The tests may range in scope from tabletop exercises to full-scale simulations of real- life incidents. Based on the results of the testing, as well as experience from actual incidents, teams update and improve their plans to address issues and strengthen their response capabilities. ● Review and approval of the business continuity plan. At least annually, our executive staff reviews the business continuity plan and communicates changes to the rest of the team. Do you have a disaster recovery plan? To address information security requirements during a major crisis or disaster impacting RELAYTO operations, we maintain a disaster recovery plan. The RELAYTO Infrastructure/Security Team, which is composed of three specialized members from our development team, reviews this plan annually and tests selected elements at least annually. Relevant findings are documented and tracked until resolution. Our Disaster Recovery Plan (DRP) addresses both durability and availability disasters, which are defined as follows. A durability disaster consists of one or more of the following: ● A complete or permanent loss of a primary data center that stores metadata, or of multiple data centers that store file content ● Lost ability to communicate or serve data from a data center that stores metadata, or from multiple data centers that store file content An availability disaster consists of one or more of the following: ● An outage greater than 10 calendar days ● Lost ability to communicate or serve data from a storage service/data center that stores metadata, or from multiple storage services/data centers that store file content We define a Recovery Time Objective (RTO), which is the duration of time and a service level in which business process or service must be restored after a disaster, and a Recovery Point Objective (RPO), which is the maximum tolerable period in which data might be lost from a service disruption. We also measure the Recovery Time Actual (RTA) during Disaster Recovery testing, performed at least annually. RELAYTO incident response, business continuity, and disaster recovery plans are subject to being tested at planned intervals and upon significant organizational or environmental changes. In the event of a disaster, the estimated time for resumption of the Customer’s services for RTO is 12 hours and RPO is 30 minutes with a guaranteed maximum time for resumption of 12 hours. Disaster recovery backups are encrypted using the AES-256 protocol. 43 of 52