Jan 30, 2026
Last updated: December 26, 2025
This Security Addendum (this “Security Addendum”) forms part of your Terms with Walter (the “Terms”). Capitalized terms used but not defined in this Security Addendum have the meanings set forth in the Terms.
The computing services utilized to offer the Service are cloud-based and provided to Walter via one or more cloud service providers and represent our “Cloud Environment.”
1. Definitions
In this Security Addendum:
1.1 “Audit Reports” has the meaning given in Section 10.1.
1.2 “Auditor” has the meaning given in Section 10.1.
1.3 “Cloud Environment” has the meaning given above.
1.4 “Content” means Input and Output collectively.
1.5 “Customer Data” means data provided by or on behalf of Customer in connection with the Service.
1.6 “Input” means input provided to the Service by or on behalf of Customer.
1.7 “Malicious Code” has the meaning given in Section 4.4.
1.8 “Security Incident” has the meaning given in Section 8.1.
1.9 “Third-Party Audits” has the meaning given in Section 2.1.
2. Walter audits and certifications
2.1 The information security management system used to provide the Service will be assessed by independent third-party auditors as described in the following audits and certifications (collectively, “Third-Party Audits”) on not less than an annual basis:
· SOC 2 Type II
· ISO/IEC 27001:2022
2.2 Third-Party Audit reports are made available to you as described in Section 11.1.
2.3 To the extent that Walter decides to discontinue a Third-Party Audit, Walter will adopt an equivalent, industry-recognized framework that is at least as comprehensive or effective in achieving substantially similar objectives.
3. Hosting location of Customer Data and Content
3.1 Customer Data and Content will be stored and processed by Walter and its vendors in data centers located in the geographic region specified on your currently operative Order Form or as otherwise agreed to in writing.
3.2 You may request to have your Customer Data and Content stored in a separate specific geographic region. Walter will use commercially reasonable efforts to do so where supported by our underlying cloud service provider(s) and where otherwise in compliance with applicable laws and regulations.
4. Encryption
4.1 Walter encrypts Customer Data and Content at rest using AES 256-bit (or better) encryption. Walter uses Transport Layer Security 1.2 (or better) for Customer Data and Content in transit over public or untrusted networks.
4.2 We rotate encryption keys at least annually and utilize hardware security modules to safeguard critical encryption keys. Walter logically separates encryption keys from Customer Data and Content.
5. System and network security
5.1 Walter personnel access to our Cloud Environment is with a unique user ID and is consistent with the principle of least privilege. As part of the user authentication process, Walter’s authentication systems validate that: (i) access is requested from company-owned devices that are enrolled in and managed by Walter’s mobile device management solution and are continuously scanned by device security posture technology; (ii) such access is protected by at least biometric authentication, a hardware security module, a device certificate, and behavioural analytics risk scoring technology; and (iii) access to any sub-processor systems is governed by Walter’s single sign-on provider. Access requires a secure connection, multi-factor authentication, and passwords meeting or exceeding reasonable length and complexity requirements.
5.2 Walter personnel will not access Customer Data or Content except (i) to provide or support the Service or (ii) to comply with the law or a binding order of a governmental body. Any such access by Walter personnel will be through time-limited, specific-purpose authorized access sessions, and Walter will maintain a permanent audit trail of the reasons for such access.
5.3 In accessing our Cloud Environment, our personnel will use company-issued laptops which utilize security controls that include encryption and that also include endpoint detection and response tools to monitor and alert for suspicious activities, malicious code, and vulnerability management as described in Section 5.7.
5.4 Our Cloud Environment leverages industry-standard threat detection tools with daily signature updates, which are used to monitor and alert for suspicious activities, potential malware, viruses and/or malicious computer code (collectively, “Malicious Code”). Walter does not have an obligation to monitor Customer Data or Input for Malicious Code.
5.5 Walter engages an independent third party to conduct penetration tests of the Service at least annually. Summary results of such penetration tests can be made available to you as described in Section 11.1 at your request, and contain, at a minimum: (i) name of penetration testing organization, (ii) date(s) of penetration test, (iii) scope of penetration test, (iv) mode of test / testing approach, and (v) brief summary of the findings.
5.6 Walter uses automated tools to scan publicly available vulnerability databases (e.g., National Vulnerability Database (NVD) or similar) for vulnerabilities in software that may be utilized by us. We score vulnerabilities according to an internal rating system that takes into account the likelihood of an exploit and the potential impact of an exploit, similar to CVSS. We timely address vulnerabilities. Those in the “critical” category are addressed within a maximum of 7 days, in the “high” category within 30 days, and in the “medium” category within 90 days.
5.7 Walter will engage a third party to conduct web application-level security assessments on the Service at least annually. Such assessments include tests for relevant security vulnerabilities identified in the Open Web Application Security Project (OWASP), including cross-site request forgery, cross-site scripting (XSS), SQL injection (SQLi), authentication and authorization vulnerabilities, and others.
5.8 Walter will maintain fully separate and isolated development, staging, and production environments for the Service, including logical segregation of systems and access controls, in order to reduce the risk of unauthorized access, cross-environment data exposure, or unintended changes to production systems.
5.9 Customer authentication and password storage. Walter does not permit Customers to authenticate end users to the Service using passwords. Authentication to the Service is supported only via single sign-on (SSO). As a result, Walter does not store end-user passwords or password hashes in production environments.
5.10 Password reset security. Any password reset or credential recovery process for access to Walter systems will require hardware multi-factor authentication.
5.11 Network segmentation and firewall controls. Walter segregates system components and environments into separate subnetworks, with firewalls between subnetworks and highly specific access control lists (ACLs) that are justified and documented. Changes to firewall rules and ACLs are subject to peer review and testing prior to implementation and are reviewed at least annually.
6. Administrative controls
6.1 Walter maintains security awareness and training programs for its personnel including at time of on-boarding and at least annually thereafter. Such security awareness training includes the following topics: (i) individual responsibilities in terms of information security and data privacy, (ii) understanding of our IT security policies and standards, (iii) guidance on how to protect information from existing and emerging cyber threats such as phishing emails, and (iv) requirements for maintaining the security of their devices, credentials, and accounts.
6.2 Walter trains all software developers on secure development practices appropriate to their role at least annually. Training content is adjusted depending on the evolving threat landscape and may include threat modeling, secure design principles, prevention of authentication and authorization bypass attacks, prevention of cross-site scripting attacks, prevention of cross-site request forgery attacks, and prevention of the use of vulnerable libraries.
6.3 Walter personnel are required to sign confidentiality agreements and are required to acknowledge responsibility for reporting security incidents involving Customer Data and Content.
6.4 Walter removes access to critical systems (including systems containing Customer Data and Content) for all separated personnel within 1 day and removes access to all systems within 3 days. Walter additionally reviews the access privileges of its personnel to its Cloud Environment at least quarterly.
6.5 Walter reviews external threat intelligence, including US-CERT vulnerability announcements and other trusted sources of vulnerability reports. US-CERT-announced vulnerabilities rated as critical or high are prioritized for remediation in accordance with Section 5.6.
6.6 Walter will conduct the following background screening checks for all personnel with access to Customer Data and Content, to the extent permitted under applicable law: (i) ID check and (ii) criminal record check.
6.7 Walter does not use ‘administrator’ or ‘root’ accounts. All access to systems that contain or have access to Customer Data and Content is by way of short-lived tokens issued by Walter’s security management system. These tokens expire in minutes, are pinned to individual workstations, and require multi-factor authentication (minimum 4 factors) at every issuance.
7. Vendors and sub-processors
7.1 Walter ensures that any of its vendors that process Customer Data or Content maintain security measures consistent with our obligations under this Security Addendum.
7.2 Walter maintains a list of sub-processors at: https://getwalter.com/legal/subprocessors.
7.3 Walter maintains a supplier security review process as required by the security frameworks to which Walter is certified and/or audited, including assessing supplier security requirements during procurement and periodically reviewing supplier access rights.
8. Physical data center controls
8.1 Our Cloud Environment is maintained by one or more cloud service providers. We ensure that our cloud service providers’ data centers have appropriate controls as audited under their third-party audits and certifications. Each cloud service provider will have an annual SOC 2 Type II audit and ISO 27001 certification, or industry-recognized equivalent frameworks. Such controls include:
· Physical access to facilities is controlled at building ingress points.
· Visitors are required to present ID and must be signed in.
· Physical access to servers is managed by access control devices.
· Physical access privileges are reviewed regularly.
· Facilities utilize monitoring and alarm response procedures.
· Facilities utilize CCTV.
· Facilities have adequate fire detection and protection systems.
· Facilities have adequate back-up and redundancy systems.
· Facilities have appropriate climate control systems.
8.2 Walter does not maintain physical offices other than for limited corporate and executive purposes. Under no circumstances is Customer Data or Content stored or hosted at such offices.
9. Incident detection and response
9.1 If Walter becomes aware of a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Content (a “Security Incident”), Walter will notify you without undue delay, and in any case, within 48 hours after becoming aware. You will be notified at the security notice email address indicated on your currently operative Order Form or as otherwise determined appropriate by Walter.
9.2 In the event of a Security Incident as described above, Walter will promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Any logs determined to be relevant to a Security Incident will be preserved for at least 1 year.
9.3 Walter will provide you with timely information about the Security Incident, including the nature and consequences of the Security Incident, the status of our investigation, and a contact point from which additional information may be obtained. Walter will also share information about the measures taken or proposed by Walter to mitigate or contain the Security Incident after the investigation into the Security Incident has concluded. Customer acknowledges that because Walter personnel may not have visibility to the content of Customer Data and Content, it may be the case that we are unable to provide detailed analysis of the type of Customer Data and Content impacted by the Security Incident. Communications in connection with a Security Incident will not be construed as an acknowledgment by Walter of any fault or liability with respect to the Security Incident.
10. Audit logging
10.1 Walter will create, protect, and retain information system audit records to the extent needed to maintain integrity, and will enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Actions of human information system users can be uniquely traced to those users.
10.2 Audit logs are retained for a minimum of 1 year, and may be retained up to a maximum of 10 years. Audit logs are protected against tampering.
11. Customer audit rights
11.1 Upon request, and at no additional cost to you, Walter will provide you and/or your appropriately qualified third-party representative (collectively, the “Auditor”) access to reasonably requested documentation evidencing our compliance with our obligations under this Security Addendum in the form of, as applicable, (i) Walter’s SOC 2 Type II audit report, plus relevant penetration test summaries and data flow diagrams, and (ii) a copy of our ISO 27001 certification as well as a statement of applicability (collectively with Third-Party Audits, “Audit Reports”). Where an Auditor is a third party, such third party will be required to execute a separate confidentiality agreement with Walter prior to any audit, penetration test, or review of Audit Reports, and Walter may object in writing to such third party if in Walter’s reasonable opinion the third party is not suitably qualified. Any such objection will require you to appoint another third party to review such Audit Reports. Walter is not responsible for any expenses incurred by an Auditor in connection with any review of Audit Reports.
11.2 Once a year, you may submit reasonable security questionnaires (not to exceed 100 questions total) and requests for updated security documentation, and Walter commits to provide results in a timely fashion and at Walter’s own cost.
11.3 In the event of a Security Incident involving Customer Data or Content, Walter commits that it will engage an independent forensic specialist or similar firm at its own cost, and to the extent that your Customer Data or Content is impacted, Walter will provide the results of such a report to you in a timely fashion.
11.4 Walter maintains tamper-proof audit logs that are stored separately from production systems to reduce the risk of alteration or loss.
12. Customer responsibilities
12.1 It is your responsibility to ensure that you are authorized to use any Input or Customer Data with the Service and that your usage complies with relevant legal and regulatory obligations.
12.2 You are responsible for managing and securing your methods to access the Service. User credentials must be kept confidential and may not be shared with unauthorized parties. A single account may not be shared among multiple persons. You must promptly report any suspicious activities related to your account(s) (such as when you reasonably believe that credentials have been compromised).
12.3 You are responsible for keeping your relevant IT systems (such as the browser you use to access the Service) up-to-date and appropriately patched.
12.4 Walter does not share Customer Data or Content between Customer workspaces.
13. Business continuity and disaster recovery
13.1 Walter maintains business continuity plans that detail how operations will be maintained during an unplanned disruption in service. This includes contingencies for business processes, assets, human resources, and business partners, and covers key information, systems, and services. Continuity plans are approved by senior management and reviewed and tested annually.
13.2 Walter performs backups designed to support a recovery point objective (RPO) of five (5) minutes.