Security Incident Response Exhibit

Fluentworks, Inc.

Last updated February 28, 2026
Version 1.0

This Security Incident Response Exhibit (“Exhibit”) is incorporated into and forms part of the Master Subscription Agreement / Terms of Service (“Agreement”) between Fluentworks, Inc. (“Fluent”) and Customer.

1. Definitions

“Security Incident” has the meaning given in the Agreement.

“Security Event” means a security-related event that does not constitute a Security Incident, including unsuccessful attempts such as pings, port scans, denial-of-service attacks, and unsuccessful login attempts, and other events that do not compromise the security, confidentiality, or integrity of Customer Data.

“Breach” (PHI). When used in the context of PHI, “Breach” has the meaning given in 45 C.F.R. § 164.402 and the Business Associate Agreement (“BAA”), if applicable.

2. Incident Classification

Fluent classifies Security Incidents and certain Security Events using the following severity levels:

  • Severity 1 (Critical): Confirmed unauthorized access to or exfiltration of Customer Data (including PHI where a BAA is in effect); ransomware affecting production systems; confirmed compromise of credentials enabling unauthorized access to Customer Data.
  • Severity 2 (High): Credible evidence of unauthorized access under investigation; vulnerability actively being exploited; confirmed improper disclosure of Customer Data that may not meet the threshold of a PHI Breach.
  • Severity 3 (Medium): Vulnerability identified with no evidence of exploitation; improper access by authorized personnel exceeding scope; configuration error that could expose Customer Data, with no evidence of unauthorized access.
  • Severity 4 (Low): Security Events such as unsuccessful attempts; minor policy violations with no data exposure; benign scanning activity with no resulting compromise.

3. Notification Timelines

Non-PHI Security Incidents (Severity 1–2). For a Security Incident involving Customer Data that is not PHI, Fluent will notify Customer without unreasonable delay and in no event later than seventy-two (72) hours after discovery, as provided in the Agreement.

PHI Breach (where a BAA is in effect). If the Security Incident constitutes a Breach of Unsecured PHI under the BAA, Fluent will notify Customer without unreasonable delay and in no event later than ten (10) business days after discovery, as provided in the BAA.

Severity 3 (Medium). Fluent will notify Customer within a reasonable time based on the circumstances, and no later than thirty (30) days after discovery, if the event is reasonably likely to be material to Customer’s security or compliance obligations.

Severity 4 (Low) / Security Events. Routine Security Events (including unsuccessful attempts) do not trigger individual notifications. This Exhibit constitutes standing notice that such Security Events occur in the normal course of operating internet-facing services. If a Security Event becomes a Security Incident (e.g., an unsuccessful attempt leads to unauthorized access), the applicable notification timeline above will apply.

4. Notification Content

Notifications will include, to the extent known at the time:

  • the nature and scope of the incident;
  • the types of data affected (and whether PHI is involved);
  • the date of the incident (if known) and the date of discovery;
  • whether the incident is ongoing or contained;
  • remediation and mitigation steps taken or planned; and
  • a point of contact for follow-up.

Fluent will provide supplemental information as it becomes reasonably available during the investigation.

5. Response Procedures

Investigation. Fluent will promptly investigate suspected Security Incidents and document findings. Fluent will preserve relevant evidence where appropriate and feasible.

Containment and remediation. Fluent will take reasonable steps to contain the incident, mitigate harm, and remediate the underlying cause.

Cooperation. Fluent will cooperate with Customer’s reasonable requests for information and coordination to support Customer’s compliance and notification obligations under applicable law and, where applicable, the BAA.

Root cause analysis. For Severity 1–2 Security Incidents, Fluent will provide a written summary of root cause and remediation actions within thirty (30) days after the incident is closed, subject to legal, security, or confidentiality constraints.

6. Customer Responsibilities

Customer will:

  • report suspected Security Incidents promptly to security@fluentworks.com;
  • cooperate reasonably with Fluent’s investigation and remediation efforts; and
  • be responsible for notifications to affected individuals and regulators as required by applicable law (with Fluent’s assistance as described in the Agreement, this Exhibit, and the BAA where applicable).

7. Contact

Security issues and suspected Security Incidents should be reported to: security@fluentworks.com.

For critical Severity 1 issues, Customer should mark the message subject line: “URGENT: SEV1 SECURITY INCIDENT”.