Information Security Policy

Last updated: July 02, 2023

Introduction

Replug implements comprehensive organizational and technical measures, referred to as "Security Practices," to safeguard the information that you provide, known as "Customer Information" (including but not limited to original URLs, shortened links, tracking data, analytics, account credentials, and any associated metadata or content like CTAs). These measures are designed to prevent loss, misuse, unauthorized access, or disclosure of your data. The effectiveness of these security measures is continually assessed, taking into consideration the sensitivity of the data we collect, process, and store, the evolving state of technology, the costs involved in implementation, and the nature, scope, context, and specific purposes of the data processing activities undertaken by Replug.

In this context, "Replug Services" encompasses all services offered by Replug, as detailed in the terms of the agreement that governs your use of Replug Services. Any capitalized terms not defined in this Security Practices document are as defined in the agreement.

Our security policy and practices include:

1. Assigned Security Responsibility

Replug has appointed a designated security lead and/or a dedicated security team. This function is tasked with the development, implementation, and ongoing maintenance of Replug's Security Practices.

2. Personnel Practices

All employees and contracted personnel of Replug are required to adhere strictly to internal policies concerning the confidential treatment of Customer Information.
  • They undergo security and privacy training relevant to their roles during onboarding and receive refresher training periodically (e.g., annually).
  • All personnel must acknowledge and agree to information security policies emphasizing the confidentiality, integrity, availability, and resilience of the systems and services utilized in delivering Replug Services.
  • Replug enforces strict controls to limit personnel access to Customer Information, ensuring such access is granted only on a need-to-know basis to authorized individuals for legitimate operational purposes.
  • Where permitted by law and appropriate for the role's sensitivity, Replug performs pre-employment screenings.

3. Compliance and Testing

  • Replug is committed to maintaining high standards of security and compliance, and to undergoing regular Service Organization Control (SOC) 2 Type II audits conducted by an independent third-party auditor.
  • For payment processing, Replug utilizes reputable third-party vendors that comply with the Payment Card Industry Data Security Standard (PCI DSS). Replug does not directly store, transmit, or process your credit card information; it relies on secure tokenization provided by its payment partners.
  • The Replug platform undergoes rigorous annual penetration testing conducted by independent third parties to identify and remediate potential security vulnerabilities.

4. Access Controls

Replug maintains robust access control policies covering onboarding, offboarding, and role changes.
  • These policies include regular access reviews, limitation and control of administrative privileges, and mechanisms to mitigate risks from inactive sessions.
  • Segregation of duties is implemented where appropriate to minimize conflicts and security risks.
  • An inventory of critical systems and user accounts with privileged access is maintained.
  • The principles of "least privilege" and "need to know" access are enforced.
  • Controls may be implemented to limit concurrent login sessions or excessive login attempts.
  • Comprehensive password policies are enforced, requiring minimum complexity, mandatory changes upon initial login or reset, and periodic rotation with restrictions on reuse.

5. Multi-Factor Authentication (MFA)

Access to critical internal systems used by Replug personnel is secured through multi-factor authentication. Replug also makes MFA available to its customers to enhance the security of their accounts.

6. Single Sign-On (SSO)

Replug utilizes single sign-on technology internally where appropriate to streamline and secure access.

7. Data Encryption

  • In Transit: Replug supports current secure cipher suites and protocols (e.g., TLS 1.2 and TLS 1.3) to encrypt all Customer Information transmitted to and from the Replug Services.
  • At Rest: Sensitive Customer Information (such as account credentials, API keys, and potentially specific configuration data) is encrypted at rest where appropriate, considering the nature of the data and associated risks. Replug continuously monitors the cryptographic landscape to adapt to new weaknesses while maintaining necessary compatibility.

8. Logging and Intrusion Detection

Replug systems (including servers, firewalls, and critical applications) are configured to log relevant events to secure, centralized systems to facilitate security monitoring, analysis, and reviews.
  • This logging environment captures data related to security, access, availability, and performance. Logs are analyzed for security-related events using monitoring tools and are reviewed by the security team.
  • Replug employs intrusion detection systems (network and/or host-based) and Web Application Firewalls (WAF) to proactively monitor for and protect against unauthorized intrusions.

9. Network Protection

Replug utilizes network security measures, including firewalls and security groups. Network ports not essential for the delivery of Replug Services are blocked at the infrastructure level.

10. Host Management

Replug performs regular vulnerability scanning on its production infrastructure and uses commercially reasonable efforts to remediate identified vulnerabilities posing a significant risk. Company-issued endpoint devices (like laptops) are managed with security measures such as screen lockouts and full disk encryption.

11. Availability

The infrastructure supporting Replug Services is designed for fault tolerance and high availability, consistent with our Service Level Agreement (SLA) commitments, ensuring reliable link management and redirection.

12. Disaster Recovery

Customer Information is redundantly stored across multiple physical locations within Replug’s hosting provider's data centers to ensure resilience.
  • Replug implements robust backup and restoration procedures designed for recovery from significant disruptions.
  • Operational teams are alerted to system failures. Backups are performed regularly, and restoration procedures are tested periodically (e.g., quarterly) to verify effectiveness.

13. Physical Security

Replug utilizes leading cloud infrastructure providers to host the Replug Services. These providers maintain state-of-the-art physical and environmental security measures for their data centers and typically hold certifications such as ISO 27001, SOC 1/2/3, and PCI DSS.

14. Security Policies and Procedures

Replug maintains internal security policies and procedures, potentially aligned with recognized frameworks. These govern operations, ensuring secure handling of credentials (e.g., using salted hashing for passwords), maintenance of access logs, and avoidance of logging sensitive data like plain-text passwords.

15. Product Design Security Practices

New features and significant changes to the Replug platform undergo a security review process. Code is subject to testing and peer review before deployment. Security considerations are integrated into the product development lifecycle.

16. Incident Management & Response

Replug maintains policies and procedures for responding to security incidents. In the event of an unauthorized disclosure of Customer Information under Replug's control, Replug will notify affected customers promptly and without undue delay, consistent with legal and contractual obligations.
