CRITICAL AXrVAULT Fechnelogies ‘Your nonstop route to proving como! Information Technology Change Management Policy (Revised March, 2015) Adoption and Declaration of Poliey Critical Technologies, Inc. ("Critical") and AirVault@!, a division of Critical Tec adopted this Infomation Technology Change Management Policy (the control and manage carefilly how hardware, software, and functionality changes are released into our production environment used by our clients to aceess and use various Critical Internet portals and Internet-relatec services (he “Servioes"), The purpose ofthis document isto define the practices and processes by which Critical maintains and updates its Production Systems hile meeting the service evel agreements between Citeal and its clients. ogies, has H. About Our Services Critical provides a robust, ate-oFthe art fully web-based document management and workflow service for its business clents. Critical does not offer its Services to consumers. Critical's clients are involved in a wide variety of industries including banking, credit unions, financial services, government, gaming, and aviation. Critical’ liens use our Services to store, manage, search, retrieve and route documents throughout theit organizations, and to their industry afiliates, vendors, and regulatory agencies. The information we menage for our clients is highly confidential to our liens, and often contains highly confidential personal and business information about our eles’ customers and employees. Moreover, our elients are materially nd operationally dependent on the Services we provide, and insist on “uptime” and reliability to fequal the highest standaids of the Software-ss-e-Service industry. Consequently, Critical controls and manages carfully the ways and means by which it introduces new hardware, software, and functionality to our Services so tht Cteal causes te least amount of disruption possible to clients dependent on our Production Systems and Services, ML Production Systems Defined & Policy Scope “The Policy covers changes made to existing Critical network equipment curently in production. For terms of this documest, "Production System(s)" are those systems which are accessed by clients and for which Crtsl receives payment for services on those systems, Systems that log access oF provide other tesary Tunetions are not considered Production Systems with regard 10 ‘change management procedures. Intemal Critical systems, such as emi and data access are also not covered by tis Policy " anvano aes Sven a Cel TessasCRITICAL Critical Technologies, Inc. Security Incident Management Policies and Procedures Version 20, Septomber 2018 Cita! Teemetoge, nc da AVouRCRITICAL hnelogies AYrVAUL DISASTER RECOVERY AND AIRVAULT SERVICE CONTINUITY PLAN FOR COMPANY OPERATIONS CENTERS (REVISED JANUARY, 2017)