REVI-IT A/S, state authorised public accounting firm
Jens Kofods Gade 1, DK-1268 Copenhagen K, Phone 3311 8100, info@revi-it.dk, revi-it.dk, CVR-no. 3098 8531

Independent service auditor’s assurance report on the description of controls, their design and operating effectiveness regarding the operation of hosted services for the period 01-12-2015 to 30-11-2016

ISAE 3402-II

any.cloud A/S
CVR-no.: 31 16 15 09

December 2016

This report was originally prepared in Danish. In case of any disputes, the report in Danish is applicable.

Table of contents

Section 1: any.cloud A/S’ statement

Section 2: any.cloud A/S’ description of controls in relation to the operation of their hosting services

Section 3: Independent service auditor’s assurance report on the description of controls, their design and functionality

Section 4: Control objectives, controls, tests, and related test controls

Section 1: any.cloud A/S’ statement

This description has been prepared for customers who have made use of any.cloud A/S’ hosting services, and for their auditors who have a sufficient understanding to consider the description along with other information, including information about controls operated by customers themselves, when assessing the risks of material misstatements of customers’ financial statements. any.cloud A/S confirms that:

(a) The accompanying description in Section 2 fairly presents any.cloud A/S’ hosting services related to customer transactions processed throughout the period 01-12-2015 to 30-11-2016. The criteria for this statement were that the included description:

(i) Presents how the system was designed and implemented, including:
• The type of services provided, when relevant
• The procedures, within both information technology and manual systems, by which transactions are initiated, recorded, processed, corrected as necessary, and transferred to the reports presented to the customers
• Relevant control objectives and controls designed to achieve these objectives
• Controls that we assumed, in the design of the system, would be implemented by user entities, and which, if necessary to achieve control objectives stated in the accompanying description, are identified in the description along with the specific control objectives that cannot be achieved by ourselves alone
• Other aspects of our control environment, risk assessment process, information system and communication, control activities and monitoring controls that were considered relevant to processing and reporting customer transactions.

(ii) Provides relevant details of changes in the service organisation’s system throughout the period 01-12-2015 to 30-11-2016

(iii) Does not omit or distort information relevant to the scope of the described system, while acknowledging that the description is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the system that each individual customer may consider important to their particular environment.

(b) The controls related to the control objectives stated in the accompanying description were suitably designed and operated effectively throughout the period 01-12-2015 to 30-11-2016. The criteria used in making this statement were that:

(i) The risks that threatened achievement of the control objectives stated in the description were identified

(ii) The identified controls would, if operated as described, provide reasonable assurance that those risks did not prevent the stated control objectives from being achieved

(iii) The controls were consistently applied as designed, including that manual controls were applied by persons who have the appropriate competence and authority, throughout the period 01-12-2015 to 30-11-2016.

Copenhagen, 19 December 2016

Section 2: any.cloud A/S’ description of controls in relation to the operation of their hosting services

Introduction

The purpose of this description is to inform any.cloud A/S’ customers and their auditors about the requirements listed in the international standard on assurance engagements regarding assurance reports on controls at a service organisation, ISAE 3402.

Moreover, the purpose of this description is to provide information about the controls used for cloud services with us during the above period.

The description includes the control areas and controls with any.cloud, which include the majority of our customers and are based on our standard delivery. Individual customer matters are not included in this description.

any.cloud A/S

any.cloud provides professional ISO-certified hosting and consultancy services to the Danish business community.

any.cloud’s most significant activity is supplying services, including:

• PaaS - VPS (Virtual Private Server)
• DRaaS - virtual backup with DRS (Disaster Recovery Solution)
• Network security
• MPLS and fibre infrastructure
• DDoS and hacking security products
• Consultancy, support and operations

We supply the highest quality of infrastructure through the best suppliers such as IBM and VMware and present this to our customers by means of simple and innovative solutions.

We make a great effort to render complicated services simple for our customers. We take over all the machines and systems usually whirring in a server room in order for the customer to focus on their business. We operate IT for companies and their employees and ensure that they always can work – securely, efficiently, and at a very favourable price.

any.cloud has an ISAE 3402 Type II assurance report and works under the ISO 27002 standard. This ensures that we constantly maintain the quality needed to belong to the absolute elite within hosted IT solutions.

any.cloud is hosted at InterXion Denmark in Ballerup and GlobalConnect in Taastrup; both are European suppliers of cloud and operator neutral data centres with more than 48 data centres in 11 countries. We provide all relevant security measures such as Inergen, cooling, redundant power sources, fibre lines, and fully equipped monitoring systems. Additionally, any.cloud has hosting services in the IBM-owned company Softlayer, who has 31 data centres, whereby any.cloud can supply their solutions worldwide.

Any.cloud is, i.a. due to our recertifications of the hosting certificate from BFIH, part of Denmark’s best hosting companies. As a continually certified member and with the attainment of the hosting brand any.cloud is obliged to provide in consideration of strict control measures, high security requirements, and transparency in relation to the contents of quality and security in IT hosting services.

We are a strong, composed team with departments in Denmark, Poland and The Czech Republic.

any.cloud – RESHAPE THE FUTURE

Organisation and responsibilities

any.cloud has a clear and transparent corporate structure.

any.cloud A/S has 15 employees, covering the departments Administration, Finance, and Operations-Support. An additional 16 persons are employed in the sister company any.mac A/S providing all on-site support and operations for any.cloud’s customers.

Thus, any.cloud’s employees solely work on the hosting infrastructure.

Support receives all incoming inquiries and either solves the customer’s issues or forwards the task to Operations for processing.

Operations thus functions both as second line support for hotline and additionally handles the practical implementation of new customers; monitors existing operations solutions and any other tasks in connection with the day-to-day management of our hosting environment.

Risk assessment and management

Risk assessment

IT risk analysis

We have procedures in place for on-going risk assessment of our business, especially our cloud services. This enables us to ensure that the risks associated with the services we provide are minimised to an acceptable level.

Risk assessment is performed periodically and when we introduce changes or implement new systems which we deem relevant in relation to re-performing our general risk assessment.

The company’s CTO is responsible for the risk assessments and they must subsequently be embedded in and approved by management.

Management of security risks

Procedure for risk management

We have introduced a scoring system with regard to the risks related to the provision of cloud services. We use the calculation formula risk * effect with a score from 1 to 10. The acceptable level is up to 30 points. It is continuously assessed whether we can reduce risks and take measures to improve our score.

Security policies

IT security policies

Policies for information security

We have defined our quality control system based on our overall objective to deliver stable and secure hosting to our customers. In order to do that, we have introduced policies and procedures ensuring that our deliveries are uniform and transparent.

Our IT security policy is prepared with reference to the above and applies to all employees and all our deliveries.

Our methods for implementation of controls are defined according to ISO 27002 (framework for management of information security) and are overall divided into the following control areas:

• Organisation and responsibilities
• Human resource security
• Logic access control
• Risk assessment and management
• Physical and environmental security
• Use of IT equipment
• Procedures for operations
• The network
• Support
• Protection against malware
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management.

We continuously improve our policies, procedures and operations.

We are a member of BFIH (Brancheforeningen for IT-Hostingvirksomheder i Danmark – Trade association for IT hosting companies in Denmark) and in connection with our membership we are subject to an annual audit to verify that we comply with the set of rules established by BFIH, focusing on how we provide our services, perform restore, manage security back-up, etc.

Assessment of the IT security policies

We continuously update our IT security policies, as a minimum once a year.

Organisation of information security

Internal organisation

Delegation of responsibilities for information security

We have a clearly divided organisation in regard to responsibilities; and we have thorough descriptions of responsibilities and roles at all levels, from management to each operations employee.

We have established confidentiality in general for all parties involved in our business. This is done via employment contracts.

Segregation of duties

Through continuous documentation and processes we ensure that we are able to eliminate or minimise key staff dependency. Tasks are allocated and established via procedures for management of operations.

Contact with specific interest groups

We have established contact to a hotline at DK-CERT with whom we have entered a mutual agreement on notification in case of material security related matters regarding Internet traffic.

Information security in project management

If we find that a project fails to comply with our information security procedures, the project will be adapted in a way that it subsequently matches our standard within information security. If we find that the project is not feasible or amendable without being in conflict with our security policies, then the project will be abandoned.

Mobile devices and teleworking

Mobile devices and communication

We allow our employees to work from home due to, amongst others, operations duties and our policy is that devices (portable, etc.) may only be used for work-related purposes and must not be left unattended, etc. Portable devices are protected with logon and encryption.

We have enabled that we and our customers can use mobile devices (smartphones, tablets, etc.) for synchronising mails and calendars. We have not implemented security measures other than password protection to secure such devices and user access.

Our customers have the same options and it is up to them to implement security policies for their users.

Remote work

Access to our network and thereby potentially systems and data is only possible for authorised individuals. Our employees have access via remote workplaces using Remote Desktop and IP restriction.

Human resource security

Prior to employment

Screening

We have procedures in place governing recruitment of employees and collaboration with externals ensuring that we recruit the right candidate based on background and skills. We have descriptions of roles and responsibilities for employees and groups of employees in order to ensure that all employees are aware of their responsibilities. When joining the company, all employees are reviewed and a registration form is followed.

Terms and conditions of employment

General terms of employment, including confidentiality regarding internal and customer matters, are described in each employee’s employment contract where terms of all areas of the employment, including termination and sanctions in case of potential security breaches, are laid down.

During employment

Management responsibilities

In connection with employment, the new employee signs a contract. The contract states that the employee must observe the current policies and procedures. Moreover, it clearly defines, as part of the contract material, the employee’s responsibilities and role.

Information security awareness, education and training

Our assets are to a large extent our employees and we follow a structured set of methods in relation to our employees’ qualifications, education and certifications. Courses, seminars and other relevant activities are organised on a current basis, as a minimum once a year, to ensure that relevant employees and any external collaborating partners are kept up to date with security and are made aware of new threats, if any. Employees, and external partners where relevant to include them in our security guidelines, are periodically informed about our security guidelines and when amendments are made to them.

Disciplinary process

General terms of employment, including confidentiality regarding internal and customer matters, are described in each employee’s employment contract where terms of all areas of the employment, including termination and sanctions in case of potential security breaches, are listed.

Termination or change of employment responsibilities

In the event of termination of employment, we have implemented a thorough procedure which must be observed to ensure that the employees return all relevant assets, including portable media, etc. and to ensure that all employees’ access to buildings, systems and data is revoked. The overall responsibility for all controls related to the termination process lies with the company’s CTO.

Asset management

Responsibility for assets

Inventory of assets

Software, servers and network devices, including configuration, are registered for use for documentation, overview of devices, etc. We have a complex network including many systems and customers and to protect against unauthorised access and to ensure a transparent structure, we have prepared documentation describing the internal network with units, names of units, logic composition of networks, etc.

The documents, network topologies and similar are continuously updated in the event of changes and are reviewed at least once a year by our network specialists.

Ownership of assets

By means of division of responsibilities central network units, servers, peripherals, systems and data are dedicated to system administrators in our company. Customer data and systems are dedicated to the customer’s contact person.

Acceptable use of assets

This is described in the staff manual.

Return of assets

In the event of termination of employment, we have a comprehensive procedure in place which must be observed to ensure that the employees return all relevant assets, including portable media, etc., and to ensure that all employees’ access to buildings, systems and data is revoked. The overall responsibility for all controls related to the termination process lies with the company’s CTO.

Media handling

Management of removable media

We ensure to the widest extent possible that our staff’s portable media, e.g. laptops, mobile phones and similar, is securely configured to the same extent as the rest of our environment; and we also ensure that the data carrying media are updated when we introduce new security measures.

Access control

Business requirements of access control

Access control policy

We have a policy regarding allocation of access. This policy is an integral part of our IT security policies.

User access management

User account creation and termination procedures

Our customers’ users are only created upon request from our customers. Our customers are thereby responsible for the creation and termination of user accounts.

All users must be personally identifiable, i.e. have a clear identification with a personal name. In case of service users, i.e. accounts only used for system purposes, the option regarding actual logon will be disabled.

Allocation of rights

Allocation of privileges is controlled in connection with our normal user management process.

Management of secret authentication information of users

All personal logons are only known to the individual employee and are subject to password policies in order to ensure complexity.

Review of user access rights

For our own users, the company's CTO will periodically, once a year as a minimum, review the company’s in-house systems for creation of users and their access level to prevent unauthorised access.

User responsibilities

Use of secret authentication information

According to our IT security policies our employees’ passwords are personal and only the user must know the password. Every year the employees sign a document stating that they have read and understood the latest version of our IT security policy. As we have users, such as service accounts and similar, that cannot be used for logon and for system-related reasons do not change passwords, we have a system for storage of such passwords. Only authorised staff has access to the system.

System and application access control

Information access restriction

Our employees are set up with differentiated access privileges and therefore only have access to the systems and data that are relevant for their work effort.

Password management system

All employees across both customer systems and proprietary systems have restrictions as regards passwords. All users have a password and systemically it is set up so that there are restrictions in relation to the design of the password. Passwords must be changed regularly and they must be complex.

Our IT security policy describes rules for complexity; our employees’ passwords are personal, and only the user must know the password.

Physical and environmental security

Equipment maintenance

The data centre's cooling and fire prevention systems are checked regularly and the back-up power system (UPS) is checked every six months. Systems are installed in the data centre monitoring temperatures and voltages in the server room.

Security of equipment and assets off-premises

We conduct back-up procedures during the night to protect our customers’ data and systems if our hosting systems for some reason become unavailable.

We have entered into an agreement with the concerned supplier on housing of our proprietary servers and similar measures are implemented to prevent theft, fire, water and temperature deviations.

We annually receive an auditor’s opinion covering the physical security at our subcontractor.

The most recent auditor’s opinions cover the periods 1/1 2015 through 31/12 2015, and 15/6 2015 through 14/6 2016. The opinions are issued without qualifications.

Secure disposal or re-use of equipment

All data-carrying devices are destroyed before disposal to ensure that no data is accessible.

Unattended user equipment

All internal user accounts are centrally managed to enter screen lock mode after a maximum of 2 minutes of inactivity. Thereby we ensure that unauthorised staff cannot access confidential data.

Operations security

Operational procedures and responsibilities

Documented operational procedures

Although our organisation does not necessarily allow overlap within all projects and systems, we ensure via documentation and descriptions - and via competent and diligent employees - that existing or new employees can commence working on a system for which the said person does not have operational or previous experience. We operate with dual roles on all systems in order to ensure that the key responsible employee is responsible for communicating practical issues to their colleagues. The system documentation is updated continuously.

Change management

We have defined a process for change management in order to ensure that changes are made as agreed with customers and are properly planned according to the in-house conditions. Changes are only made on the basis of a qualification of the project, the complexity and assessment of effects on other systems. Moreover, a process is followed regarding development and testing.

Regardless of the change in question, we always ensure as a minimum that:

• All changes are discussed, prioritised and approved by management
• All changes are tested
• All changes are approved before deployment
• All changes are deployed at a specific time as agreed with the company and the customers
• Fall-back planning is performed, ensuring that the changes can be rolled back or cancelled in case they fail to be operational
• The system documentation is updated according to the new change in case it is found necessary.

Our environment is logically segregated and divided into testing and production whereby we ensure that a product is tested before it is brought into production. By means of access controls we ensure that only authorised personnel will have access hereto.

Capacity management

Via our general monitoring system, we have set limits for when our overall systems, and thereby our customers’ systems, must be upscaled with regard to electronic space, response time, etc. When we set up new systems, functionality testing needs to be performed, including capacity and performance testing. A regular procedure is prepared for reporting capacity issues.

Protection from malware

Controls against malware

We have implemented scanning and monitoring systems to protect against known harmful code, i.e. what we and our customers - via our platforms - may risk to be infected with on the Internet via mails etc. We have antivirus systems, systems for monitoring Internet usage, traffic and resources on SaaS platforms, security by means of other technical and central installations (firewall etc.) in place.

Backup

Information backup

We ensure that we can restore systems and data appropriately and correctly in compliance with the agreements we have with our customers.

We have a test for how systems and data can be restored in practice. We keep a log of these tests, enabling us to follow up on whether we can change our procedures and processes to improve our solution.

Unless otherwise agreed with our customers, we perform backup of their entire virtual environment with us. We perform backups of our proprietary systems and data like the ones we perform of customers’ systems and data.

We have defined guidelines as to how we perform backups. Every night a complete copy of our central system is carried forward to our backup systems. Thereby the data is physically separated from our operational systems, and after completion an automatic verification is performed to see if the amount and content of data between our operational system and backup system match.

A responsible employee will then ensure that the backup is completed and will take the necessary action if the job has failed, and afterwards enter it in the log.

Logging and monitoring

Event logging

We have set up monitoring and logging of network traffic and Operations follows this. We do not perform proactive monitoring of logged incidents, but we follow up if we suspect that an incident can be related to issues addressed in the log. For management of monitoring and follow-up on incidents we have implemented formal incident and problem management procedures to safeguard that incidents are registered, prioritised, managed, escalated and that necessary actions are taken. The process is documented in our hotline system.

Protection of log information

Logs are uploaded to our log server.

Administrator and operator log

Administrator logs are performed simultaneously with the normal log.

Clock synchronisation

We use NTP servers from the Internet, which all servers are synchronised up against.

Installation of software on operational systems

We ensure that only approved and tested updates are installed. In accordance with our membership of BFIH we ensure that critical patches that have an effect on security are installed no later than 2 months after they are released. In the event of major changes, this will be discussed at internal meetings in Operations.

Moreover, our staff is aware of the policy regarding software downloads.

Management of technical vulnerabilities

Security announcements from DK-CERT are monitored and analysed and if they are found relevant, they are installed on our internal systems within 1 month from release. Additionally, we continuously perform a risk assessment of our in-house solutions.

Communications security

Network controls

The IT security procedures regarding the external framework for systems and data are the network against the Internet, remote or similar. Protection of data and systems within the network and external protection against unauthorised access is of the highest priority to us.

Security of network services

Our customers have access to our systems either via the public networks, where access is allowed via encrypted VPN access, IP-whitelisting or MPLS/VPLS. Access and communication between our servers and our co-location takes place within a closed network.

Only approved network traffic (inbound) is allowed through our firewall.

We are responsible for operations and security with us, i.e. from our systems onwards and out to the Internet (or MPLS/VPLS). Our customers are responsible for being able to access the Internet.

Segregation in networks

Our network is divided into various segments whereby we ensure that our internal network is segregated from the customers’ networks. Moreover, the services with sensitive data are placed in special, secured environments.

Information transfer policies and procedures

External data communication only takes place via mails as our customers’ access to and use of our servers are not considered external data communication.

Initial passwords to customer systems are sent via mail, but they must be changed at first logon. Forgotten passwords, personal details, orders, etc. are never handled via phone, but only in writing and not until our staff has verified that it is a real and authorised person that we are communicating with.

Confidentiality or non-disclosure agreements

We have established confidentiality in general for all parties involved in our business. This is done by means of employment contracts or service agreements with subcontractors and business partners.

System acquisition, development and maintenance

Security requirements of information systems

Information security requirements analysis and specification

If a new system is introduced, analyses and research will be carried out in order to ensure that it complies with best practice for hardening.

Change management procedures

We have defined a process for change management in order to ensure that changes are made as agreed with customers and are properly planned according to the in-house conditions. Changes are only made on the basis of a qualification of the project, the complexity and assessment of effects on other systems. Moreover, a process is followed regarding development and testing, as well as acceptance by us and the customer.

Regardless of the change in question, we always ensure as a minimum that:

• All changes are discussed, prioritised and approved by management
• All changes are tested
• All changes are approved before deployment
• All changes are deployed at a specific time as agreed with the business and any customers
• Fall-back planning is performed, ensuring that the changes can be rolled back or cancelled in case they fail to be operational
• The system documentation is updated according to the new change in case it is found necessary.

Our environment is logically segregated and divided into testing and production, whereby we ensure that a product is tested before it is brought into production. By means of access controls we ensure that only authorised personnel has access hereto.

Restriction on changes to software packages

Service packs and system specific updates that may cause functionality changes are reviewed and installed separately. Security updates are rolled out on all systems insofar it is possible.

Supplier relationships

Management of third party services

Managing changes to supplier services

When changes occur internally in the organisation, including policies and procedures, and amendments are made to our services or services from our external partners, a risk assessment will always be performed to explore whether the changes will have an impact on our agreement with the customers.

Monitoring of third-party services

Via monitoring set up by a third party we ensure that all services delivered by third parties are in compliance with the requirements and terms we have agreed with third parties. We visit such third parties regularly, whereby we ensure that the agreed terms are continually fulfilled.

Information security incident management

Management of information security breaches and improvements

Responsibilities and procedures

Our employees are under obligation to keep themselves updated by means of providers’ support sites, discussion forums etc. for known weaknesses in the systems we use and provide.

There are formally appointed ASPs and the requirements they are subject to are clearly and formally defined. The ASP is responsible for preparing and maintaining procedures that ensure timely and correct intervention in connection with security breaches.

Reporting information security incidents

Our hotline system that we use to handle all issues for customers and internal matters is the same system that we use to handle security incidents. Here we can escalate issues so that some incidents have higher priority than others. Moreover, security incidents identified from own observations, alarms from log and monitoring systems, telephone calls from customers, subcontractors or partners, respectively, are escalated from our hotline to Operations, alerting management as well.

We have established contact to a hotline at DK-CERT with whom we have entered into a mutual agreement on notification in case of significant security related matters regarding Internet traffic.

Reporting information security weaknesses

Our employees and external partners are, via the entered contracts and agreements, under an obligation to report any security incident to their immediate superior in order that action can be taken to address the issue as soon as possible and necessary measures can be taken in accordance with the procedures established.

Business continuity management

Information security aspects of business continuity management

Information security continuity

In the event of an emergency, any.cloud has prepared a business continuity plan. The business continuity plan is embedded in the IT risk analysis and is updated at least once a year in continuation of the conduction of the analysis.

The plan and the procedures are embedded in our operations documentation and procedures.

Via our membership of BFIH (Brancheforeningen for IT-hostingvirksomheder i Danmark – Trade association for IT hosting companies in Denmark) we are under an obligation to be able to re-establish any unit in our data centre within three days. We ensure that this is done by considering the risks, classifying the units in our operations, and having procedures in place that ensure that in relation to our business continuity planning we can replace our operations platform in order to ensure that the services supplied will be re-established in a timely manner.

Testing, maintenance and reassessment of business continuity plans

The plan is tested once or twice annually as part of our business continuity procedure in order for us to ensure that the customers will only experience limited interruption of services in connection with any emergencies.

Compliance

Review of information security

Independent review of information security

A review is performed by an external IT auditor and in connection with the preparation of the annual ISAE 3402 reports.

Compliance with security policies and standards

Our employees read the IT security policies once a year as a minimum and sign that they understand and comply with it. We have on-going controls, conducted by our management team, to ensure that our employees comply with the security measures that are specified in our IT security policies, in relation to the physical as well as the logical conditions.

Technical compliance review

We have established procedures that ensure that all systems are updated, and we have implemented extensive monitoring of all systems, including our customers’ services. Moreover, we have, with another ISO certified hosting provider, an external system monitoring the availability of all our services. Furthermore, we have controls ensuring compliance with monitoring and security.

Changes during the period

Throughout the period of 1/12 2015 to 30/11 2016 few significant changes have occurred. We have increased the competency of our technical staff in terms of new appointments, and moreover, we have:

• Improved our system for documenting tasks
• Implemented and documented new products
• Developed and improved internal systems.

Supplementary controls

any.cloud A/S’ customers are, unless otherwise agreed, responsible for establishing a connection to any.cloud A/S’ servers. Moreover, any.cloud’s customers are, unless otherwise agreed, responsible for:

• Ensuring that the agreed backup level covers the customer's needs
• Periodically reviewing the customer's own users
• Compliance with any.cloud A/S’ at any time applicable Service Level Agreement, which can be found on any.cloud A/S’ website
• Maintaining traceability in third-party software, managed by the customer.


Section 3: Independent service auditor’s assurance report on the description of controls, their design and functionality

To the management of any.cloud A/S, their customers and their auditors.

Scope

We have been engaged to report on any.cloud A/S’ description, presented in Section 2. The description, as confirmed by the management of any.cloud A/S in Section 1, covers any.cloud A/S’ operating and hosting services in the period 01-12-2015 to 30-11-2016, as well as the design and operation of the controls related to the control objectives stated in the description.

any.cloud A/S’ description (Section 2) contains a number of conditions, which the company must comply with according to the company’s membership of BFIH (Brancheforeningen for IT-Hostingvirksomheder I Danmark). Our audit has included these conditions and consists, other than of the physical matters, including server hardware, LAN, WAN, and firewalls, of:

• Whether any.cloud A/S implements critical security updates within 2 months of release
• Whether any.cloud A/S can restore units in data centres within 3 days
• Whether any.cloud A/S complies with BFIH’s requirements for a “modicum of good hosting”.

any.cloud A/S’ responsibility

any.cloud A/S is responsible for preparing the description (Section 2) and the related statement (Section 1) including the completeness, accuracy and method of presentation of the description and statement. Additionally, any.cloud A/S is responsible for providing the services covered by the description, for stating control objectives and for the design, implementation and effectiveness of operating controls for achieving the stated control objectives.

REVI-IT A/S’ independence and quality control

We have complied with the independence and other ethical requirements of the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants, which is founded on fundamental principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour.

The firm applies International Standard on Quality Control 1 and accordingly maintains a comprehensive system of quality control including documented policies and procedures regarding compliance with ethical requirements, professional standards and applicable legal and regulatory requirements.

REVI-IT A/S’ responsibility

Based on our procedures, our responsibility is to express an opinion on any.cloud A/S’ description (section 2) as well as on the design and functionality of the controls related to the control objectives stated in this description. We conducted our engagement in accordance with ISAE 3402, “Assurance Reports on Controls at a Service Organisation”, issued by IAASB. This standard requires that we plan and perform our procedures to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls are suitably designed and operating effectively.


An assurance engagement to report on the description, design and operating effectiveness of controls at a service organisation involves performing procedures to obtain evidence about the disclosures in the service organisation’s description of its system, and the design and operating effectiveness of controls. The procedures selected depend on the service auditor’s judgment, including the assessment of the risks that the description is not fairly presented, and that controls are not suitably designed or operating effectively. Our procedures included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the control objectives stated in the description were achieved. An assurance engagement of this type also includes evaluating the overall presentation of the description, the suitability of the objectives stated therein and the suitability of the criteria specified by the service organisation, described in section 2.

We believe that the evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Limitations of controls at a service organisation

any.cloud A/S’ description in section 2 is prepared to meet the common needs of a broad range of customers and their auditors and may not, therefore, include every aspect of the systems that each individual customer may consider important in its own particular environment. Also, because of their nature, controls at a service organisation may not prevent or detect all errors or omissions in processing or reporting transactions. Also, the projection of any evaluation of effectiveness to future periods is subject to the risk that controls at a service organisation may become inadequate or fail.

Opinion

Our opinion has been formed on the basis of the matters outlined in this report. The criteria we used in forming our opinion were those described in any.cloud A/S’ description in Section 2 and on the basis of this, it is our opinion that:

(a) the description of controls, as they were designed and implemented throughout the period 01-12-2015 to 30-11-2016, is fair in all material respects

(b) the controls related to the control objectives stated in the description were suitably designed throughout the period 01-12-2015 to 30-11-2016

(c) the controls for the special requirements, caused by the company’s membership of BFIH cf. the description in Section 2, were suitably designed throughout the period 01-12-2015 to 30-11-2016

(d) the controls tested, which were the controls necessary for providing reasonable assurance that the control objectives in the description were achieved in all material respects, have operated effectively throughout the period 01-12-2015 to 30-11-2016.

Description of tests of controls

The specific controls tested, and the nature, timing and results of these tests are listed in the subsequent main section (Section 4).


Intended users and purpose

This assurance report is intended only for customers who have used any.cloud A/S’ hosting services and the auditors of these customers, who have a sufficient understanding to consider the description along with other information, including information about controls operated by customers themselves. This information serves to obtain an understanding of the customers’ information systems, which are relevant for the financial statements.

Copenhagen, 19 December 2016

REVI-IT A/S
State authorised public accounting firm

Henrik Paaske, State Authorised Public Accountant
Martin Brogaard Nielsen, IT Auditor, CISA, CRISC, CEO


Section 4: Control objectives, controls, tests, and related test controls

The following overview is provided to facilitate an understanding of the effectiveness of the controls implemented by any.cloud A/S. Our testing of functionality comprised the controls that we considered necessary to provide reasonable assurance that the control objectives stated in the description were achieved throughout the period 01-12-2015 to 30-11-2016.

Thus, we have not necessarily tested all the controls mentioned by any.cloud A/S in their description in Section 2.

Moreover, our statement does not apply to any controls performed at any.cloud A/S’ customers, as the customers’ own auditors should perform this review and assessment.

We performed our tests of controls at any.cloud A/S by taking the following actions:

Method | General description
Enquiry | Interview, i.e. enquiry with selected personnel at the company regarding controls
Observation | Observing how controls are performed
Inspection | Review and evaluation of policies, procedures, and documentation concerning the performance of controls
Re-performing control procedures | We have re-performed – or have observed the re-performance of – controls in order to verify that the control is working as assumed

A description and the results of our tests based on the tested controls appear from the tables on the following pages. To the extent that we have identified significant weaknesses in the control environment or deviations therefrom, we have specified this.


Risk assessment and management

Risk assessment

Control objective: To ensure that the company periodically performs an analysis and assessment of the IT risk profile.

No. 4.1

any.cloud A/S’ control:

Risk assessment is performed periodically and when we introduce changes or implement new systems which we deem relevant in relation to reassessing our general risk assessment.

The company’s CTO is responsible for the risk assessments and they must subsequently be embedded in and approved by management.

It is continuously assessed whether we can reduce risks and take measures to improve our score.

REVI-IT’s test:

We have enquired about the preparation of a risk analysis, and we have inspected the prepared risk analysis.

We have enquired about review of the IT risk analysis during the period, and we have inspected documentation for the risk analysis being reviewed and approved by management during the audit period.

Test results:

No significant deviations noted.

Information security policies

Management direction for information security

Control objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

No. 5.1

any.cloud A/S’ control:

We have defined our quality control system based on our overall objective to deliver stable and secure hosting to our customers. In order to do that, we have introduced policies and procedures ensuring that our deliveries are uniform and transparent.

We continuously improve our policies, procedures and operations.

We continuously update our IT security policy, as a minimum once a year.

REVI-IT’s test:

We have enquired about the preparation of an information security policy, and we have inspected the policy.

We have enquired about periodic review of the information security policy, and we have checked that the policy has been reviewed during the audit period. Additionally, we have inspected control for periodic review of the document.

We have enquired about management approval of the information security policy, and we have inspected documentation for management approval.

Test results:

No significant deviations noted.


Organisation of information security

Internal organisation

Control objective: To establish a management framework to initiate and control the implementation and operation of information security within the organisation.

No. 6.1

any.cloud A/S’ control:

We have a clearly divided organisation in regard to responsibilities; and we have thorough descriptions of responsibilities and roles at all levels, from management to each operations employee.

Through continuous documentation and processes we ensure that we are able to eliminate or minimise key staff dependency. Tasks are allocated and established via procedures for management of operations.

We have established contact to a hotline at DK-CERT with whom we have entered a mutual agreement on notification in case of material security related matters regarding Internet traffic.

REVI-IT’s test:

We have enquired about allocation of responsibility for information security, and we have inspected documentation for the allocation and maintenance of descriptions of responsibilities.

We have enquired about access segregation in relation to function, and we have inspected documentation for differentiated access.

We have enquired about guidelines for contact with authorities.

We have enquired about contact with interest groups, and we have inspected documentation for contact with DK-CERT.

We have enquired about the consideration of information security in project management.

We have in spot checks inspected project processes and verified that information security is considered.

Test results:

No significant deviations noted.

Mobile devices and teleworking

Control objective: To ensure the security of teleworking and use of mobile devices.

No. 6.2

any.cloud A/S’ control:

We allow our employees to work from home due to, amongst others, operations duties and our policy is that devices (portable, etc.) may only be used for work-related purposes and must not be left unattended, etc. Portable devices are protected with logon and encryption.

Our employees have access via remote workplaces using Remote Desktop and IP restriction.

REVI-IT’s test:

We have enquired about mobile device management, and we have inspected the solution.

We have enquired about securing remote workplaces, and we have inspected the solution.

Test results:

No significant deviations noted.


Human resource security

Prior to employment

Control objective: To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

No. 7.1

any.cloud A/S’ control:

We have procedures in place governing recruitment of employees, ensuring that we recruit the right candidates based on background and skills.

When joining the company, all employees are reviewed and a registrations form is followed.

In connection with employment all new hires sign a contract. The contract details that the employee must comply with the at all times applicable policies and procedures.

REVI-IT’s test:

We have enquired about a procedure for hiring new employees, and we have inspected the procedure.

We have in spot checks inspected documentation showing that the procedure has been followed.

We have enquired about the formalisation of terms of employment, and we have in spot checks inspected the contents of contracts.

Test results:

No significant deviations noted.

During employment

Control objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.

No. 7.2

any.cloud A/S’ control:

We have a clearly divided organisation in regard to responsibilities; and we have thorough descriptions of responsibilities and roles at all levels, from management to each operations employee.

Our assets are to a large extent our employees and we follow a structured set of methods in relation to our employees’ qualifications, education and certifications. Courses, seminars and other relevant activities are organised on a current basis, as a minimum once a year, to ensure that relevant employees and any external collaborating partners are kept up to date with security and are made aware of new threats, if any.

General terms of employment, including confidentiality regarding internal and customer matters, are described in each employee’s employment contract where terms of all areas of the employment, including termination and sanctions in case of potential security breaches, are listed.

REVI-IT’s test:

We have enquired about a description of management’s responsibility for communicating information security criteria, and we have inspected the description.

We have enquired about staff training, and we have in spot checks inspected documentation for participation in courses.

We have enquired about guidelines for disciplinary processes, and we have inspected the guidelines.

Test results:

No significant deviations noted.


Termination and change of employment

Control objective: To protect the organisation’s interests as part of the process of changing or terminating employment.

No. 7.3

any.cloud A/S’ control:

General terms of employment, including confidentiality regarding internal and customer matters, are described in each employee’s employment contract where terms of all areas of the employment, including termination and sanctions in case of potential security breaches, are laid down.

REVI-IT’s test:

We have enquired about employees’ obligations to maintaining information security in connection with termination of employment, and we have inspected documentation for the employees’ obligations.

Test results:

No significant deviations noted.

Asset management

Responsibility for assets

Control objective: To identify organisational assets and define appropriate protection responsibilities.

No. 8.1

any.cloud A/S’ control:

Software, servers and network devices, including configuration, are registered for use for documentation, overview of devices, etc.

The documents, network topologies and similar are continuously updated in the event of changes and are reviewed at least once a year by our network specialists.

By means of division of responsibilities and role descriptions central network units, servers, peripherals, systems and data are dedicated to system administrators in our company.

Customer data and systems are dedicated to the customer’s contact person.

In the event of termination of employment, we have a comprehensive procedure in place which must be observed to ensure that the employees return all relevant assets, including portable media, etc., and to ensure that all employees’ access to buildings, systems and data is revoked.

REVI-IT’s test:

We have enquired about inventories of assets, and we have in spot checks inspected inventories of assets.

We have enquired about controls for ensuring assets are updated, and we have inspected the controls in place.

We have enquired about an inventory of asset ownership, and we have inspected the inventory.

We have enquired about guidelines for the use of assets, and we have inspected the guidelines.

We have enquired about a procedure for ensuring the return of handed-out assets, and we have in spot checks inspected the procedure. Additionally, we have in spot checks inspected documentation for the return of assets.

Test results:

No significant deviations noted.


Media handling

Control objective: To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

No. 8.3

any.cloud A/S’ control:

We ensure to the widest extent possible that our staff’s portable media, e.g. laptops, mobile phones and similar, have a security configuration to the same extent as the rest of our environment; and we also ensure that the data carrying media are updated when we introduce new security measures.

REVI-IT’s test:

We have enquired about mobile device management, and we have inspected documentation for the solution.

We have enquired about a process for disposal of media, and we have inspected the process.

We have enquired about transport of physical media.

Test results:

No significant deviations noted.

Access control

Business requirements of access control

Control objective: To limit access to information and information processing facilities.

No. 9.1

any.cloud A/S’ control:

We have a policy regarding allocation of access. This policy is an integral part of our IT security policy.

REVI-IT’s test:

We have enquired about a policy for management of access to systems and buildings, and we have inspected the policy.

We have enquired about management of access to network and network services, and we have inspected the solution.

Test results:

No significant deviations noted.

User access management

Control objective: To ensure authorised user access and to prevent unauthorised access to systems and services.

No. 9.2

any.cloud A/S’ control:

All users must be personally identifiable, i.e. have a clear identification with a personal name. In case of service users, i.e. accounts only used for system purposes, the option regarding actual logon will be disabled.

Allocation of privileges is controlled in connection with our normal user management process.

All personal logons are only known to the individual employee and are subject to password policies for securing complexity.

For our own users, the company's CTO will periodically, once a year as a minimum, review the company’s in-house systems for creation of users and their access level to prevent unauthorised access.

REVI-IT’s test:

We have enquired about a procedure for creating and disabling users, and we have inspected the procedures.

We have in spot checks inspected documentation for creation and disabling of users during the period.

We have enquired about a procedure for allocating rights, and we have inspected the procedure.

We have enquired about storage of confidential passwords, and we have inspected documentation for adequate storage.

We have enquired about a process for periodic review of users, and we have inspected documentation for the latest review.

Test results:

No significant deviations noted.


User responsibilities

Control objective: To make users accountable for safeguarding their authentication information.

No. 9.3

any.cloud A/S’ control:

Our IT security policy states that our employees’ passwords are personal, and only the user is to know the password. Every year the employees sign a document stating that they have read and understood the latest version of our IT security policy.

REVI-IT’s test:

We have enquired about guidelines for the use of confidential passwords, and we have inspected the guidelines.

We have enquired about annual training of staff in relation to information security, and we have inspected documentation for staff training.

Test results:

No significant deviations noted.

System and application access control

Control objective: To prevent unauthorised access to systems and applications.

No. 9.4

any.cloud A/S’ control:

Our employees are set up with differentiated access privileges and therefore only have access to the systems and data that are relevant for their work effort.

All employees across both customer systems and proprietary systems have restrictions as regards passwords. All users have a password and systemically it is set up so that there are restrictions in relation to the design of the password. Passwords must be changed regularly and they must be complex.

REVI-IT’s test:

We have enquired about restrictions on access to data, and we have inspected documentation for restriction.

We have enquired about a procedure for secure logon, and we have inspected the solution.

We have enquired about a system for password management. We have inspected the solution and selected configurations.

Test results:

No significant deviations noted.

Cryptography

Cryptographic controls

Control objective: To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

No. 10.1

any.cloud A/S’ control:

Our customers have access to our systems via the public networks, where access is allowed via encrypted VPN access, IP-whitelisting or MPLS/VPLS.

Portable devices are protected with logon and encryption.

REVI-IT’s test:

We have enquired about a policy for the use of encryption, and we have in spot checks inspected documentation for the use of cryptography.

We have enquired about administration of encryption keys, and we have inspected documentation for this management.

Test results:

No significant deviations noted.


Physical and environmental security

Secure areas

Control objective: To prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities.

No. 11.1

any.cloud A/S’ control:

We have entered into an agreement with the concerned supplier on housing of our proprietary servers and similar measures are implemented to prevent theft, fire, water and temperature deviations.

We annually receive an auditor’s opinion covering the physical security at our subcontractor.

REVI-IT’s test:

We have enquired about an auditor’s opinion from the subcontractor for the physical environment, and we have inspected the auditor’s opinion for adequate physical security.

We have observed that the auditor’s opinion from subcontractor respectively covers the period 1 January 2015 to 31 December 2015 and 16 June 2015 to 15 June 2016.

We have enquired about periodic review of external location, and we have in spot checks inspected documentation for inspection.

We have enquired about the allocation and revocation of access to operations facilities at the subcontractor, and we have in spot checks inspected documentation for the allocation of access to operations facilities.

We have inspected the physical environment at any.cloud’s offices in order to check the physical security.

We have enquired about the delivery of parcels and goods.

Test results:

No significant deviations noted.


Equipment

Control objective: To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations.

No. 11.2

any.cloud A/S’ control:

We have entered into an agreement with the concerned supplier on housing of our proprietary servers and similar measures are implemented to prevent theft, fire, water and temperature deviations.

The data centre's cooling and fire prevention systems are checked regularly and the back-up power system (UPS) is checked every six months. Systems are installed in the data centre monitoring temperatures and voltages in the server room.

We annually receive an auditor’s opinion covering the physical security at our subcontractor.

All data-carrying devices are destroyed before disposal to ensure that no data is accessible.

All internal user accounts are centrally managed to enter screen lock mode after a maximum of 2 minutes of inactivity. Thereby we ensure that unauthorised staff cannot access confidential data.

REVI-IT’s test:

We have enquired about an auditor’s opinion from subcontractor regarding physical environment.

We have inspected the auditor’s opinion in order to identify observations in relation to physical security; and in relation to this we have, amongst others, checked that there are supporting supplies, and that these are maintained.

We have observed that the auditor’s opinion from subcontractor respectively covers the period 1 January 2015 to 31 December 2015 and 16 June 2015 to 15 June 2016.

We have enquired about periodic review of external location, and we have in spot checks inspected documentation for inspection.

Additionally, by means of re-performing the control we have inspected the external location.

We have enquired about the securing of cabling, and we have inspected auditor’s opinion from supplier.

We have enquired about a policy for the disposal of equipment.

We have enquired about the securing of unattended user equipment, and we have in spot checks inspected that user equipment is locked at inactivity.

Test results:

No significant deviations noted.


Operations security

Operational procedures and responsibilities

Control objective: To ensure correct and secure operation of information processing facilities.

No. 12.1

any.cloud A/S’ control:

We ensure via documentation and descriptions that existing or new employees can commence working on a system for which the said person does not have operational or previous experience.

The system documentation is updated continuously.

Changes are only made on the basis of a qualification of the project, the complexity and assessment of effects on other systems. Moreover, a process is followed regarding development and testing.

Via our general monitoring system, we have set limits for when our overall systems, and thereby our customers’ systems, must be upscaled with regard to electronic space, response time, etc.

Our environment is logically segregated and divided into testing and production whereby we ensure that a product is tested before it is brought into production.

REVI-IT’s test:

We have enquired about procedures in connection with operations, and we have in spot checks inspected the procedures.

We have enquired about controls for updating operations procedures, and we have inspected the control.

We have enquired about a procedure for change management, and we have inspected the procedure. We have in spot checks inspected documentation for change management during the period.

We have enquired about capacity monitoring, and we have in spot checks inspected documentation for capacity monitoring.

We have enquired about the use of a test environment, and we have inspected documentation for the existence of a test environment.

Test results:

No significant deviations noted.

Protection from malware

Control objective: To ensure that information and information processing facilities are protected against malware.

No. 12.2

any.cloud A/S’ control:

We have implemented scanning and monitoring systems to protect against known harmful code, i.e. what we and our customers - via our platforms - may risk to be infected with on the Internet via mails etc. We have antivirus systems, systems for monitoring Internet usage, traffic and resources on SaaS platforms, security by means of other technical and central installations (firewall etc.) in place.

REVI-IT’s test:

We have enquired about measures to protect against malware.

We have enquired about the use of antivirus software, and we have inspected documentation for the use.

Test results:

No significant deviations noted.


Backup

Control objective: To protect against loss of data.

No. 12.3

any.cloud A/S’ control:

We ensure that we can restore systems and data appropriately and correctly in compliance with the agreements we have with our customers.

We have a test for how systems and data can be restored in practice. We keep a log of these tests, enabling us to follow up on whether we can change our procedures and processes to improve our solution.

Unless otherwise agreed with our customers, we perform backup of their entire virtual environment with us.

We have defined guidelines as to how we perform backups.

REVI-IT’s test:

We have enquired about the configuration of backup, and we have in spot checks inspected documentation for the setup.

We have enquired about the storage of backup, and we have inspected the auditor’s opinion from subcontractor in order to verify that backup is stored securely. Additionally, we have inspected documentation for backup being stored in a separate location in relation to the production environment.

We have enquired about test of restore from backup files, and we have inspected documentation for restore test.

Test results:

No significant deviations noted.

Logging and monitoring

Control objective: To record events and generate evidence.

No. 12.4

any.cloud A/S’ control:

We have set up monitoring and logging of network traffic and Operations follows this. We follow up if we suspect that an incident can be related to issues addressed in the log.

Logs are uploaded to our log server.

Administrator logs are performed simultaneously with the normal log.

We use NTP servers from the Internet, which all servers are synchronised up against.

REVI-IT’s test:

We have enquired about the logging of user activity. We have in spot checks inspected the logging configurations.

We have enquired about the securing of log information, and we have inspected the solution.

We have enquired about synchronisation with an adequate clock server, and we have inspected the solution.

Test results:

No significant deviations noted.

Control of operational software
Control objective: To ensure the integrity of operational systems.
No.   any.cloud A/S’ control   REVI-IT’s test   Test results

12.5 By means of our patch process we ensure that only approved and tested updates are installed. In the event of major changes, this will be discussed at internal meetings in Operations.

Moreover, our staff is aware of the policy regarding software downloads.

We have enquired about guidelines for installation of software on operations systems, and we have inspected the guidelines.

We have enquired about timely updates to operations systems, and we have inspected documentation for updates of operations systems, which is in accordance with BFIH’s requirements.

No significant deviations noted.


Technical vulnerability management
Control objective: To prevent exploitation of technical vulnerabilities.
No.   any.cloud A/S’ control   REVI-IT’s test   Test results

12.6 Security announcements from DK-CERT are monitored and analysed and if they are found relevant, they are installed on our internal systems within 1 month from release. Additionally, we continuously perform a risk assessment of our in-house solutions.

We have enquired about management of technical vulnerabilities, and we have inspected documentation for this management.

We have enquired about management of access to installing software, and we have inspected documentation for the limitation of users with rights allowing them to install software.

No significant deviations noted.

Communications security

Network security management
Control objective: To ensure the protection of information in networks and its supporting information processing facilities.
No.   any.cloud A/S’ control   REVI-IT’s test   Test results

13.1 Our customers have access to our systems either via the public networks, where access is allowed via encrypted VPN access, IP-whitelisting or MPLS/VPLS. Access and communication between our servers and our co-location takes place within a closed network.

Only approved network traffic (inbound) is allowed through our firewall.

Our network is divided into various segments whereby we ensure that our internal network is segregated from the customers’ networks.

We have enquired about measures to secure network and network services. We have inspected documentation for the establishment of firewall and patching of firewall.

We have enquired about securing network services, and we have inspected documentation for adequate securing.

No significant deviations noted.

Information transfer
Control objective: To maintain the security of information transferred within an organisation and with any external entity.
No.   any.cloud A/S’ control   REVI-IT’s test   Test results

13.2 External data communication only takes place via mails as our customers’ access to and use of our servers are not considered external data communication.

We have established confidentiality in general for all parties involved in our business. This is done by means of employment contracts or service agreements with subcontractors and business partners.

We have enquired about a policy for information transfer, and we have inspected the policy.

We have enquired about guidelines for handling electronic messages, and we have inspected the guidelines.

We have enquired about the establishment of confidentiality agreements, and we have in spot checks inspected documentation for entered confidentiality agreements.

No significant deviations noted.


Supplier relationships

Information security in supplier relationships
Control objective: To ensure protection of the organisation’s assets that are accessible by suppliers.
No.   any.cloud A/S’ control   REVI-IT’s test   Test results

15.1 Via monitoring set up by a third party we ensure that all services delivered by third parties are in compliance with the requirements and terms we have agreed with third parties. We visit such third parties regularly, whereby we ensure that the agreed terms are continually fulfilled.

We have enquired about the formalisation of supplier agreements, and we have inspected the agreement in order to check the consideration of information security.

We have inspected an auditor’s opinion from subcontractor in order to identify adequate security.

No significant deviations noted.

Supplier service delivery management
Control objective: To maintain an agreed level of information security and service delivery in line with supplier agreements.
No.   any.cloud A/S’ control   REVI-IT’s test   Test results

15.2 Via monitoring set up by a third party we ensure that all services delivered by third parties are in compliance with the requirements and terms we have agreed with third parties. We visit such third parties regularly, whereby we ensure that the agreed terms are continually fulfilled.

We have enquired about monitoring of subcontractors, and we have inspected documentation for monitoring.

We have enquired about change management at subcontractors.

No significant deviations noted.


Information security incident management

Management of information security incidents and improvements
Control objective: To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
No.   any.cloud A/S’ control   REVI-IT’s test   Test results

16.1 There are formally appointed ASPs and the requirements they are subject to are clearly and formally defined. The ASP is responsible for preparing and maintaining procedures that ensure timely and correct intervention in connection with security breaches.

Our employees and external partners are, via the entered contracts and agreements, under an obligation to report any security incident to their immediate superior in order that action can be taken to address the issue as soon as possible and necessary measures can be taken in accordance with the procedures established.

We have enquired about responsibility and procedures in case of information security incidents, and we have inspected documentation for the allocation of responsibilities. Additionally, we have inspected the procedure for managing information security incidents.

We have enquired about guidelines for reporting information security incidents and weaknesses, and we have inspected the guidelines.

We have enquired about a procedure for assessing, reacting to and evaluating information security breaches, and we have inspected the procedure.

We have enquired about information security incidents during the period, and we have in spot checks inspected documentation for the handling of information security breaches.

No significant deviations noted.

Information security aspects of business continuity management

Information security continuity
Control objective: Information security continuity should be embedded in the organisation’s business continuity management systems.
No.   any.cloud A/S’ control   REVI-IT’s test   Test results

17.1 The business continuity plan is embedded in the IT risk analysis and is updated at least once a year in continuation of the conduction of the analysis.

The plan and the procedures are embedded in our operations documentation and procedures.

The plan is tested once or twice annually as part of our business continuity in order for us to ensure that the customers will only experience limited interruption of services in connection with any emergencies.

We have enquired about the preparation of a business continuity plan for securing the continuity of operations in case of failures and similar, and we have inspected the plan.

We have inspected documentation for management approval and periodic control of review of the business continuity plan.

We have enquired about test of the business continuity plan, and we have inspected documentation for test of the business continuity plan.

No significant deviations noted.


Redundancies
Control objective: To ensure availability of information processing facilities.
No.   any.cloud A/S’ control   REVI-IT’s test   Test results

17.2 any.cloud is hosted in InterXion Danmark in Ballerup and GlobalConnect in Taastrup.

We have enquired about the availability of operations systems, and we have inspected the established measures.

We have enquired about redundancy on Internet connections, and we have inspected documentation for redundancy on Internet connections cf. BFIH’s requirements.

No significant deviations noted.

Compliance

Information security reviews
Control objective: To ensure that information security is implemented and operated in accordance with the organisational policies and procedures.
No.   any.cloud A/S’ control   REVI-IT’s test   Test results

18.2 Our employees read the IT security policies once a year as a minimum and sign that they understand and comply with it. We have on-going controls, conducted by our management, to ensure that our employees comply with the security measures that are specified in our IT security policy, in relation to the physical as well as the logical conditions.

Furthermore, we have controls ensuring compliance with monitoring and security.

We have enquired about independent evaluation of the information security.

We have enquired about internal controls for ensuring compliance with security policy and procedures, and we have inspected selected controls.

We have enquired about periodic control of technical compliance, and we have inspected documentation for monitoring.

No significant deviations noted.