Abrigo, Inc.


Abrigo, Inc.
Report on Abrigo, Inc.’s Description of Its Anti-money Laundering, Fraud Detection, Lending, Credit Risk, and Portfolio Risk Solutions and certain aspects of the General Computer Control Environment and on the Suitability of the Design and Operating Effectiveness of Its Controls (SOC 1 Type 2)
For the period January 1, 2021 to September 30, 2021

Table of Contents
Section One: Independent Service Auditor’s Report
Section Two: Assertion of Abrigo’s Management
Section Three: Abrigo’s Description of Its System
Section Four: Description of Abrigo’s Control Objectives and Related Controls, and Independent Service Auditor’s Description of Tests of Controls and Results
Section Five: Other Information Provided by Abrigo

Section One: Independent Service Auditor’s Report
To: Management of Abrigo, Inc.

Scope

We have examined Abrigo, Inc.’s (“Abrigo” or “Company”) description of its Anti-money Laundering (AML), Fraud Detection, Lending, Credit Risk, and Portfolio Risk Solutions and certain aspects of the general computer control environment (referred to herein as the “System”) for processing user entities’ transactions throughout the period January 1, 2021 to September 30, 2021 (description) and the suitability of the design and operating effectiveness of the controls included in the description to achieve the related control objectives stated in the description, based on the criteria identified in “Assertion of Abrigo’s Management” (assertion). The controls and control objectives included in the description are those that management of Abrigo believes are likely to be relevant to user entities’ internal control over financial reporting, and the description does not include those aspects of the System that are not likely to be relevant to user entities’ internal control over financial reporting.

The information included in Section Five, “Other Information Provided by Abrigo” is presented by management of Abrigo to provide additional information and is not a part of Abrigo’s description of its System made available to user entities during the period January 1, 2021 to September 30, 2021.
Information about Abrigo’s co-location physical access and environmental controls, business continuity planning, and compliance mapping to Title 23 NYCRR Part 500 have not been subject to the procedures applied in the examination of the description of its System and of the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the Description of Its System and, accordingly, we express no opinion on it.

Abrigo utilizes Flexential, a subservice organization, to provide co-located datacenter services for IT infrastructure, including both physical and environmental controls. The description includes only the control objectives and related controls of Abrigo and excludes the control objectives and related controls of Flexential. The description also indicates that certain control objectives specified by Abrigo can be achieved only if complementary subservice organization controls assumed in the design of Abrigo’s controls are suitably designed and operating effectively, along with the related controls at Abrigo. Our examination did not extend to controls of the subservice organization and we have not evaluated the suitability of the design or operating effectiveness of such complementary subservice organization controls.

The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls assumed in the design of Abrigo controls are suitably designed and operating effectively, along with related controls at the service organizations.
Our examination did not extend to such complementary user entity controls and we have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

Service Organization’s Responsibility

In Section Two, Abrigo has provided an assertion about the fairness of the presentation of the description and suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. Abrigo is responsible for preparing the description and assertion, including the completeness, accuracy, and method of presentation of the description and assertion, providing the services covered by the description, specifying the control objectives and stating them in the description, identifying the risks that threaten the achievement of the control objectives, selecting the criteria stated in the assertion, and designing, implementing, and documenting controls that are suitably designed and operating effectively to achieve the related control objectives stated in the description.

Service Auditor’s Responsibility

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform the examination to obtain reasonable assurance about whether, in all material respects, based on the criteria in management’s assertion, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period January 1, 2021 to September 30, 2021.
We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

SOC 1 Type 2 Page 3

An examination of a description of a service organization’s System and the suitability of the design and operating effectiveness of controls involves
a. performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on the criteria in management’s assertion.
b. assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description.
c. testing the operating effectiveness of those controls that management considers necessary to provide reasonable assurance that the related control objectives stated in the description were achieved.
d. evaluating the overall presentation of the description, suitability of the control objectives stated in the description, and suitability of the criteria specified by the service organization in its assertion.

Inherent Limitations

The description is prepared to meet the common needs of a broad range of user entities and their auditors who audit and report on user entities’ financial statements and may not, therefore, include every aspect of the System that each individual user entity may consider important in its own particular environment. Because of their nature, controls at a service organization may not prevent, or detect and correct, all misstatements in processing or reporting transactions.
Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become ineffective.

Description of Tests of Controls

The specific controls we tested, and the nature, timing, and results of those tests are listed in Section Four of this report.

Opinion

In our opinion, in all material respects, based on the criteria described in Abrigo’s assertion
a. the description fairly presents the System that was designed and implemented throughout the period January 1, 2021 to September 30, 2021.
b. the controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period January 1, 2021 to September 30, 2021 and subservice organizations applied the complementary controls assumed in the design of Abrigo’s controls throughout the period January 1, 2021 to September 30, 2021.
c. the controls operated effectively to provide reasonable assurance that the control objectives stated in the description were achieved throughout the period January 1, 2021 to September 30, 2021 if complementary subservice organization controls assumed in the design of Abrigo’s controls operated effectively throughout the period January 1, 2021 to September 30, 2021.

Restricted Use

This report, including the description of tests of controls and results thereof in Section Four, is intended solely for the information and use of Abrigo, user entities of Abrigo’s System during some or all of the period January 1, 2021 to September 30, 2021, and their auditors who audit and report on such user entities’ financial statements or internal control over financial reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by user entities themselves, when assessing the risks of material misstatement of user entities’ financial statements. This report is not intended to be, and should not be, used by anyone other than these specified parties.

Raleigh, North Carolina
November 16, 2021

Section Two: Assertion of Abrigo’s Management
To: DHG (Dixon Hughes Goodman LLP)

We have prepared the description of Abrigo’s Anti-money Laundering (AML), Fraud Detection, Lending, Credit Risk, Portfolio Risk Solutions and certain aspects of the general computer control environment entitled “Abrigo’s Description of Its System,” for processing user entities’ transactions throughout the period January 1, 2021 to September 30, 2021 (description) for user entities of the System during some or all of the period January 1, 2021 to September 30, 2021, and their auditors who audit and report on such user entities’ financial statements or internal control over financial statement reporting and have a sufficient understanding to consider it, along with other information, including information about controls implemented by subservice organizations and user entities of the System themselves when assessing the risks of material misstatement of user entities’ financial statements.

Abrigo utilizes Flexential, a subservice organization, to provide co-located datacenter services for IT infrastructure, including both physical and environmental controls. The description includes only the control objectives and related controls of Abrigo and excludes the control objectives and related controls of Flexential. The description also indicates that certain control objectives specified in the description can be achieved only if complementary subservice organization controls assumed in the design of our controls are suitably designed and operating effectively, along with the related controls. The description does not extend to controls of the subservice organization.

The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls assumed in the design of Abrigo’s controls are suitably designed and operating effectively, along with related controls at the service organization.
The description does not extend to controls of the user entities.

We confirm, to the best of our knowledge and belief, that:

1. the description fairly presents the System made available to user entities of the System during some or all of the period January 1, 2021 to September 30, 2021 for processing user entities’ transactions as it relates to controls that are likely to be relevant to user entities’ internal control over financial reporting. The criteria we used in making this assertion were that the description:
   a. presents how the System made available to user entities of the System was designed and implemented to process relevant user entity transactions, including, if applicable:
      i. the types of services provided, including, as appropriate, the classes of transactions processed.
      ii. the procedures, within both automated and manual systems, by which those services are provided, including, as appropriate, procedures by which transactions are initiated, authorized, recorded, processed, corrected as necessary, and transferred to the reports and other information prepared for user entities of the System.
      iii. the information used in the performance of the procedures including, if applicable, related accounting records, whether electronic or manual, and supporting information involved in initiating, authorizing, recording, processing, and reporting transactions; this includes the correction of incorrect information and how information is transferred to the reports and other information prepared for user entities.
      iv. how the System captures and addresses significant events and conditions other than transactions.
      v. the process used to prepare reports and other information for user entities.
      vi. the services performed by a subservice organization, if any, including whether the carve-out method or the inclusive method has been used in relation to them.
      vii. the specified control objectives and controls designed to achieve those objectives including, as applicable, complementary user entity controls and complementary subservice organization controls assumed in the design of the controls.
      viii. other aspects of our control environment, risk assessment process, information and communications (including the related business processes), control activities, and monitoring activities that are relevant to the services provided.
   b. includes relevant details of changes to the System during the period covered by the description.
   c. does not omit or distort information relevant to the System, while acknowledging that the description is prepared to meet the common needs of a broad range of user entities of the System and their user auditors and may not, therefore, include every aspect of the System that each individual user entity of the System and its auditor may consider important in its own particular environment.
2. the controls related to the control objectives stated in the description were suitably designed and operating effectively throughout the period January 1, 2021 to September 30, 2021 to achieve those control objectives if subservice organizations and user entities applied the complementary controls assumed in the design of Abrigo’s controls throughout the period January 1, 2021 to September 30, 2021. The criteria we used in making this assertion were that:
   a. the risks that threaten the achievement of the control objectives stated in the description have been identified by management.
   b. the controls identified in the description would, if operating effectively, provide reasonable assurance that those risks would not prevent the control objectives stated in the description from being achieved.
   c. the controls were consistently applied as designed, including whether manual controls were applied by individuals who have the appropriate competence and authority.

Austin, Texas
November 16, 2021

Section Three: Abrigo’s Description of Its System

Overview of Abrigo

Company Background

Headquartered in Austin, Texas, Abrigo is a financial services technology company that provides compliance, credit risk, and lending solutions to enable its customers to “think bigger”, allowing them to both manage risk and drive growth. Abrigo was created when Banker’s Toolbox, founded in 2000, acquired three other technology providers: MainStreet Technologies (MST), founded in 1999 and acquired in 2018; Sageworks, founded in 1998 and acquired in 2018; and FARIN Financial Risk Management, founded in 1985 and acquired in 2019.

Abrigo helps community financial institutions succeed against “the perfect storm” of ever-changing and increasing regulatory requirements, limited resources, increasing and new competition, evolving technologies, and changing customer expectations. Abrigo provides product innovation, world-class support, and specialty expertise so that Abrigo customers can make big things happen.

The Company offers innovative technology that allows financial institutions to reduce risk and drive growth. The technology spans Financial Crime Risk, Lending, Portfolio Risk, and Financial Analysis. Across the solutions, Abrigo prioritizes ease of use, integrations with other software, transparency, and reportability. Abrigo also offers Advisory Services to complement the technology, including Financial Crime Investigation, Loan Portfolio Risk Management, Asset/Liability Management, Pricing, CECL Transition Assistance, and Reporting.

Thousands of accounting firms also utilize Abrigo’s software, ProfitCents, and proprietary data to automate audit requirements and consult with their business clients.
The market acceptance of Abrigo’s software products, along with the Company’s commitment to superior client service, has supported continuous growth, strong recurring revenue, and the expansion of product and service offerings.

Services Provided

Abrigo is a financial services technology company that provides various software and consulting solutions to its clients. The scope of this report includes technology offered by Abrigo for Anti-money Laundering, Fraud Detection, Lending, Credit Risk, and Portfolio Risks. The software formerly offered by FARIN Financial Risk Management is not included within this report.

Technology

Having come together through the Company’s acquisition model, the software solutions for Financial Crime Risk, Lending, Portfolio Risk, and Financial Analysis are deployed differently. Many clients using Abrigo’s Financial Crimes software, BAM, and Loan Loss Analyzer, formerly from MST, use locally installed versions of the software that are updated through quarterly release cycles in which updates are made available for download. A portion of Financial Crime software clients, LLA clients, and all Abrigo clients using the Sageworks Lending, Credit Risk, or Portfolio Risk solutions rely on Abrigo’s multi-tenant Software-as-a-Service (SaaS) platform.

In 2020, Abrigo launched Abrigo Connect, which uses an Integrated Data Management Platform to bridge data across the SaaS solutions to offer financial institutions enterprise level insights and dashboarding capabilities.

Abrigo’s SaaS systems are segregated into development, disaster recovery, and production environments located in two geographically separate datacenter facilities. Abrigo operates a Microsoft Windows environment deployed on Intel-based hardware, with all product related services operating on Microsoft Windows Server with Microsoft SQL Server databases. For the production, development, and disaster recovery environments, Abrigo maintains a co-location relationship with Flexential for datacenter services. Abrigo owns, operates, and maintains all of its own equipment, hardware, and platforms, while Flexential provides physical and environmental controls. SOC 1 and SOC 2 reports are obtained annually from the datacenter provider and are reviewed by Abrigo.

Abrigo systems are protected by firewalls, intrusion detection and prevention systems, and other perimeter controls. Network access permissions are granted through Active Directory. Corporate network systems are located at Abrigo office locations and housed in a secure, temperature-controlled area, to which access is restricted to authorized personnel only. The corporate systems are for office connectivity and are not associated with customer-facing or production environments.

Organizational Structure

Leadership at Abrigo starts with an engaged, committed, and effective Board of Directors. Management sets strategic business objectives, ensures that Abrigo has dynamic and responsive leadership, tracks performance, and institutes strong financial controls.
Management believes in strengthening investor confidence and creating long-term shareholder value so Abrigo can continue to deliver technology innovations that provide opportunities for customers.

Abrigo actively partners with firms, vendors, and developers to facilitate more advanced analysis and increase value delivered to customers using broad and expandable technology. Abrigo strives to help companies lower costs, improve efficiency, and increase revenue, and has successfully built custom expert systems, adapted its existing platforms, licensed industry data, and established synergies with companies in its existing markets.

Relevant Customer Applications

The Customer Applications leverage similar business processes, inbound and outbound data feeds, security, platforms, and software architecture, details of which are included in this section. Relevant Customer Applications include the following solutions, including all modules made available through each solution:

Solution Name: Anti-money Laundering Detection Solution
Related Control Objectives: CO-1 to CO-8, CO-10 to CO-12
Solution Description: Abrigo offers BAM, a Bank Secrecy Act (BSA) and Anti-money Laundering (AML) solution for banks and credit unions. The software allows the financial institution to customize scenarios, customer segmentations, workflows, and reporting to optimize the institution’s BSA program while complying with audit and exam expectations. Add-ons are available for Customer Due Diligence, Office of Foreign Assets Control (OFAC) and Watchlist Scanning, and advanced Fraud Protection. Abrigo’s solution allows clients to:
- Optimize case management to save time within the institution’s BSA department,
- Reduce false positives through the deployment of machine learning,
- Customize segmentation and scenarios to fit the institution’s unique risk profile and customer base,
- Easily access the information needed to understand BSA system health,
- Streamline Suspicious Activity Report (SAR) and Currency Transaction Report (CTR) processes with system-populated forms and direct file to FinCEN,
- Leverage IQ AutoScan as a standalone OFAC compliance platform for all financial service businesses.

Solution Name: Fraud Detection Solution
Related Control Objectives: CO-1 to CO-8, CO-10 to CO-12
Solution Description: Abrigo’s multi-channel fraud prevention software helps banks and credit unions catch more financial criminals than manual systems or omni-channel fraud tools. Abrigo’s fraud solution includes centralized case management workflow and robust analytics engine to detect, investigate, track, and report on potentially fraudulent activity across different lines of business and transaction types. Abrigo’s solution allows clients to:
- Combine with BSA/AML SAR preparation for a centralized reporting system,
- Fraud data files, such as Automated Clearing House (ACH) origination files, import directly into BAM for scanning and detecting anomalies that can prevent account takeover and embezzlement,
- Transparency into fraud scenarios and alerts, giving staff the information needed to act quickly,
- Review ACH and wire files for activity that may indicate corporate account takeover, tax fraud, or embezzlement,
- Detect fraud before transactions are processed, protecting the institution from loss.

Solution Name: Lending Solution
Related Control Objectives: CO-1 to CO-12
Solution Description: The Sageworks Lending Solution from Abrigo is designed to help institutions grow their loan portfolios through scalable and convenient origination channels. The system accommodates commercial, Commercial Real Estate (CRE), personal, SMB, agricultural, nonprofit, and SBA-guaranteed loans, helping institutions grow online revenues from these channels while maintaining the institution’s credit policy and decisioning thresholds. Abrigo’s solution allows clients to:
- Offer customers a more convenient online experience,
- Reduce data entry and re-entry, increasing the institution’s throughput or responsiveness to customers,
- Simplify loan document preparation using a single point of data entry,
- Grow loan volume and revenue through digital channels and a more efficient lending team,
- Centralize customer and prospect information to expedite cross sales and new account origination.

Solution Name: Credit Risk Solution
Related Control Objectives: CO-1 to CO-12
Solution Description: Financial institutions rely on the Sageworks Credit Risk Solution from Abrigo to make smarter credit decisions and identify and act on credit risk in the institution. The software gives analysts robust analytics, despite easy data entry, to ensure loans fit within the institution’s risk appetite and follow the institution’s credit policy through origination and administration. Thanks to the life-of-loan platform from Abrigo, the institution enters data only once and can access it throughout each stage of the loan, from underwriting and information gathering to documentation and decisioning to eventual administration and borrower correspondence. Abrigo’s solution allows clients to:
- Make smarter credit decisions that leverage global cash flow analysis, ratio analysis, and risk ratings,
- Optimize pricing scenarios to offer the customer the best terms possible that meet the institution’s requirements,
- Consolidate information from the life of the loan for credit memorandums, passing on to Home Mortgage Disclosure Act (HMDA) solutions, loan documentations, and portfolio management,
- Use custom metrics and templates to fit decisioning to the institution’s credit policy and procedures,
- Automate borrower correspondence to cut down on document exceptions, portfolio risk, and busy-work for staff.

Solution Name: Portfolio Risk Solutions
- MST Loan Loss Analyzer (LLA)
- Sageworks ALLL
Related Control Objectives:
- MST LLA: CO-1 to CO-8, CO-10 to CO-21
- Sageworks ALLL: CO-1 to CO-27
Solution Description: Portfolio risk management requires a concerted and coordinated risk management framework, made possible by the Sageworks Portfolio Risk Solution from Abrigo as well as MST Loan Loss Analyzer (LLA). These solutions include technology spanning portfolio reporting and management, stress testing, allowance for loan and lease losses (ALLL) and Current Expected Credit Loss (CECL) modeling, profitability benchmarking, risk modeling, and peer-institution analysis. Abrigo’s business intelligence functionality brings together disparate portfolio risk data for simpler reporting and robust analytics outputs, including automatically generated reports, interactive dashboards, and more. Abrigo’s solutions allow clients to:
- Report on portfolio health in a single place, including views of disclosures and back-testing results,
- Navigate ALLL compliance now and under the Current Expected Credit Loss Standard, CECL, Accounting Standards Update, Topic 326,
- Reduce risks associated with manual data entry or spreadsheets for siloed operations,
- Increase defensibility of risk management processes through documentation for examiners, auditors, and others.

Locations & Infrastructure

Abrigo maintains key operations and datacenters for Customer Applications as described in this section.

Function: Primary Datacenter
Description: The primary datacenter used for production and User Acceptance Testing (UAT) environments of Abrigo-hosted Customer Applications is a Flexential location in Morrisville, North Carolina.

Function: Secondary Datacenter
Description: Disaster recovery operations for Abrigo-hosted Customer Applications as well as development environments are located at a Flexential location in West Chester, Ohio.

Function: Operations Support
Description: Customer support operations for the Anti-money Laundering Detection Solution and Fraud Detection Solution are performed from Abrigo offices in Austin, Texas. Customer support operations for the Lending Solution, Credit Risk Solution, and Portfolio Risk Solutions are performed from Abrigo offices in Raleigh, North Carolina.

To allow for capacity expansion and network resiliency, Abrigo leverages co-location services between primary and secondary datacenter locations in conjunction with multiple network providers. Hardware components, including servers, storage, and network devices, that reside in co-located datacenter locations are owned and operated by Abrigo, and are managed by Abrigo personnel.

Abrigo hardware components are located within locked cages within the secured datacenter facilities and are physically and logically segregated from other datacenter tenants. Co-location datacenter provider personnel do not have logical access to Abrigo systems.

Subservice Organizations

Function: Flexential
Description: Abrigo uses Flexential, a subservice organization, to provide co-located datacenter services for IT infrastructure, including both physical and environmental controls. Other managed services offerings from Flexential are not obtained by Abrigo from Flexential.

Platforms & Systems

The following table details operationally relevant platforms and systems that support Customer Applications.

Function: Platforms
Product Name: Microsoft Windows Server 2016
Product Description: Operating Systems

Product Name: Microsoft SQL Server 2019 Enterprise
Product Description: Databases

Microsoft In
