Security Addendum

Last Updated: March 4, 2026

This Security Addendum describes baseline security measures SlymeLab uses to protect Customer Data processed in connection with the Services. Specific commitments may be expanded in an Order Form/SOW.

1. Security Program Overview

SlymeLab maintains an information security program designed to:

  • Protect the confidentiality, integrity, and availability of Customer Data
  • Prevent unauthorized access, disclosure, alteration, or destruction
  • Support incident detection and response

2. Access Control

  • Least privilege: Access granted based on role and need-to-know
  • Authentication: Strong authentication practices for administrative access; MFA enforced where supported
  • Review: Periodic access reviews and prompt removal of access upon role change or termination
  • Logging: Administrative actions logged where feasible

3. Data Encryption

  • In transit: Encryption used for data transmitted over public networks (e.g., TLS)
  • At rest: Encryption used for stored Customer Data in production systems where feasible and appropriate
  • Key management: Keys are protected with access controls; rotation practices applied where appropriate

4. Secure Development and Change Management

  • SDLC controls: Security considerations integrated into development (code review, testing)
  • Dependency hygiene: Reasonable efforts to track and patch known critical vulnerabilities
  • Environment separation: Separation between production and non-production environments where feasible
  • Change control: Changes to production follow a documented process including testing/rollback where appropriate

5. Vulnerability Management

  • Regular vulnerability scanning (or equivalent control) for critical systems where feasible
  • Prioritization and remediation based on severity and risk
  • Security patches applied within reasonable timeframes relative to criticality

6. Monitoring and Logging

  • Systems monitored for availability and security signals where feasible
  • Logs collected for key events (authentication, admin access, service errors) subject to system design
  • Alerts and escalation paths for suspected security issues

7. Incident Response

  • Documented incident response process including triage, containment, remediation, and lessons learned
  • Breach notification: Customer notified without undue delay after SlymeLab becomes aware of a Personal Data Breach involving Customer Data, consistent with the DPA and applicable law
  • Post-incident review for material incidents

8. Business Continuity and Backup

  • Backups performed for critical systems where applicable
  • Reasonable measures to support service continuity and recovery after disruptions
  • Backup retention and restoration practices aligned to operational needs

9. Physical Security

Where Customer Data is hosted with third-party infrastructure providers, SlymeLab relies on their physical security controls (e.g., controlled facility access, surveillance, environmental safeguards) consistent with industry norms.

10. Personnel Security and Training

  • Confidentiality obligations for personnel with access to Customer Data
  • Security awareness training provided periodically, appropriate to role
  • Background checks may be conducted where lawful and appropriate for roles

11. Subprocessor Security

SlymeLab requires Subprocessors to implement security measures appropriate to the services they provide and to protect Customer Data under written terms.

12. Customer Responsibilities

Customer is responsible for:

  • Its account configuration, access management, and user permissions
  • Ensuring it does not submit sensitive/regulated data unless expressly agreed
  • Securing endpoints and networks used to access the Services
  • Maintaining the confidentiality of credentials and API keys

13. Updates to This Addendum

SlymeLab may update security measures to maintain or improve overall protection, provided updates do not materially reduce the security of the Services.

Contact: contact@slymelab.com