Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2025
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Risk Management – Crexendo has instituted a security team that is responsible for security/compliance strategy and corporate governance policies. The team makes sure that implemented SOC2 controls are supported by complementing processes and procedures.

Cybersecurity risk is managed through effective inter-department cooperation towards assessing and remediating risks ranging across corporate IT, software development, software quality process, production network architecture and deployment, and data security/privacy.

Crexendo relies on several third-party vendors and contractors in order to provide products and services to its customers as well as to augment the resource pool. On an annual basis, all significant third-party vendors and subservice organizations are assessed for any applicable cybersecurity or service availability risks. Vendors and contractors with access to sensitive data and/or information are expected to meet certain information security requirements.

Cybersecurity Risk Management Processes Integrated [Text Block]

Cybersecurity Compliance Framework – Crexendo has adopted System & Organizational Controls (SOC2) for the service organization responsible for Crexendo Hosted product and related corporate assets/entities. Implemented controls cover trust services criteria of security, availability, processing integrity, confidentiality, and privacy. Independent service auditors have been engaged to measure the efficacy of implemented controls.

Threat/Vulnerability Assessment & Remediation – Third-party security advisors have been engaged to periodically execute internal and external vulnerability scans for deployed production and organizational assets to flag any known vulnerabilities within deployed third-party components, including but not limited to operating systems, web server software, hypervisor software, etc.

Similarly, penetration tests are conducted periodically to expose any vulnerabilities within the deployment environment and/or deployed software, including but not limited to open firewall ports beyond deployment design, use of ciphers deemed insecure, etc.

The Crexendo Information Security Policy defines time periods within which a vulnerability of a particular severity (critical vs. major vs. minor) needs to be addressed. Reported vulnerabilities, along with the applicable resolution timeline and efforts, are recorded within the internal problem tracking system and are tracked as part of quarterly security and privacy review sessions.

Continuous Monitoring – As part of the proactive security measures, Crexendo deploys EDR/XDR tools across employee workstations, and mines significant events coming from critical infrastructure assets within a SIEM software. Any threat or prevention notifications are sent to the IT & Security team for further analysis, and additional actions are performed as deemed necessary to maintain the integrity and security of the corporate and production environments.

Incident Response Plan – To be prepared for any natural or cybersecurity incident involving a sensitive data breach across employees, customers, contractors, or vendors, and/or affecting service availability for the organization or customers, a comprehensive incident response plan along with a disaster recovery & business continuity plan has been documented. The plan contains details on aspects including but not limited to incident identification, operational playbook and responsibility matrix, communication and notification procedures, and reporting to legal/governing bodies based on severity of the incident. C-level executives and the board are notified if warranted by the severity of the incident.

The plans are reviewed annually for enhancements and inter-department alignment. Tabletop exercises are conducted to measure the effectiveness of the plan, and any findings are factored into further revisions of the plans.

Security Awareness – Employee awareness of potential threats and of how to steer clear of any phishing or social engineering attacks is a critical element that governs the efficacy of any cybersecurity measures. To that end, Crexendo subscribes to periodic security awareness training and mock tests for all employees and contractors. Employees and contractors are evaluated for timely completion of the training, on corresponding quiz scores, and based on how they fare tackling mock phishing emails. Scores below the required minimum trigger actions to guide the person towards better security awareness and thereby a better score. Disciplinary actions are in store for employees/contractors who still fail to secure the minimum required score.

Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]

While we have a comprehensive cybersecurity and compliance program in place as an effort to counter the threats, and while we have not been subject to any cyberattacks that, individually or in the aggregate, have been material to Crexendo's operations or financial condition, there can be no guarantee that Crexendo will not experience such an incident in the future.

Cybersecurity Risk Board of Directors Oversight [Text Block]

Board & Executive Oversight – Executive buy-in and support is a must for the success of any cybersecurity program. Crexendo C-suite executives and the Board of Directors have the primary responsibility of overseeing organizational cybersecurity and data privacy/security risk management.

Apart from any incidents that require notification to the top management and the board, an end-of-the-year update is presented by the Crexendo security team to the executive management and the board. The update provides an overview of organizational security stature, any experienced incidents, in-flight security/compliance projects, and opportunities for improvement.

The Board factors in the input towards security and compliance program budget to strike a balance between the expense and corresponding risk.

Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true