Overlook Security Addendum

This Overlook Security Addendum (this “Security Addendum”) describes the baseline information security program and security commitments that apply to the Services provided by Overlook AI, Inc. (“Overlook”) under the agreement governing Customer’s access to and use of the Services. This Security Addendum is incorporated into, and forms part of, the applicable Subscription and Software License Agreement, Terms of Service, Order Form, Data Processing Addendum, Professional Services Addendum, or other written agreement between Overlook and Customer that expressly incorporates this Security Addendum (the “Agreement”). Capitalized terms used but not defined in this Security Addendum have the meanings given to them in the Agreement.

This Security Addendum is intended to allocate security responsibilities between Overlook and Customer and to describe Overlook’s baseline security posture. It does not replace any separately executed security exhibit, government security schedule, agency authorization package, FedRAMP authorization package, dedicated-environment security plan, or other negotiated security terms executed by the parties. If Customer requires security commitments different from or in addition to those stated in this Security Addendum, those commitments must be stated in an Order Form, security exhibit, or other written agreement signed by Overlook.

1. Scope and Applicability

This Security Addendum applies to the Services to the extent Overlook operates, hosts, supports, administers, or otherwise controls the relevant systems, applications, infrastructure configurations, or service processes. It applies to Hosted Services operated by Overlook, support activities performed by Overlook, professional services activities involving Customer Materials, and Licensed Software or packaged distributions only to the extent Overlook has expressly undertaken security obligations for those environments in an Order Form or other written agreement.

This Security Addendum does not apply to systems, networks, endpoints, cloud accounts, identity providers, integrations, datasets, AI systems, models, prompts, repositories, or environments that Customer operates or controls, except to the extent expressly stated in the Agreement. Customer remains responsible for the security of Customer-controlled environments and for the lawful, secure, and appropriate configuration and use of the Services by Customer and its Authorized Users.

2. Definitions

“Customer Data” means data, content, records, files, prompts, configurations, AI Profile content, completed Business-led AI Management Canvas entries, assessment responses, assessment results, operational inputs, and other information submitted to, uploaded to, stored in, or generated within the Services by or on behalf of Customer, excluding Overlook Technology and Overlook Materials.

“Customer Materials” means Customer Data and any other information, documents, files, access credentials, system information, business information, operating AI descriptions, workshop materials, or other materials that Customer provides to Overlook in connection with the Services or any professional services engagement.

“Overlook Technology” means the Services, Hosted Services, Licensed Software, Overlook platform, software, source code, object code, APIs, documentation, systems, configurations, templates, workflows, scoring structures, Business-led AI Management Assessment, Business-led AI Management Scorecard, Business-led AI Management Canvas design, training materials, delivery methods, internal playbooks, know-how, and related intellectual property owned or controlled by Overlook.

“Security Incident” means a confirmed breach of security of systems under Overlook’s control that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Data. Security Incidents do not include unsuccessful access attempts, pings, port scans, denial-of-service attempts that do not result in unauthorized access to Customer Data, attacks on Customer-controlled environments, or security events caused by Customer, Authorized Users, Customer systems, Customer integrations, or third-party systems not controlled by Overlook.

3. Security Program

Overlook will maintain a written information security program designed to protect the confidentiality, integrity, and availability of the Services and Customer Data processed by Overlook. The program will be appropriate to the nature of the Services, the sensitivity of Customer Data that Overlook is authorized to process, the deployment model selected by Customer, the size and maturity of Overlook’s business, and the risks reasonably foreseeable to Overlook.

Overlook’s security program will include administrative, technical, and organizational safeguards that address security governance, access control, personnel responsibilities, asset management, secure configuration, change management, vulnerability management, incident response, data protection, service continuity, and vendor oversight. The specific safeguards may evolve over time as Overlook’s products, infrastructure, threat environment, customer requirements, and legal obligations evolve, provided that Overlook will not materially diminish the overall security of the Services during a then-current paid subscription term without a legitimate business, legal, technical, or security reason.

4. Security Governance and Risk Management

Overlook will assign responsibility for maintaining and administering its information security program to personnel or service providers with appropriate responsibility for security operations, engineering practices, and customer trust obligations. Overlook will periodically review and update its security practices based on operational experience, changes to the Services, known vulnerabilities, reasonably available threat information, customer requirements, and applicable legal obligations.

Overlook may use recognized security frameworks, control catalogs, or industry practices as reference points for its security program. Unless expressly stated in an Order Form or separate security exhibit, references to recognized frameworks, including NIST, FedRAMP, ISO, SOC, or similar standards, are descriptive reference points and do not constitute a representation that the Services are certified, accredited, authorized, or fully compliant with any such framework.

5. Personnel Security

Overlook will require personnel with access to production systems, Customer Data, or Confidential Information to comply with confidentiality obligations. Overlook will maintain onboarding and offboarding procedures designed to ensure that personnel are granted access only as needed for their roles and that access is removed or disabled when no longer required. Where legally permissible and appropriate to the role, Overlook may conduct background checks or equivalent personnel screening for individuals with privileged access responsibilities.

Overlook will maintain security awareness practices appropriate to the roles of its personnel. Personnel with engineering, infrastructure, support, or administrative responsibilities may receive additional guidance concerning secure development, credential handling, incident reporting, customer confidentiality, and appropriate use of internal systems.

6. Access Controls

Overlook will maintain access controls designed to limit access to production systems and Customer Data to authorized personnel, contractors, and service providers with a legitimate business need. Overlook will use commercially reasonable authentication and authorization practices, including role-based access controls and least-privilege principles, for systems under Overlook’s control.

Privileged access to production systems will be restricted to authorized personnel and will be reviewed or updated periodically based on job function and operational need. Overlook will use commercially reasonable measures to protect administrative credentials and may require multi-factor authentication for administrative access where supported and appropriate to the system.

7. Customer Authentication and Account Security

Customer is responsible for administering its Authorized Users, managing account roles and permissions, configuring identity provider integrations, enforcing Customer’s internal authentication requirements, maintaining the security of user credentials, and promptly disabling access for users who no longer require access. Customer is responsible for all activity occurring under Customer accounts, except to the extent caused by Overlook’s breach of the Agreement.

Where the Services support single sign-on, identity federation, role-based permissions, user provisioning, multi-factor authentication, or similar controls, Customer is responsible for selecting, configuring, and maintaining those controls in accordance with Customer’s own security policies and risk requirements. Overlook is not responsible for unauthorized access resulting from Customer’s failure to configure available controls, Customer’s identity provider, compromised Customer credentials, or Customer-managed integrations.

8. Cloud Hosting and Shared Responsibility

Overlook may operate Hosted Services using cloud infrastructure providers, including Amazon Web Services, and may use AWS commercial regions, AWS GovCloud regions, or other environments as specified in an applicable Order Form. For cloud-hosted environments, security responsibility is shared among the cloud infrastructure provider, Overlook, and Customer. Overlook is generally responsible for the security of application components, configurations, operational processes, and managed service layers under Overlook’s control. Customer is generally responsible for Customer Data, Customer access controls, Customer systems, Customer networks, Customer endpoints, and Customer-selected configurations.

For dedicated, customer-cloud, GovCloud, on-premises, air-gapped, or other customer-managed deployments, the applicable Order Form or deployment schedule should identify which party is responsible for infrastructure, network controls, patching, backup administration, identity management, monitoring, log retention, vulnerability remediation, physical security, and operational administration. Unless the applicable Order Form expressly assigns a responsibility to Overlook, Customer is responsible for security of Customer-controlled infrastructure and deployment environments.

9. Network, Infrastructure, and Application Security

For environments under Overlook’s operational control, Overlook will use commercially reasonable network and infrastructure safeguards designed to reduce unauthorized access, protect production environments, and support the availability and integrity of the Services. Such safeguards may include network segmentation, managed firewall rules, secure configuration practices, vulnerability remediation processes, hardened administrative access paths, malware protection, and monitoring of material security events.

Overlook will maintain application security practices appropriate to the nature of the Services. Such practices may include secure development guidance, code review, dependency review, secrets management, automated or manual security testing, change control, and release procedures designed to reduce the risk of introducing material vulnerabilities into production systems.

10. Encryption and Data Protection

Overlook will use commercially reasonable measures to encrypt Customer Data in transit over public networks using contemporary transport encryption protocols where supported by the Services. Overlook will use commercially reasonable measures to protect Customer Data at rest within storage systems under Overlook’s operational control, including through encryption or equivalent protective measures where appropriate to the nature of the data and system.

Overlook will maintain reasonable controls for the management of cryptographic keys under Overlook’s control. Customer-managed keys, customer-supplied encryption, dedicated key management, or other enhanced cryptographic arrangements apply only if expressly included in an Order Form or separate security exhibit. Customer is responsible for encryption, key management, and access controls within Customer-controlled environments unless Overlook expressly undertakes those responsibilities in writing.

11. Logging, Monitoring, and Security Operations

Overlook will maintain logging and monitoring practices for systems under Overlook’s control that are designed to support security operations, troubleshooting, abuse detection, and incident investigation. The nature, scope, and retention of logs may vary based on the Services, deployment model, subscription tier, legal obligations, and operational needs.

Security logs and operational telemetry collected by Overlook may include administrative events, authentication events, system events, error logs, usage telemetry, network events, and other information reasonably necessary to operate and secure the Services. Access to such logs will be restricted based on business need and confidentiality obligations.

12. Vulnerability Management and Patch Management

Overlook will maintain a vulnerability management process for systems under Overlook’s control. The process will be designed to identify, assess, prioritize, remediate, and verify vulnerabilities based on severity, exploitability, availability of fixes, compensating controls, operational risk, service impact, and whether the affected system is managed by Overlook or Customer.

Overlook may use automated scanning, dependency review, security testing, third-party security tools, vendor notices, researcher reports, customer reports, and internal engineering review as part of its vulnerability management program. Remediation timelines may vary depending on severity, complexity, affected service, availability of vendor patches, customer impact, and the risk of service disruption.

13. Security Testing and Customer Testing Restrictions

Overlook may conduct periodic security assessments, vulnerability assessments, penetration tests, architecture reviews, or other security reviews of the Services using internal personnel or third-party providers. The timing, scope, methodology, and disclosure of such testing are determined by Overlook unless otherwise agreed in writing.

Customer may not conduct penetration tests, vulnerability scans, load tests, denial-of-service simulations, social engineering tests, physical security tests, or other intrusive security testing against the Services or Overlook systems without Overlook’s prior written authorization. Overlook may condition such authorization on a written testing plan, scope limitations, timing restrictions, confidentiality commitments, insurance requirements, and other safeguards reasonably necessary to protect the Services and other customers.

14. Incident Response and Security Incident Notice

Overlook will maintain an incident response process designed to identify, assess, contain, investigate, remediate, and document Security Incidents affecting systems under Overlook’s control. Overlook may prioritize incident response based on severity, affected systems, affected customers, legal obligations, operational risk, and the need to preserve evidence or protect the Services.

Overlook will notify Customer without undue delay after confirming a Security Incident affecting Customer Data, consistent with the Agreement, applicable Data Processing Addendum, and applicable law. Notice may be provided by email, in-product notice, support portal communication, or other reasonable means. Overlook’s notice will include information reasonably available to Overlook at the time, which may include the nature of the Security Incident, affected Services, known categories of affected Customer Data, steps taken or planned by Overlook, and recommendations for Customer action, subject to legal, security, confidentiality, and law enforcement limitations.

Customer will promptly notify Overlook of any suspected unauthorized access, credential compromise, misuse of the Services, vulnerability, or security issue reasonably believed to affect the Services or Customer’s use of the Services. Customer will reasonably cooperate with Overlook in investigating, containing, and remediating incidents involving Customer accounts, Customer systems, Customer Data, Customer integrations, or Customer-controlled environments.

15. Backup, Resilience, and Business Continuity

For Hosted Services under Overlook’s operational control, Overlook will maintain commercially reasonable backup, resilience, and recovery practices designed to support restoration of critical service functionality following qualifying disruptions. Recovery capabilities may vary based on product architecture, subscription tier, deployment model, region, and Order Form terms.

Unless expressly stated in an Order Form or Service Level Agreement, Overlook does not guarantee any specific recovery time objective, recovery point objective, backup frequency, retention period, or restoration outcome. Customer remains responsible for maintaining independent copies, exports, or backups of Customer Data to the extent required by Customer’s internal policies, regulatory obligations, or business continuity requirements.

16. Professional Services and Customer Materials

When Overlook provides professional services, workshops, training, onboarding, assessment support, Canvas facilitation, product configuration assistance, or data loading support, Overlook will handle Customer Materials in accordance with the Agreement, Professional Services Addendum, applicable Data Processing Addendum, and confidentiality obligations. Customer Materials provided during professional services engagements are subject to the same general security and confidentiality safeguards applicable to Customer Data, except to the extent Customer provides materials outside approved systems or channels.

Customer is responsible for ensuring that information provided during professional services engagements does not include prohibited, regulated, or highly sensitive data unless expressly authorized in a written agreement. Overlook is not responsible for security failures caused by Customer’s use of unauthorized communication channels, unauthorized recordings, unapproved third-party collaboration tools, or Customer’s disclosure of Customer Materials to persons not authorized by Customer.

17. Vendor and Subprocessor Security

Overlook may engage vendors, subcontractors, subprocessors, cloud providers, payment processors, support tools, analytics providers, communications providers, and other service providers to support the Services. Overlook will use commercially reasonable vendor management practices designed to evaluate and manage security risks associated with material service providers that process Customer Data or support production systems.

Where a service provider processes Customer Data on Overlook’s behalf, Overlook will impose contractual obligations appropriate to the nature of the services provided and materially consistent with Overlook’s obligations under the Agreement. Subprocessor obligations for Personal Data are further addressed in the applicable Data Processing Addendum.

18. Security Materials, Audits, and Questionnaires

Upon Customer’s reasonable written request and subject to confidentiality, Overlook may provide available security materials such as security summaries, completed questionnaires, architecture summaries, third-party audit summaries, certificates, penetration test executive summaries, or similar materials that Overlook makes generally available to similarly situated customers. Overlook may redact information that is confidential, sensitive, proprietary, irrelevant to Customer’s use of the Services, or that could compromise the security of the Services or other customers.

Customer audits of Overlook systems, facilities, personnel, source code, cloud accounts, or internal security operations are not permitted unless expressly required by applicable law or agreed in a written security exhibit signed by Overlook. Where an audit is required, the parties will cooperate in good faith to use security reports, questionnaires, certifications, or other less intrusive methods before any direct audit is permitted.

19. Public Sector, GovCloud, and Regulated Deployments

If Customer purchases a GovCloud, public sector, dedicated, or regulated deployment, the applicable Order Form or government schedule must specify any additional security requirements, boundary descriptions, control inheritance assumptions, agency responsibilities, FedRAMP requirements, NIST control baselines, information impact levels, data residency commitments, or other public-sector obligations. Unless expressly stated in an executed Order Form or authorization package, Overlook does not represent that any Service is FedRAMP authorized, agency-authorized, impact-level authorized, or approved for classified information, controlled unclassified information, export-controlled technical data, protected health information, payment card data, or other regulated data requiring specialized safeguards.

For public sector or government orders, Customer remains responsible for determining whether the Services, deployment model, authorization status, data types, control inheritance, and security boundary satisfy Customer’s procurement, agency, statutory, regulatory, and mission requirements. Overlook will provide security cooperation only to the extent expressly stated in the applicable Agreement, Order Form, government schedule, or mutually agreed authorization plan.

20. Customer Security Responsibilities

Customer is responsible for securely using the Services and for maintaining appropriate administrative, technical, and organizational safeguards for Customer’s own systems, users, data, and operations. Customer responsibilities include managing Authorized Users, enforcing account security, maintaining endpoint security, configuring identity integrations, limiting user permissions, controlling Customer Data inputs, protecting secrets and credentials, reviewing access periodically, maintaining backups required by Customer, and using the Services in accordance with the Agreement and documentation.

Customer is responsible for the security and legality of Customer’s AI systems, models, datasets, prompts, operating contexts, integrations, outputs, workflows, and decisions. Overlook’s security commitments do not make Overlook responsible for Customer’s AI operations, Customer’s business processes, Customer’s compliance determinations, Customer’s model behavior, Customer’s downstream use of insights, or Customer’s security obligations outside systems controlled by Overlook.

21. Restricted Data and Sensitive Information

The Services are designed for business operational data, AI management records, and related Customer Data permitted under the Agreement. Unless expressly authorized in a written agreement, Customer shall not submit protected health information subject to HIPAA, payment card data requiring PCI DSS controls, classified information, controlled unclassified information requiring specialized federal handling, export-controlled technical data, biometric identifiers, children’s data, special-category personal data, or other highly sensitive regulated information requiring safeguards not expressly provided by Overlook.

Customer is solely responsible for determining whether Customer Data is appropriate for use with the Services and whether Customer’s use of the Services satisfies Customer’s legal, regulatory, contractual, and internal security requirements. Overlook may suspend processing, require removal, or decline to process Customer Data that Overlook reasonably believes violates the Agreement, this Security Addendum, the Acceptable Use Policy, or applicable law.

22. Changes to Security Measures

Overlook may modify its security measures, technologies, vendors, hosting architecture, operational processes, and security program from time to time, provided that such modifications do not materially diminish the overall security of the Services during a then-current paid subscription term without a legitimate business, legal, technical, or security reason. Customer acknowledges that security controls must evolve to address new threats, product changes, infrastructure changes, legal requirements, and operational needs.

If Overlook makes a material change that materially reduces the security commitments expressly stated in this Security Addendum and the change is not required for security, legal compliance, service integrity, or operational continuity, Customer’s sole remedy will be to provide written notice and request commercially reasonable remediation. If Overlook does not materially remediate the reduction within a reasonable period and the reduction materially impairs Customer’s use of the affected paid Services, Customer may terminate the affected Order Form and receive a refund of prepaid unused fees for the affected Services, unless the applicable Agreement provides a different exclusive remedy.

23. No Absolute Security; No Independent Warranty

No security measure can guarantee absolute security. Except as expressly stated in the Agreement, this Security Addendum does not create any warranty that the Services will be uninterrupted, error-free, immune from attack, free from vulnerabilities, compliant with Customer’s internal policies, or suitable for any specific regulated data type or security classification.

This Security Addendum describes Overlook’s baseline security practices and does not expand Overlook’s liability, indemnity obligations, warranties, service levels, or remedies beyond those expressly stated in the Agreement. Any remedies for breach of this Security Addendum are subject to the limitations of liability, exclusions of damages, and exclusive-remedy provisions of the Agreement.

24. Order of Precedence

If there is a conflict between this Security Addendum and the Agreement, this Security Addendum controls solely with respect to the subject matter of Overlook’s baseline security commitments. If there is a conflict between this Security Addendum and a Data Processing Addendum with respect to Personal Data processing, breach notification, subprocessors, or data protection obligations, the Data Processing Addendum controls solely with respect to that Personal Data subject matter. If there is a conflict between this Security Addendum and an executed Order Form, negotiated security exhibit, government schedule, or mutually executed authorization package that expressly modifies security obligations, the executed Order Form, security exhibit, government schedule, or authorization package controls solely to the extent of the conflict.

Nothing in this Security Addendum limits Customer’s obligations under the Acceptable Use Policy, Commercial Software License, Professional Services Addendum, Order Form, or other incorporated documents. Nothing in this Security Addendum grants Customer audit, testing, access, data residency, encryption-key, certification, or regulatory rights not expressly stated in the Agreement or a signed Order Form.

25. Survival

Sections of this Security Addendum that by their nature should survive expiration or termination will survive, including provisions concerning confidentiality, Customer security responsibilities, restricted data, audit restrictions, no absolute security, order of precedence, and limitations of liability.