Trust at 3E

The 3E Information Security Program protects the integrity and confidentiality of information, products, and computing facilities. The Information Security Policy is based on the ISO 27000 and NIST 800-53 security frameworks covering: data security; communications security; software use and virus protection; intellectual property and privacy rights; encryption; backup, archival storage, and disposal of data; physical security; systems contingency planning and disaster recovery. Our AI platforms are governed by ISO 42001. These policies have been approved by management, have been communicated to the appropriate constituents and are regularly reviewed.

Cybersecurity risk assessments are performed quarterly by a third party to assess both internal and external threats and 3E’s current security posture. Inherent risk factors, as well as remediation recommendations are reported quarterly to the CEO and board of directors. 3E also leverages Rapid 7 Insight's threat assessment modules to perform risk assessment of internal assets, cloud and external scanning of websites. Annual SOC 2 audit certification ensures that 3E maintains a strong security posture.

3E is committed to maintaining the confidentiality, integrity, and security of personal information collected and processed during business interactions. 3E is compliant with GDPR and is annually certified under the EU-U.S, UK, and Swiss-U.S Data Privacy Framework and adheres to regional privacy regulations.

We implement strong encryption protocols to protect your data both in transit and at rest. All data transmitted through our platform is encrypted while in transit over HTTPS utilizing industry standard encryption technologies(RSA 2048,TLS 1.2).Databases are encrypted at rest and storage utilizing AES 256.

Yes. As a regular course of Information Risk Management, 3E conducts frequent scanning of the infrastructure for technical vulnerabilities. Scans are conducted against the public-facing infrastructure using the Rapid 7 Insight VM and CloudSec tools and against the entire on-prem and cloud infrastructure on a weekly basis. Discovered vulnerabilities are assigned a risk rating according to the Common Vulnerability Scoring System, and further analyzed to discover any false-positive designations, and the severity of the vulnerability risk based on the classification of the data associated with the system scanned. Third Party application penetration tests are performed on a rotational basis in accordance with the risk and classification of the system and data it processes.

Here3E handles all hosted data backups, including: Transaction logs every 20 minutes * Full SQL backups daily * Additional server backups daily/weekly depending on criticality *Backups are immutable and stored across on‑prem, AWS S3, and AWS Glacier with multi‑tier retention.

The majority of our platform applications support federated SSO (SAML 2.0 / OAuth/OpenID Connect). When SSO is not used, complex passwords are required. MFA for customers is handled via their own identity provider.

3E maintains a defined and structured Security Incident Response Plan (SIRP) designed to ensure business continuity, support security breach containment, and guide disaster recovery efforts. The plan applies to any serious technical event that could affect 3E’s ability to serve its customers. A high-level outline of the process deployed in the event of a serious technical incident (security, or otherwise) that could impact our ability to service our customers is as follows: 1. Event investigation 2. EOC Response Team notification, activate EOC, as required 3. Data source analysis (internal/external) 4. Event quantification 5. Response deployed 6. Recovery initiated 7. After action analysis and reporting

3E will use its best efforts to immediately report any actual loss, unauthorized disclosure or unauthorized use of clients confidential information within two (2) business days of the date that 3E (including any of its employees or agents except those causing the Breach) becomes aware of the breach or as soon as possible in the event of law enforcement directives as it pertains to their investigation or evidence gathering. The Service Provider report to the client will include the then known details of the Breach including what corrective action, if any, is being undertaken. 3E shall be responsible for investigating all unauthorized uses and disclosures of client’s Confidential Information maintained by Service Provider and reporting the findings of that investigation to the client.

Data is protected through strong encryption and strict access controls. All data is encrypted while in transit using HTTPS with industry‑standard RSA‑2048 and TLS 1.2, and at rest using AES‑256 encryption. Access to 3E systems and customer data is governed by least‑privileged access, with permissions limited to the minimum necessary and managed through a formal workflow for authorizing, modifying, and revoking access.