DSPP-09-2025

The Players Impact (The Players Legacy LLC, d.b.a. The Players Impact)
Data Security and Privacy Principles

1. Definitions

Capitalized terms used herein have the meanings given below or, if not defined below, the meanings given in the applicable written contract between The Players Impact and Client for The Players Impact Services.

Client – is the entity to which The Players Impact is providing The Players Impact Services under a The Players Impact Services Document.

Components – are the application, platform, or infrastructure elements of a The Players Impact Service that The Players Impact operates and manages.

Content – consists of all data, software, and information the Client or its authorized users provide, authorize access to, or input to The Players Impact Services.

DSPP – is this The Players Impact Data Security and Privacy Principles document.

The Players Impact Software Services – are “as a service” The Players Impact offerings that The Players Impact makes available via a network.

The Players Impact Services Document – is a Transaction Document and any other document that is incorporated into a written contract between The Players Impact and a Client that addresses details of a specific The Players Impact Service.

The Players Impact Services – are (a) The Players Impact Software Services, (b) other The Players Impact service offerings, including infrastructure or application service offerings that The Players Impact delivers and dedicates to or customizes for a Client, and (c) any other services, including consulting, maintenance, or support, that The Players Impact provides to a client.

Security Incident – is an unauthorized access and unauthorized use of Content.

Transaction Document – is a document that details the specifics of transactions, such as charges and a description of and information about a The Players Impact Software Service or other The Players Impact Service. Examples of Transaction Documents include statements of work, service descriptions, ordering documents, and invoices for a The Players Impact Software Service or other The Players Impact Service. There may be more than one Transaction Document applicable to a transaction.

2. Overview

The technical and organizational measures provided in this DSPP apply to The Players Impact Services (including any Components) only where The Players Impact has expressly agreed to comply with the DSPP in a written contract between The Players Impact and Client. For clarity, those measures do not apply where Client is responsible for security and privacy, or as specified below or in a The Players Impact Services Document.

a. Client is responsible for determining whether a The Players Impact Service is suitable for Client’s use and for implementing and managing security and privacy measures for components that The Players Impact does not provide or manage within The Players Impact Services. Examples of Client responsibilities for The Players Impact Services include Client end-user access control and application-level security configuration for a software-as-a-service offering that The Players Impact manages for a Client, or an application service offering that The Players Impact delivers to a Client.

b. Client acknowledges that The Players Impact may modify this DSPP from time to time at The Players Impact’s sole discretion, and such modifications will replace prior versions as of the date The Players Impact publishes the modified version. Notwithstanding anything to the contrary in any written contract between The Players Impact and Client, the intent of any modification will be to: (1) improve or clarify existing commitments, (2) enable The Players Impact to appropriately prioritize its security focus to address evolving data and cybersecurity threats and issues, (3) maintain alignment to current adopted standards and applicable laws, or (4) provide additional features and functionality of The Players Impact Services.

c. In the event of any conflict between this DSPP and a The Players Impact Services Document, the The Players Impact Services Document will prevail; if the conflicting terms are in a Transaction Document, they will be identified as overriding the terms of this DSPP and will only apply to the specific transaction.

3. Data Protection

a. The Players Impact will treat all Content as confidential by not disclosing Content except to The Players Impact employees, contractors, and suppliers (including subprocessors), and only to the extent necessary to deliver The Players Impact Services.

b. Security and privacy measures for each The Players Impact Service are implemented in accordance with The Players Impact’s security and privacy by design practices to protect Content processed by a The Players Impact Service, and to maintain the availability of such Content pursuant to the applicable written contract between The Players Impact and Client, including applicable The Players Impact Services Documents.

c. Additional security and privacy information specific to a The Players Impact Service may be available in the relevant The Players Impact Services Document or other standard documentation to aid in Client’s initial and ongoing assessment of a The Players Impact Service’s suitability for Client’s use. Such information may include evidence of stated certifications and accreditations, information related to such certifications and accreditations, data sheets, FAQs, and other generally available documentation. The Players Impact will direct Client to available standard documentation if asked to complete Client-preferred security or privacy questionnaires.

4. Security Policies

a. The Players Impact will maintain and follow written IT security policies and practices that are integral to The Players Impact’s business and mandatory for all The Players Impact employees. The Players Impact Head of Technology will maintain responsibility and executive oversight for such policies, including formal governance and revision management, employee education, and compliance enforcement.

b. The Players Impact will review its IT security policies at least annually and amend such policies as The Players Impact deems reasonable to maintain protection of The Players Impact Services and Content.

c. The Players Impact will maintain and follow its standard mandatory employment verification requirements for all new hires. In accordance with The Players Impact internal processes and procedures, these requirements will be periodically reviewed and include, but may not be limited to, criminal background checks, proof of identity validation, and additional checks as deemed necessary by The Players Impact.

d. The Players Impact employees will complete The Players Impact’s security and privacy education annually and certify each year that they comply with The Players Impact’s confidentiality and security policies. Additional training, specific to their role within The Players Impact’s operation and support of The Players Impact Services, will be provided to any persons granted privileged access to Components, and as required to maintain compliance and accreditations stated in any relevant The Players Impact Services Document.

5. Security Incidents

a. The Players Impact will maintain and follow documented incident response policies consistent with National Institute of Standards and Technology, United States Department of Commerce (NIST) guidelines or equivalent industry standards for computer security incident handling, and will comply with the data breach notification terms of the applicable written contract between The Players Impact and Client.

b. The Players Impact will investigate Security Incidents of which The Players Impact becomes aware, and, within the scope of The Players Impact Services, The Players Impact will define and execute an appropriate response plan. Client may notify The Players Impact of a suspected vulnerability or incident by submitting a request through the incident reporting process specific to the The Players Impact Service (as referenced in a The Players Impact Services Document) or, in the absence of such process, by submitting a technical support request.

c. The Players Impact will notify Client without undue delay upon confirmation of a Security Incident that is known or reasonably suspected by The Players Impact to affect Client. The Players Impact will provide Client with reasonably requested information about such Security Incident and the status of any The Players Impact remediation and restoration activities.

6. Physical Security and Entry Control

a. The Players Impact will maintain appropriate physical entry controls, such as barriers, card-controlled entry points, and surveillance cameras, to protect against unauthorized entry into The Players Impact managed facilities.

b. The Players Impact Software Services are hosted exclusively on Microsoft’s Azure Infrastructure Platform and, as such, adhere to the physical security practices defined by Microsoft here: https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security

7. Access, Intervention, Transfer and Separation Control

a. The Players Impact will maintain a documented security architecture for Components. The Players Impact will separately review such security architecture, including measures designed to prevent unauthorized network connections to systems, applications, and network devices, for compliance with its secure segmentation and isolation standards prior to implementation.

b. The Players Impact may use wireless networking technology in its maintenance and support of The Players Impact Services and associated Components. Such wireless networks will not provide direct access to The Players Impact Software Services networks. The Players Impact Software Services networks do not use wireless networking technology.

c. The Players Impact will maintain measures for a The Players Impact Service that are designed to logically separate Content and prevent it from being exposed to or accessed by unauthorized persons. The Players Impact will maintain appropriate isolation of its production and non-production environments, and, if Content is transferred to a non-production environment (for example, to reproduce an error at Client’s request), security and privacy protections in the non-production environment will be equivalent to those in production.

d. The Players Impact will encrypt Content not intended for public or unauthenticated viewing when transferring Content over public networks, and will enable use of a cryptographic protocol, such as HTTPS, SFTP, or FTPS, for Client’s secure transfer of Content to and from The Players Impact Services over public networks.

e. The Players Impact will encrypt Content at rest if and as specified in a The Players Impact Services Document. If a The Players Impact Service includes management of cryptographic keys, The Players Impact will maintain documented procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access, and use.

f. Consistent with industry standard practices, and to the extent natively supported by each Component, The Players Impact will maintain technical measures enforcing the timeout of inactive sessions, lockout of accounts after multiple sequential failed login attempts, strong password or passphrase authentication, password change frequency, and secure transfer and storage of such passwords and passphrases.

g. Logs in which The Players Impact Personnel access and activity are recorded will be retained in compliance with The Players Impact’s records management plan. The Players Impact will maintain measures designed to protect against unauthorized access, modification, and accidental or deliberate destruction of such logs.

h. The Players Impact will securely sanitize physical media intended for reuse prior to such reuse, and will destroy physical media not intended for reuse, consistent with NIST guidelines for media sanitization.

8. Service Integrity and Availability Control

a. The Players Impact will: (1) perform security and privacy risk assessments of The Players Impact Services, (2) perform security testing and vulnerability assessments of The Players Impact Services before production release, (3) enlist a qualified independent third party to perform penetration testing of The Players Impact Software Services, on a schedule deemed appropriate by The Players Impact based on services deployed, (4) perform automated vulnerability scanning of underlying Components of The Players Impact Services against industry security configuration best practices, (5) remediate identified vulnerabilities from security testing and scanning, based on associated risk, exploitability, and impact, and (6) take reasonable steps to avoid disruption to The Players Impact Services when performing its tests, assessments, scans, and execution of remediation activities.

b. The Players Impact will maintain measures designed to assess, test, and apply security advisory patches to The Players Impact Services and associated systems, networks, applications, and underlying Components within the scope of The Players Impact Services. Upon determining that a security advisory is applicable and appropriate, The Players Impact will implement the patch pursuant to documented severity and risk assessment guidelines, based on Common Vulnerability Scoring System ratings of patches, when available. Implementation of security advisory patches will be subject to The Players Impact change management policy.

c. The Players Impact will maintain an inventory of all information technology assets used in its operation of The Players Impact Services. The Players Impact will continuously monitor and manage the health, including capacity, and availability of The Players Impact Services and underlying Components.

d. Each The Players Impact Service will be separately assessed for business continuity and disaster recovery requirements through appropriate business impact analysis and risk assessments intended to identify and prioritize critical business functions. Each The Players Impact Service will have, to the extent warranted by such risk assessments, separately defined, documented, maintained, and annually validated business continuity and disaster recovery plans consistent with industry standard practices. Recovery point and time objectives for a The Players Impact Service, if provided for in the relevant The Players Impact Services Document, will be established with consideration given to the The Players Impact Service’s architecture and intended use. Physical media intended for off-site storage, if any, such as media containing backup files, will be encrypted prior to transport.