WIXLIB

Network securityPort scanningThe AWS network provides significant protectionagainst traditional network security issues, andPanopto’s Cloud Operations Team has implementedadditional measures for further protection.The following are a few examples:Unauthorized port scans by Amazon EC2 customersare a violation of the AWS Acceptable Use Policy.Violations of the AWS Acceptable Use Policy aretaken seriously, and every reported violationis investigated.Distributed Denial of Service(DDoS) attacksEncryptionAWS Application Programming Interface (API)endpoints are hosted on large, Internet-scale,world-class infrastructure that benefits from thesame engineering expertise that has built Amazoninto the world’s largest online retailer. ProprietaryDDoS mitigation techniques are used. Additionally,AWS’s networks are multi-homed across a numberof providers to achieve Internet access diversity.Man In the Middle (MITM) attacksAll of the AWS APIs are available via SSL-protectedendpoints which provide server authentication.Amazon EC2 AMIs automatically generate new SSHhost certificates on first boot and logs them to theinstance’s console.All user data being uploaded to Panopto orviewed by end-users is protected in transit toand from the Panopto system through the use ofTLS v1.2 encryption. For the protection of data atrest, Panopto utilizes Server-Side Encryption withAmazon S3-Managed Keys (SSE-S3). Each object inPanopto’s S3 bucket is encrypted with a unique keyemploying strong multi-factor encryption.As an additional safeguard, it encrypts the key itselfwith a master key that it regularly rotates. AmazonS3 server-side encryption uses one of the strongestblock ciphers available, 256-bit Advanced EncryptionStandard (AES-256), to encrypt data.For more information about SSE-S3: rv-sideencryption.htmlIP spoofingAmazon EC2 instances cannot send spoofednetwork traffic. The AWS-controlled, host-basedfirewall infrastructure will not permit an instance tosend traffic with a source IP or MAC address otherthan its own.11 of 17 Technical infrastructure and securitypanopto.com

Environmental safeguardsPhysical accessAWS data centers are state of the art, utilizinginnovative architectural and engineeringapproaches. AWS has many years of experience indesigning, constructing, and operating large-scaledata centers. This experience has been appliedto the AWS platform and infrastructure. AWS datacenters are housed in nondescript facilities. Physicalaccess is strictly controlled both at the perimeterand at building ingress points by professionalsecurity staff utilizing video surveillance, intrusiondetection systems, and other electronic means.Authorized staff must pass two-factor authenticationa minimum of two times to access data center floors.All visitors and contractors are required to presentidentification and are signed in and continuallyescorted by authorized staff. AWS only provides datacenter access and information to employees andcontractors who have a legitimate business needfor such privileges. When an employee no longerhas a business need for these privileges, his or heraccess is immediately revoked, even if they continueto be an employee of Amazon or Amazon WebServices. All physical access to data centers by AWSemployees is logged and audited routinely.12 of 17 Technical infrastructure and securityFire detection and suppressionAutomatic fire detection and suppressionequipment has been installed to reduce risk.The fire detection system utilizes smoke detectionsensors in all data center environments, mechanicaland electrical infrastructure spaces, chiller roomsand generator equipment rooms. These areas areprotected by either wet-pipe, double-interlockedpre-action or gaseous sprinkler systems.panopto.com

PowerManagementThe data center electrical power systems aredesigned to be fully redundant and maintainablewithout impact to operations, 24 hours a day, andseven days a week. Uninterruptible Power Supply(UPS) units provide back-up power in the event of anelectrical failure for critical and essential loads in thefacility. Data centers use generators to provideback-up power for the entire facility.AWS monitors electrical, mechanical and life supportsystems and equipment so that any issues areimmediately identified. Preventative maintenanceis performed to maintain the continued operabilityof equipment.Climate and temperatureClimate control is required to maintain a constantoperating temperature for servers and otherhardware, which prevents overheating and reducesthe possibility of service outages. Data centers areconditioned to maintain atmospheric conditionsat optimal levels. Personnel and systems monitorand control temperature and humidity atappropriate levels.13 of 17 Technical infrastructure and securityStorage device decommissioningWhen a storage device has reached the endof its useful life, AWS procedures include adecommissioning process that is designedto prevent customer data from being exposedto unauthorized individuals. AWS usestechniques detailed NIST 800-88 (“Guidelinesfor Media Sanitization as part of thedecommissioning process“).panopto.com

ComponentsThe Panopto components listed in this documentalso have multiple levels of security. You can viewa whitepaper for each component at the linkslisted below.Panopto componentsMicrosoft Windows Server /windows-serverMicrosoft SQL Server 2019 SP1 server-2019HTTP Live Streaminghttps://developer.apple.com/streaming IIS security-between-iis-60-and-iis-7-and-above .Net 4.6.2 details.aspx?id 5334414 of 17 Technical infrastructure and securitypanopto.com

Panopto application securityAPI and integrationsOur API is publicly available and can be configuredfor use with other platforms. Panopto currentlyprovides integrations for various platforms.AuditingPanopto software tracks a variety of data such aswhich user creates or deletes a session.Client-side and Server-side validationThe user authenticates on the Panopto clientapplication. The client encrypts the passwordand sends it to the server. The server checks thepassword with the hashed password.Encryption of user informationPanopto uses SSL in the web interface to encrypt allsensitive user information. The Panopto server usespassword hash checking. Passwords are not storedas plaintext.Inbound data validationThe Panopto software checks and tests for valid dataas well as protects against SQL injection and othermalicious inputs. Validation of all data is handled onthe client-side where possible, but the server neverresponds with sensitive validation data.Passwords and authenticationPanopto secures the video repository perimeterwith support for multiple credential types, includingOAuth, SAML 2.0, Active Directory, and a number ofLMS ID providers.15 of 17 Technical infrastructure and securityPanopto’s single-sign on (SSO) implementationsupports rolling two-way synchronization ofcredentials, ensuring that user information is alwaysup to date.Additionally administrators have the ability to enforcestrong passwords, set password expiration, requiretwo-factor authentication via SSO and definesession timeout.Role based accessRoles are specifically assigned to each user account(Administrator, Videographer, Creator, and Viewer).Software developmentThe Panopto development team has a formal SDLCthat is followed for each release. Because Panopto isa private company, we are not able to disclose thedetails of our development lifecycle.Session time outThe web interface has a configurable session timeout in place. The time out is based on the expirationof the cookie. The cookie is valid for 2 weeks afterfirst log in.User access controlPanopto allows for content to have two accesslevels; “Public” and “Unlisted”. Public content can beaccessed by anyone that has the URL or the ability tobrowse to the session. Unlisted content requires theuser to specifically be given access to the content.All unlisted content requires the user to be logged into view the content.panopto.com

Availability andmaintenancePanopto SLAFor purchasers of our hosted solution, Panoptowill continue, for the Term of the Agreement, tooffer hosting services to the Licensee. Panoptowill use reasonable efforts to make the hostingservices available 7 days a week, 24 hours a day.Panopto shall make the hosting services available,as measured in accordance with the formula belowover the course of any one-month period, anaverage of 99.9% of the time. “Available” means thatthe end user or intersystem action requests receivea response within thirty (30) seconds. “Unavailable”means that the hosting services are not available.“Hosting Availability” is expressed generally as apercentage of the requested hours during which thehosting services are available for use by Licensee.Amazon SLAPlanned Uptime is the total number ofhours (TH) in each calendar month. HostingAvailability is calculated as follows and ismeasured on a calendar month basisHA 100 x (1 - (DH – SDH)THHAHosting AvailabilityDHTotal of all downtimes measuredin hoursSDHTotal of all agreed and scheduleddowntimes, not to exceed three (3) hoursin any month, measured in hoursTHTotal hours in each calendar monthAmazon Web Services will use commerciallyreasonable efforts to make Amazon EC2 availablewith an Annual Uptime Percentage (definedin Appendix A) of at least 99.95% during theServiceYear.16 of 17 Technical infrastructure and securitypanopto.com

Upgrades and maintenanceThe Panopto Cloud servers are upgraded to thelatest version of the Panopto software when it isreleased. Typically there are two major upgradesper year. All expected downtime will be plannedfor non-core hours, on a weekend, varying by cloudlocation. Typical downtime windows start after6pm local time and end before 8am local time, forprimary locations served by the cloud.During the time your site is offline, you will notbe able to access recordings on your server, andany attempts to upload from clients will result ina “Server unable to connect” message. Scheduledrecordings will capture offline and upload after thesite is back online.Recorder clients are able to select the record offlineoption and upload after the site is back online.The duration of the downtime window can varyfrom release to release, but it typically ranges fromtwo to four hours.Customers are notified via email three weeks inadvance of any planned downtime. Reminders willbe sent via alert messages and will also beposted to trust.panopto.com.Staging sites will be available prior to anymajor release.Support will be available on live chat duringupgrades and will be monitoring the ticket queuefor widespread problems related to the upgrade(Authorized Point of Contacts only).Support will not monitor live chat during plannedmaintenance or hotfixes.17 of 17 Technical infrastructure and securitypanopto.com

Appendix ADefinitionsAnnual uptime percentage is calculated bysubtracting from 100% the percentage of 5 minuteperiods during the Service Year in which AmazonEC2 was in the state of region unavailable.AWS means Amazon Web Services.Cloud solution means the licensed products,subject to the purchase of usage bundles describedbelow, that are made available to the licensee bymeans of the internet or other electronic means,which are installed and maintained by Panoptoon Panopto controlled servers and that Panoptoprovides access to and support for the licensedproducts for authorized uses as further describedin the Panopto Software License and ServicesAgreement. Access shall be accomplished througha password protected site. Panopto shall create andmaintain, on its server, a management page foreach licensee, which page shall show then-currentusage statistics for such licensee. Components ofthe hosted solution may be delivered to the hostedsolution for installation on the licensee’s equipmentfor use with the hosted solution.Panopto means Panopto,Inc.,a Delawarecorporation,including its successors and assigns.18 of 17 Technical infrastructure and securityPanopto recorder software/Panopto clientmeans all of the software owned by Panopto andlicensed to the licensee hereunder that is installedon computers located at the primary location forpurposes of enabling the production of content.Panopto software means the Panopto recordersoftware and the Panopto server software.Update means either (i) a modification or additionthat, when made or added to the licensed products,establishes material conformity of the licensedproducts to the functional specifications, or (ii)a procedure or routine that, when observed inthe regular operation of the licensed products,eliminates the practical adverse effect on thelicensee of such nonconformity. Updates aredesignated by a change in the number to the rightof the second decimal point (V.X.1).Upgrade means any modification or addition thatmaterially changes the software’s utility, efficiency,functional capability, or application but is notseparately priced and marketed by Panopto anddoes not constitute an Update. Panopto maydesignate upgrades as minor or major, dependingon Panopto’s assessment of their value and of thefunction added to the preexisting licensed products.Such determination shall be at the sole discretionof Panopto. Upgrades are designated by a changein the number to the right of the first decimal point(V.1.Y) language.panopto.com

3 of 17 Technical infrastructure and security panopto.com Introduction Panopto's online video platform can be deployed either as a cloud-hosted service or as an on-premises solution. With the cloud-hosted service, Panopto maintains server infrastructure and ensures its continuous, optimal delivery.