Telnyx Security Measures

1. Overview. This Telnyx Security Overview (“Security Overview”) is incorporated into and made a part of (a) Telnyx’s Terms and Conditions of service available at: https://telnyx.com/terms-and-conditions-of-service; or (b) a similar written agreement between Telnyx and Customer for Customer’s use of the Services (each, the “Agreement”).

“Services”, “Telnyx Services”, will each have the meaning given to it in the Terms and Conditions or the Data Protection Addendum available at https://telnyx.com/company/data-privacy (“Data Protection Addendum”). Any capitalized term used but not defined in this Security Overview will have the meaning given to it in either the Agreement or the Data Protection Addendum.

2. Purpose. This Security Overview describes Telnyx’s security program, security certifications, and technical and organizational security controls to protect (a) Customer Data from unauthorized use, access, disclosure, or theft and (b) the Services.

In addition to this Security Overview, Telnyx’s technical security documentation for the Telnyx APIs is available at https://telnyx.com/api. As security threats shift and evolve, Telnyx continues to update its security program and strategy to help protect Customer Data and the Services. As such, Telnyx reserves the right to update this Security measures from time to time; provided, however, any update will not materially reduce the overall protections set forth in this Security Overview.

3. Security Organization and Program. Telnyx maintains a risk-based assessment security program. The framework for Telnyx’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data. Telnyx’s security program is intended to be appropriate to the nature of the Services and the size and complexity of Telnyx’s business operations. Telnyx has a separate and dedicated Information Security team that manages Telnyx’s security program. This team facilitates and supports independent audits and assessments performed by third parties. Telnyx’s “Information Security Management System”, incorporating industry frameworks and compliances such as ISO 27001, SOC, NIST, CIS and others, will include programs covering: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response. Security is managed at the highest levels of the company, with Telnyx’s Chief Executive Officer and Security Officer, where applicable, meeting with executive management regularly to discuss issues and coordinate company-wide security initiatives. Information security policies and standards are reviewed and approved by management at least annually and are made available to all Telnyx employees for their reference.

4. Confidentiality. Telnyx has controls in place to maintain the confidentiality of Customer Data in accordance with the Agreement. All Telnyx employees and contract personnel are bound by Telnyx’s internal policies regarding maintaining the confidentiality of Customer Data and are contractually obligated to comply with these obligations.

5. People Security

5.1 Employee Background Checks. Telnyx performs background checks on all new employees at the time of hire in accordance with applicable local laws. Telnyx currently verifies a new employee’s education and previous employment and performs reference checks. Where permitted by applicable law, Telnyx may also conduct criminal, credit, immigration, and security checks depending on the nature and scope of a new employee’s role.

5.2 Employee Training. At least once (1) a year, all Telnyx employees must complete a security and privacy training which covers Telnyx’s security policies, security best practices, and privacy principles. Employees on a leave of absence may have additional time to complete this annual training. Telnyx’s dedicated security team also performs phishing awareness campaigns and communicates emerging threats to employees. Telnyx currently is looking to also establish an anonymous hotline for employees to report any unethical behavior where anonymous reporting is legally permitted

6. Vendor(s) Management

6.1 Vendor Assessment. Telnyx may use third party vendors to provide the Services. Telnyx carries out a security risk- based assessment of prospective vendors before working with them to validate they meet Telnyx’s security requirements. Telnyx periodically reviews each vendor in light of Telnyx’s security and business continuity standards, including the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements. Telnyx ensures that Customer Data is returned and/or deleted at the end of a vendor relationship.

6.2 Vendor Agreements. Telnyx enters into written agreements with all of its vendors which include confidentiality, privacy and security obligations that provide an appropriate level of protection for Customer Data that these vendors may process.

7. Security Certifications. Telnyx holds the following security-related certifications:

• SOC 2 Type I - (Trust Service Principles: Security & Availability): o The following Telnyx Services: Programmable Voice, Programmable Messaging, Video and Wireless. • SOC 2 Type 2 & Type 3 – (Security, Confidentiality, & Availability) o The following Telnyx Services: Programmable Voice, Programmable Messaging, Video and Wireless • ISO 27001:2013 o The following Telnyx Services: Programmable Voice, Programmable Messaging, Video and Wireless

8. Architecture and Data Segregation

8.1 Telnyx Services. The cloud communication platform for the Telnyx Services is hosted by Amazon Web Services (“AWS”), Google Compute Environment, and IBM Softlayer. The AWS data center infrastructure used in providing the Telnyx Services are located in the United States or as otherwise set forth by Telnyx. Additional information about security provided by AWS is available at: https://aws.amazon.com/security/ and https://telnyx.com/legal/technical-organizational-security-practices. Telnyx’s production environment within AWS and Google, where Customer Data and the Telnyx Services are hosted, is a logically isolated Virtual Private Cloud (VPC).

8.2 Telnyx Services. For the Services, Telnyx leverages colocation data centers, provided by Equinix, which are located in the United States or as otherwise set forth by Telnyx.

8.3 Services. For the Services, all network access between production hosts is restricted, using firewalls to allow only authorized services to interact in the production network. Firewalls are in use to manage network segregation between different security zones in the production and corporate environments. Firewall rules are reviewed regularly. Telnyx separates Customer Data using logical identifiers which tag Customer Data with a unique customer identifier that is assigned to Customer to clearly identify ownership. The Telnyx APIs are designed and built to identify and allow access only to and from these tags. These controls prevent other customers from having access to Customer Data.

9. Physical Security. AWS data centers that host the Telnyx Services and the colocation data centers provided by Equinix that are used for the Services are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication (2FA) a minimum of two (2) times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week. Uninterruptible power supplies and on-site generators are available to provide back-up power in the event of an electrical failure. In addition, Telnyx headquarters and office spaces have a physical security program that manages visitors, building entrances, CCTVs (closed circuit televisions), and overall office security. All employees, contractors, and visitors are required to wear identification badges.

10. Security by Design. Telnyx follows security by design principles when it designs the Services. Telnyx also applies the Secure Software Development Lifecycle (Secure SDLC) standard to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before new Services are deployed; (b) penetration tests performed on new Services by independent third parties; and (c) threat models for new Services to detect of any potential security threats and vulnerabilities.

11. Access Controls

11.1 Provisioning Access. To minimize the risk of data exposure, Telnyx follows the principles of least privilege through a role-based-access-control model when provisioning system access. Telnyx personnel are authorized to access Customer Data based on their job function, role and responsibilities, and such access requires approval of the employee’s manager. Access rights to production environments are reviewed at least semi-annually. An employee’s access to Customer Data is promptly removed upon termination of their employment. In order to access the production environment, an authorized user must have a unique username and password, multi-factor authentication and be connected to Telnyx’s Virtual Private Network (VPN). Before an engineer is granted access to the production environment, access must be approved by management and the engineer is required to complete internal training for such access including training on the relevant team’s systems. Telnyx logs high risk actions and changes in the production environment. Telnyx leverages automation to identify any deviation from internal technical standards that could indicate anomalous/unauthorized activity to raise an alert within minutes of a configuration change.

11.2 Password Controls. Telnyx’s current policy for employee password management follows the NIST 800-63B guidance, and as such, our policy is to use longer passwords, with multi-factor authentication and require special character but not frequent changes. For the Services, password requirements include a ten (10) character minimum, with at least three (3) of the following characteristics: upper case letter, lower case letter, number, or special character. When a customer logs into its account, Telnyx hashes the credentials of the user before it is stored. A customer may also require its users to add another layer of security to their account by using two-factor authentication (2FA) and/or set up an SSO through an identity provider (IdP).

12. Change Management. Telnyx has a formal change management process it follows to administer changes to the production environment for the Services, including any changes to its underlying software, applications, and systems. Each change is carefully reviewed and evaluated in a test environment before being deployed into the production environment for the Services. All changes, including the evaluation of the changes in a test environment, are documented using a formal, auditable, system of record. A rigorous assessment is carried out for all high-risk changes to evaluate their impact on the overall security of the Services. Deployment approval for high-risk changes is required from the correct organizational stakeholders. Plans and procedures are also implemented in the event a deployed change needs to be rolled back to preserve the security of the Services.

13. Encryption. For the Telnyx Services, (a) the databases that store Customer Data are encrypted using the Advanced Encryption Standard and (b) Customer Data is encrypted when in transit between Customer’s software application and the Services using TLS v1.2 or greater. For the Services, Telnyx provides opportunistic TLS v1.2 for emails in transit between Customer’s software application and the recipient’s email server. The Services are designed to opportunistically try outbound TLS v1.2 when attempting to deliver an email to a recipient. This means that if a recipient's email server accepts an inbound TLS v1.2 connection, Telnyx will deliver an email over a TLS encrypted connection. If a recipient’s email server does not support TLS, Telnyx will deliver an email over the default unencrypted connection. The Services provide an optional feature, which Customer has to enable, that allows Customer to enforce TLS encryption. If Customer enables the enforced TLS feature, Telnyx will only deliver an email to a recipient if the recipient’s email server accepts an inbound TLS v1.2 connection.

14. Vulnerability Management. Telnyx maintains controls and policies to mitigate the risk of security vulnerabilities in a measurable time frame that balances risk and the business & operational requirements. Telnyx uses various tools to conduct vulnerability scans regularly to assess vulnerabilities in Telnyx’s cloud infrastructure and corporate systems. Critical software patches are evaluated, tested, and applied proactively. For the Telnyx Services, operating system patches are applied through the regeneration of a base virtual-machine image and deployed to all nodes in the Telnyx cluster over a predefined schedule. For high-risk patches, Telnyx will deploy directly to existing nodes through internally developed orchestration tools.

15. Penetration Testing. Telnyx performs penetration tests and engages independent third-party entities to conduct application-level penetration tests. Security threats and vulnerabilities that are detected are prioritized, triaged, and remediated promptly. Telnyx maintains a Bug Bounty Program, which allows independent security researchers to report security threats and vulnerabilities on an ongoing basis.

16. Security Incident Management. Telnyx maintains security incident management policies and procedures in accordance with NIST SP 800-61. Telnyx’s Security Incident Response Team (SIR) assesses all relevant security threats and vulnerabilities and establishes appropriate remediation and mitigation actions. Telnyx retains security logs for ninety (90) days. Access to these security logs is limited to SIR. Telnyx utilizes third-party tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.

17. Discovery, Investigation, and Notification of a Security Incident. Telnyx will promptly investigate a Security Incident upon discovery. To the extent permitted by applicable law, Telnyx will notify Customer of a Security Incident in accordance with the Data Protection Addendum. Security Incident notifications will be provided to Customer via email to the email address designated by Customer in its account.

18. Resilience and Service Continuity. The Services use a variety of tools and mechanisms to achieve high availability and resiliency. For the Telnyx Services, Telnyx’s infrastructure spans multiple fault-independent AWS and Google availability zones in geographic regions physically separated from one another. Telnyx’s infrastructure is able to detect and route around issues experienced by hosts or even whole data centers in real time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup. Telnyx also leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these specialized tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. Telnyx is also immediately notified in the event of any suboptimal server performance or overloaded capacity.

19. Backups and Recovery. Telnyx performs regular backups of Customer Data, which is hosted on AWS’s and Google data center infrastructure. Customer Data that is backed up is retained redundantly across multiple availability zones and encrypted in transit and at rest using Advanced Encryption Standard (AES-256).