Compliance and agreement

Asura is committed to protecting the privacy and security of customer and attendee information, including processes and
safeguards relevant to personal data.

The current primary product we use that stores personal data is Cvent Event Management Software.

Cvent has implemented a robust set of policies, procedures, and protocols to ensure that all data remains safe and
confidential, including using industry leading 256-bit encryption to secure all client data, both at rest and in transit, using
two-factor authentication, and more.

Cvent has demonstrated compliance with rigorous third-party security frameworks and standards including ISO
27001:2013, PCI DSS Level 1 and SSAE18 SOC 1 Type II, and will continue to seek additional certifications and
accreditations which are important to us and our customers.

On October 31, 2017, the US Department of Commerce approved Cvent’s Privacy Shield certifications. Cvent worked with
TRUSTe to review and verify compliance with the EU-US and the Swiss-US Privacy Shield frameworks.

Another way in which Asura will protect our clients is through the introduction of a Data Processing Agreement with each
of our clients and sub-processors. These agreements permit our clients to continue to transfer data to Asura and/or Cvent
without disruption and binds our sub processors to best practices for data processing.

Asura welcomes the new, robust requirements for data protection, security, and compliance that the EU GDPR brings. We
have closely analysed the requirements of the GDPR and are working with data privacy experts and legal counsel to
renew our processes, supplement our products, and update our contracts and documentation, all in order to support Asura
and its clients with the GDPR compliance.