Hi Amy,

Thanks for the additional questions.

We actually have already completed a separate questionnaire for your InfoSec team, and have sent it to Nat (see attached).

We would like to get all security questions upfront in one pass. Can you confirm this is the total list? No more InfoSec questions?

Regarding answers, we also need you to provide more clarification. See below for my comments.

- Physical and data security controls
Please refer to sections B.2, G.5 and C.1-3 in the questionnaire.

- Transaction procedures or data flows
Can you provide more clarification?
It is not clear what this question is about.

- Business continuity plans and test results or contingency arrangements
We are okay to prepare some documentation for this.

- Third party audits or certifications [SSAE18 SOC audits (SOC2 Type 2 preferable), PCI certifications, Penetration tests, etc.] with management responses to deviations or exceptions found.
We will provide the ISO Cert and Statement of Applicability.
As for the SOC2, we can screen share the draft if you’d like while we wait for the final.

- Information Security Policy, Standards, Procedures, and Guidelines
We are okay to put together a summary document for these.

- Any of the above information on the third party sub-vendor(s) that will access, store, or transmit Discovery data.
Are you referring to sharing things like SOC2, policies, etc.? We sign NDAs with our vendors and can’t just share their data, so none of the above information on the third party sub-vendors will access, store, or transmit Discovery data.

Please review and advise.

Regards,

The text above was approved for publishing by the original author.
