AWS GovCloud (US) Addendum
Terms and Conditions for Mission Customers
Mission Cloud Services, Inc. (“Mission”) has separately agreed to these Terms and Conditions (“Terms”) with Amazon Web Services, Inc. (“AWS”) in order to be able to manage your AWS GovCloud environment(s) on your behalf. You (“you,” “your,” or “Customer”) agree to be bound by these Terms and will defend, indemnify, and hold Mission harmless for any breach of these Terms and Conditions not caused directly by the actions or inactions of Mission.
1. AWS Security. AWS will implement reasonable and appropriate measures for AWS’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within AWS’s control and are used to provide the Services in the GovCloud Regions (referred to as the “AWS Network”) in accordance with the GovCloud Security Standards (as defined in Section 2). The GovCloud Security Standards are designed to: (i) help you secure Your Content/Customer Content (“Your Content”) against accidental or unlawful loss, access, or disclosure; (ii) implement the in-scope Federal Risk and Authorization Management Program (“FedRAMP”) and Department of Defense Cloud Computing Security Requirements Guide (“DoD SRG”) controls for the Services identified as FedRAMP compliant on the AWS Site (the “Services in Scope”), and (iii) maintain physical and logical access controls to limit access to the AWS Network by AWS personnel, including employees and contractors, to U.S. citizens, as defined by 8 U.S. Code §1401, et seq. (“U.S. Citizens”) ((i), (ii) and (iii) collectively the “Security Objectives”). During the term of the GovCloud Addendum, AWS will: (i) use commercially reasonable efforts to maintain FedRAMP and DoD SRG authorization at the then-current equivalent authorization for the then-current Services in Scope; and (ii) maintain an information security program designed to provide at least the same level of protection as evidenced by its FedRAMP and DoD SRG Authorizations to Operate (or its successor or equivalent, as reasonably determined by AWS) as of the Addendum Effective Date.
2. GovCloud Security Standards. AWS will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to: satisfy the Security Objectives; identify reasonably foreseeable and internal risks to security and unauthorized access to the AWS Network; and minimize security risks, including through risk assessment and regular testing. AWS will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures: (i) Network Security. The AWS Network will be electronically accessible to employees, contractors, and any other person as necessary to provide the Services. AWS will maintain access controls and policies to manage what access is allowed to the AWS Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. AWS will maintain corrective action and incident response plans to respond to potential security threats; (ii) Physical Security. (a) Physical components of the AWS Network are housed in nondescript facilities (the “Facilities”). Physical barrier controls are used to prevent unauthorized entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation or validation by human security personnel. Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the Facilities, and are continually escorted by authorized employees or contractors while visiting the Facilities. 
(b) AWS provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of AWS or its affiliates. (c) All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. AWS also maintains electronic intrusion detection systems designed to detect unauthorized access to the Facilities, including monitoring points of vulnerability with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited; and (iii) Continued Evaluation. AWS will conduct periodic reviews of the security of its AWS Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. AWS will continually evaluate the security of its AWS Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
3. Representations and Warranties. You represent and warrant that you: (i) are a U.S. Person, as defined by 22 CFR §120.62 (“U.S. Person”); (ii) will only assign a U.S. Person as your account owner for your AWS GovCloud (US) account; (iii) are opening an account on behalf of an organization that is a U.S. entity; (iv) are not subject to U.S. export restrictions or sanctions, and are not suspended or debarred from contracting with any U.S. government entities; and (v) will, if required by the International Traffic in Arms Regulations (“ITAR”), have and maintain a valid Directorate of Defense Trade Controls registration and an effective compliance program to ensure compliance with applicable U.S. export control laws and regulations, including the ITAR. If requested by AWS, you agree to provide AWS with additional documentation and cooperation to verify the accuracy of the representations and warranties set forth in this Section.
4. Your Responsibilities. You are responsible for all physical and logical access controls beyond the AWS Network including, but not limited to, your account access, data transmission, encryption, and appropriate storage and processing of data within the GovCloud Regions. You are responsible for verifying that all End Users accessing Your Content in the GovCloud Regions are eligible to gain access to Your Content. The Services may not be used to process or store classified data. If you introduce classified data into the AWS Network, you will be responsible for all sanitization costs incurred by AWS or its Affiliates. Your liability under this provision is exempt from any limitations of liability.