First Insight Compliance Statement

Security Statement

First Insight utilizes some of the most advanced technology for internet security available today. When you access InsightSUITE, your information is protected using both server authentication and encrypted data transmission. This ensures that your data is safe, secure, and available only to registered users in your company.

All First Insight user accounts must have a password with the following characteristics:

• Must be at least 8 characters long
• Contains at least 1 letter, 1 number, and 1 special character
• Is different from the user's last password

These additional password controls are also enforced:

• Each user’s password must be changed every 90 days.
• A user’s account will be locked after 5 consecutive failed login attempts. When this happens, the user must contact their First Insight Point of Contact to have their account unlocked.
• A user’s account will be locked if the user has not logged into InsightSUITE for 90 days. When this happens, the user must contact their First Insight Point of Contact to have their account unlocked.

InsightSUITE issues a session "cookie" only to record encrypted authentication information for the duration of a specific session. The session "cookie" does not include either the username or password of the user. InsightSUITE does not use "cookies" to store other confidential user and session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs.

InsightSUITE is hosted in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from outside intruders.

Your Responsibility Related to Security

Although First Insight takes great strides to provide a secure environment for sensitive product data, security is a shared responsibility between you and us. Each of us has a role to play in protecting your data. Customers must:

• Notify First Insight immediately when an employee who has access to InsightSUITE has left your company or requires a reduction in the level of access to InsightSUITE.
• Request additional user or Insight level permissions for their employees.
• Only transmit confidential data through approved and secure means.
• Comply with any copyright laws when obtaining product information about competitor products when performing white space analysis or competitive brand analysis.
• Not request information, from consumers in the surveys preceding the games, that violates privacy laws.
• Contact their Point of Contact any time they feel there has been a security breach.

Processing Integrity Statement

As it relates to Insight setup, monitoring, and analysis, First Insight believes in the notion of “garbage in-garbage out”. That is, if the product data being used to set up Insights is not appropriate, the results you receive from our predictive analytics will result in sub-optimal results. First Insight provides best practices for Insights to be set up to support high quality results and recommends that customers use these best practices.

Your product data is your intellectual property (IP). We will treat your data with the sensitivity it deserves. Only First Insight employees who are adequately trained on our security and processing integrity policies are authorized to handle your sensitive product data.

Your Responsibility Related to Processing Integrity

First Insight relies on you, our customer, to:

• Ensure that your product data used as Insight input or value drivers is accurate and abides by First Insight’s best practices.
• Review and validate consumer engagement links prior to distributing to respondents.
• Contact your Point of Contact any time you feel there has been a processing integrity breach.

Confidentiality Statement

First Insight takes the security of customer data very seriously. We have created a robust confidentiality policy to ensure that your data remains secure.

First Insight classifies data as critical when it contains personally identifiable information, non-public customer sales data, and InsightSUITE data containing customer specific information. Critical data is only stored on systems owned or administered by First Insight. Access to critical data is restricted via permissions based upon a given user's role; permissions are provided with only the minimal access necessary.

First Insight has developed an action plan to address breaches or potential breaches of confidentiality. When a confidentiality incident is reported, First Insight will first close any active breach and then conduct an investigation to determine the root cause of the incident.

This investigation will cover:

• Whether or not there was an actual breach of confidentiality; that is, whether or not confidential data was leaked to unauthorized parties
• The extent of any breach
• How the breach or potential breach occurred
• Any actions necessary to prevent a similar breach from occurring in the future

Upon completion of the investigation, First Insight will inform any customers affected by the incident with a detailed description of the incident and results of the associated root cause analysis.

Your Responsibility Related to Confidentiality

First Insight's services were designed with the assumption that certain controls would be implemented by the customer and/or end users. These controls should be in operation by the customer and/or end users to complement First Insight's controls. Recommended controls are for a customer or end user to:

1. Define their own data classification.
2. Maintain the confidentiality of their own data.
3. Only transmit confidential data through approved and secure means.
4. Report any breach or potential breach of confidentiality to their own defined points of escalation and First Insight, as appropriate.