, and appropriate corrective actions may be taken, including suspension or termination of services.
Socially Determined may conduct periodic reviews and audits of third-party vendor security practices, which may include reviewing vendor security documentation, interviewing key personnel, or assessing implemented security controls.
4. Information Security Management Program (ISMP) Requirements
As part of our ISMP, Socially Determined ensures that third-party services are compliant with our security, privacy, and risk management policies. Vendors must align with the following ISMP requirements:
- Data Protection: Vendors must implement robust data protection measures, including encryption in transit and at rest, access controls, and monitoring.
- Incident Response: Vendors must have an incident response plan in place and notify Socially Determined immediately of any security incidents that could affect our systems or data.
- Access Management: Vendors are responsible for ensuring that access to SocialScape or Socially Determined's systems is restricted to authorized personnel only, using least privilege and role-based access controls.
- Risk Management: Vendors must demonstrate that they perform regular risk assessments, vulnerability scans, and penetration testing to identify and mitigate potential security threats.
5. Subcontractors and Partners
Any subcontractors or partners used by the third-party vendor that have access to SocialScape or Socially Determined data are subject to the same security and compliance requirements outlined in this document. The third-party vendor is responsible for ensuring that subcontractors meet all relevant standards and for providing proof of their compliance upon request.
6. Breach Notification and Remediation
In the event of a data breach or any security incident involving Socially Determined or SocialScape data, the third-party vendor must notify Socially Determined within 24 hours of discovering the incident. The vendor must work with Socially Determined to mitigate the effects of the breach, remediate vulnerabilities, and prevent further unauthorized access.
7. Termination of Services
Failure to adhere to these terms may result in the suspension or termination of the vendor’s relationship with Socially Determined. Socially Determined reserves the right to terminate services if the vendor is found to be non-compliant with HITRUST CSF, NIST CSF, or Socially Determined's ISMP requirements.
8. Updates to Terms
Socially Determined reserves the right to update these Third-Party Service Terms as needed to reflect changes in regulations, standards, or business requirements. Vendors will be notified of any significant changes to these terms.