Security Addendum
Last updated on April 19, 2026.
- Applies to: Stern Bench Assistant serious pilot
- Access: Public
- Status: Published
This Security Addendum describes Stern Bench's baseline technical and organizational security measures for Stern Bench Assistant in connection with the serious pilot ring, including Paid Services and other written customer arrangements where this Security Addendum is made applicable.
1. SCOPE
This Security Addendum applies to Stern Bench Assistant under the serious pilot ring. In the event of a conflict between this Security Addendum and the Platform Agreement or DPA, the DPA controls with respect to the processing of DPA Data and the Platform Agreement controls with respect to other contractual matters, unless this Security Addendum expressly addresses the more specific security point at issue.
2. SECURITY GOVERNANCE
Stern Bench will maintain and implement reasonable administrative, technical, and organizational safeguards appropriate to the nature of the Service and the data Stern Bench processes in connection with applicable Paid Services.
3. ACCESS CONTROL
Stern Bench will:
- restrict access to production systems and customer-associated data to authorized personnel and contractors who require such access for legitimate operational, support, security, or legal-compliance purposes;
- maintain access controls reasonably designed to restrict access on a least-privilege basis, authenticate access to administrative systems, and revoke or adjust access when no longer required; and
- require individuals with authorized access to customer-associated data or production systems to be subject to confidentiality obligations.
4. ENCRYPTION
Stern Bench will use encryption in transit for data transmitted over public networks and encryption at rest where supported by the relevant production infrastructure and cloud services used for Stern Bench Assistant.
5. INFRASTRUCTURE AND HOSTING
Stern Bench Assistant is hosted using third-party cloud and infrastructure providers selected by Stern Bench. Stern Bench may use enterprise cloud providers and hosting providers, including Microsoft Azure infrastructure, Azure OpenAI services, enterprise identity and access tooling, and other providers relevant to the applicable serious pilot deployment, to operate the Service.
6. NETWORK, APPLICATION, AND THREAD SECURITY
Stern Bench will maintain reasonable measures designed to protect the Service against unauthorized access, misuse, and common application-level attack vectors. Such measures may include:
- HTTPS enforcement;
- authenticated access controls for account-based features;
- rate limiting, abuse prevention, and anti-automation controls;
- logging and monitoring relevant to security and service integrity;
- change management and deployment practices appropriate to Stern Bench's development process; and
- measures reasonably designed to protect stored thread content and account-linked assistant data against unauthorized access.
7. SUBPROCESSOR AND VENDOR MANAGEMENT
Stern Bench will maintain a subprocessor list for subprocessors that process DPA Data or otherwise access customer-associated data in connection with applicable Paid Services, impose contractual obligations requiring appropriate security and confidentiality protections, and remain responsible for the acts and omissions of its subprocessors to the extent provided in the DPA and Platform Agreement.
8. INCIDENT RESPONSE
Stern Bench will maintain incident-response procedures reasonably designed to identify, investigate, contain, and remediate security incidents affecting the Service, taking into account Stern Bench's current operational stage and the deployment mode being provided. Where a Personal Data Breach affects DPA Data and the DPA applies, Stern Bench will provide notice in accordance with the DPA.
9. DATA RETENTION, DELETION, AND RETURN
Stern Bench will maintain data-retention and deletion practices reasonably aligned with the applicable Terms, Privacy Policy, DPA, and written customer arrangements. Upon termination of the applicable Paid Services, Stern Bench will delete or return customer-associated data, including retained thread content where applicable, subject to any retention required by law or reasonably necessary for security, fraud prevention, dispute resolution, backup cycling, or legal compliance.
10. BACKUP, RESILIENCE, AND RECOVERY
Stern Bench will maintain reasonable measures to support service resilience and recovery for the Service, taking into account the architecture of Stern Bench Assistant, the deployment mode in use, and the capabilities of its underlying cloud providers. Stern Bench does not guarantee uninterrupted availability or any particular recovery time or recovery point objective unless expressly agreed in writing.
11. CUSTOMER DILIGENCE AND SECURITY QUESTIONS
Customers may direct security-related inquiries regarding Stern Bench Assistant to founder@sternbench.com, unless Stern Bench designates another security contact in writing.
12. LIMITATIONS
This Security Addendum describes Stern Bench's baseline security posture and does not constitute:
- a guarantee that the Service will be free from all vulnerabilities or security incidents;
- a promise that Stern Bench maintains any certification not expressly stated in writing; or
- a commitment to any customer-specific control environment unless separately agreed in writing.
Contact
Questions about this document can be directed to founder@sternbench.com.