As an extension of the Cloudbeds API License Agreement, you will comply with the following API Security Standards (“Security Standards”):

1. Security Audits

1.1 Audit. Cloudbeds reserves the right to periodically audit the systems to ensure compliance with the requirements of this Exhibit. Non-intrusive network and application security scans may be performed randomly without prior notice.

1.2 Audit After a Security Breach Incident. For purposes of these Security Standards, a “Security Breach” is defined as a breach of security of your facility, systems or site where Cloudbeds Content or Cloudbeds User Data has been acquired by an unauthorized person. In the event of a Security Breach, Cloudbeds may suspend or terminate your access to the API and Cloudbeds Content and Cloudbeds may conduct a security audit.

1.3 Cloudbeds Results and your Response. Cloudbeds will provide you with detailed results of any security audit performed by Cloudbeds pursuant to these Security Standards. You will be granted thirty (30) days to resolve any issues Cloudbeds has identified through a security audit. Should you fail to resolve such identified issues, Cloudbeds may immediately suspend or terminate your access to the API and Cloudbeds Content without notice.

2. Security Incidents and Response

2.1 Notification and Timing. You agree to immediately notify Cloudbeds in writing upon your discovery of a Security Breach. You agree to use commercially reasonable efforts to notify Cloudbeds of your detection of a Security Breach no more than twenty-four (24) hours after detection of a Security Breach. Notwithstanding the foregoing, under no circumstances will more than two (2) days pass between your detection of a Security Breach and Cloudbeds being notified.th

2.2 Notification Format. Your notification of a Security Breach in accordance with the requirements set forth above will take the form of an email to [email protected]. Such notification email will include: a problem statement, expected resolution time (if known), and the name and phone number of your representative that Cloudbeds can contact to obtain incident updates.

In the event of any security deficiency or intrusion involving the Application, Cloudbeds APIs or Data, you will make no public statements regarding such deficiencies or intrusions (e.g., press, blogs, social media, bulletin boards, etc.) without prior written and express permission from Cloudbeds in each instance.

3. Security Precautions: Best Practices.

You agree to adhere at all times to reasonable security practices, as specified in current industry literature on topics relevant to your interaction with Cloudbeds. In the event such best practices conflict with these Security Standards, you will comply with these Security Standards.

4. Data Security: Data Storage.

You agree to maintain reasonable safeguards to protect the security of all the information that you process, access, or store, whether provided by a Cloudbeds User to you or obtained from Cloudbeds through the API.

At no time will you collect or store Cloudbeds User passwords, credit card numbers, or financial information in any form. Cloudbeds Access Credentials[46] must be kept secret and confidential and under no circumstances be exposed to the public.

If Cloudbeds believes that Access Credentials have been compromised, Cloudbeds reserves the right to immediately terminate access and issue new Access Credentials to you.