Compliance

Please go to the following link to review the Boomi Global Code of Conduct: boomi.com/codeofconduct Partner and supplier codes of conduct can be found here: www.boomi.com/supplierprinciples www.boomi.com/partnercode

Boomi takes the privacy of our customers, partners and their customers and end-users seriously. Boomi has taken measures to support our customers’ and partners’ compliance with data protection requirements, including those set forth in the General Data Protection Regulation (“GDPR”), and other applicable data protection laws, such as the Data Protection Act 2018 of the United Kingdom and Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection 1992, related data protection and privacy laws of the member states of the European Economic Area, Australia’s Privacy Act 1988, and the California Privacy Act 2018 (“CCPA”), each as applicable and as amended, repealed, consolidated or replaced from time to time.The global privacy landscape is ever evolving, and, as a result, Boomi’s privacy team has resources aligned by each business and functional organization to monitor our privacy program’s effectiveness and changes in applicable privacy laws. The remainder of this page is intended to provide an overview of such resources and related information. Boomi as Controller or Processor Initially, our GDPR Accountability Statement, which addresses our Privacy Program is located here.  In GDPR terms, Boomi is a Processor with regard to the personal data that we process through the Boomi services on behalf of our customers (the Controller or Processor), in accordance with the Boomi Documentation and our underlying agreement with you. Where Boomi is a processor, our data protection agreement (DPA) shall apply to the provision of our services to you, the customer. Boomi is a controller with regard to the personal data that Boomi collects and for which it determines the purposes and the manner in which the personal data is to be processed. Details of the data collected by Boomi in its capacity as Controller and our use of this data are described in our Privacy Policy, Subprocessors Boomi engages various sub-processors to provide its services to you, the customer. Boomi maintains an up-to-date list of all sub-processors used by Boomi in connection with our services. All sub-processors engaged by us have suitable data processing agreements in place which impose obligations that are (a) relevant to the services sub-processors are to provide and (b) materially similar to the rights and/or obligations imposed on Boomi under our DPA. Standard Contractual Clauses Boomi’s standard DPA includes the SCCs adopted by the European Commission (EC) in June 2021.  Our DPA confirms that the SCCs will apply automatically whenever customer usage of Boomi’s services involve the transfer of customer data to a country outside of the European Economic Area which has not received an adequacy decision from the EC (i.e., a “third country”). As part of our DPA, these new SCCs will apply automatically. Through the use of the Boomi’s DPA (and the incorporated SCCs therein), customers can be comfortable that any personal data transferred to a third country via Boomi’s services has the same high level of protection that customer data receives in the EEA. CCPA Statement Boomi’s DPA also contains our standard CCPA promise to you (and your data subjects). Thus, in addition to the numerous other applicable promises set forth in the DPA and elsewhere, Boomi will process personal data on behalf of the customer and will not retain, use, or disclose the personal data of any California residents for any purpose other than those set out in the underlying customer agreement (including the DPA) and as permitted under the CCPA. Furthermore, in no event will Boomi sell any personal data.

Please go to the following link to review the Boomi Security Schedule which identifies a description of the technical, administrative, and organizational security measures (the “Security Practices”) employed by Boomi for the protection of Customer data, including Personal Data submitted by Customer to the applicable Boomi Service: www.boomi.com/SecSchedule

FedRAMP

Publicly Available Information The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings. Established in 2011, FedRAMP is a government-wide program that provides a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. FedRAMP standardizes security requirements for the authorization and ongoing cybersecurity of cloud services in accordance with FISMA , OMB Circular A-130 [PDF – 536KB] … https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf, and FedRAMP policy. Boomi-specific Information Boomi’s sponsoring agency, the United States Agency for International Development, and the FedRAMP Program Management Office (PMO) has determined Boomi has met the requirements for the controls in the FedRAMP Moderate baseline. FedRAMP Authorization indicated that Boomi has passed the rigorous security and risk management review process required to offer the Boomi platform to federal agencies, a mandate for any cloud service provider that serves the federal government. Boomi’s FedRAMP authorized services are a portion of Boomi’s offerings. Not every product or service is FedRAMP. Also, there are configuration steps required to implement the FedRAMP controls when you want that more controlled environment; for information on how to purchase and configure our FedRAMP offering please reach out to your Boomi Account Manager and request more information about our FedRAMP services. Boomi is officially listed on the FedRAMP Marketplace – the central, online portal of approved cloud service offerings available for federal government use. “Meeting the stringent security and reliability standards for FedRAMP Authorization at the Moderate impact level, is a critical step for Boomi’s public sector strategy.” -Chris Port, Chief Operating Officer, Boomi 2019 Boomi announces its FedRAMP Moderate Authorization achievement, Aug 2019 Those interested in the FedRAMP-certified Boomi AtomSphere Platform please visit: Boomi Public Sector Website FedRAMP Marketplace federal.sales@boomi.com

StateRAMP

Publicly Available Information Founded at the beginning of 2020, StateRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments. StateRAMP is a membership organization comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third party assessment organizations, and government officials. Boomi-specific Information Boomi is currently pursuing StateRAMP Authorization via FedRAMP reciprocity. We are currently StateRAMP “in-Process” and are working closely with the StateRAMP PMO for next steps and timing. In the meantime, Boomi continues to be FedRAMP Authorized and meet the relevant and related NIST 800-53 Controls. StateRAMP website For more information on The State, Local, and Education sector at Boomi, please go here

VPAT (Voluntary Product Assessment Template)

Publicly Available Information The Voluntary Product Accessibility Template is a document that explains how information and communication technology (ICT) products such as software, hardware, electronic content, and support documentation meet (conform to) the Revised 508 Standards for IT accessibility. Boomi-specific Information At Boomi, our mission is to empower organizations to instantly connect everyone to everything that they want. This mission requires us to work to ensure that everyone, regardless of their needs, is fully able to use and connect with our products. Boomi is committed to ensuring that accessibility remains a key focus throughout our development cycle. We work to understand and implement both emergent regulatory and legal requirements as well as industry standards and customer requested features. Our teams are trained on accessibility best practices so that we can improve accessibility throughout our platform. We are constantly working to ensure our new features and products meet the needs of individuals, organizations, and governments internationally. We are always looking for feedback and suggestions on how we can improve. Please let our accessibility teams know either through your assigned Success specialist, through the Boomi Community, or through e-mailing accessibility@boomi.com. Documents Flow MDH Integration API Developer Portal API Management B2B/EDI DCP

CAIQ available only upon request

Publicly Available Information The Cloud Security Alliance (CSA) is “the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.” The Consensus Assessments Initiative Questionnaire (CAIQ) provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud service provider to ascertain their compliance to cloud security best practices. Boomi-specific Information Boomi has responded to this questionnaire to provide our customers and prospects with the information necessary to evaluate Boomi’s cloud security controls. Documents Boomi Response to the Questionnaire is available upon request.

HECVAT available only upon request

Publicly Available Information The higher education information security community, EDUCAUSE, Internet2, and the Research & Education Networks Information Sharing & Analysis Center (REN-ISAC) created the Higher Education Cloud Vendor Assessment Toolkit (HECVAT), a self-assessment that attempts to standardize higher education information security and data protection requirements around cloud service providers. The assessment helps higher education institutions ensure that cloud services are appropriately assessed for security and privacy needs, and allows a consistent, easily-adopted methodology for those who want to use cloud services. Boomi-specific Information Boomi has completed a HECVAT 2.1 self-assessment. These assessments detail our compliance with industry standards and the security protocols built into our infrastructure. Documents Available upon request

FIPS (FED)

Publicly Available Information FIPS are standards and guidelines for federal computer systems that are developed by National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. Boomi-specific Information As part of our FedRAMP Authorized offerings we have implemented FIPS 140-2 encryption for our data at rest and in transit. For more detailed information please review our FedRAMP information or contact us.

HIPAA/HITECH

Publicly Available Information The Health Insurance Portability and Accountability (HIPAA) Act is a regulation is composed of a series of national standards outlining the privacy and security of protected health information. HIPAA requires the private and confidential handling of protected health information. The subsequent Health Information Technology for Economic and Clinical Health (HITECH) Act defines policies, procedures, and processes that are required to protect electronic protected health information (ePHI). Boomi-specific Information As regulatory oversight related to HIPAA continues to increase, ensuring compliance is more important now than ever. The Boomi AtomSphere Platform has gone through an intensive third-party assessment to receive HIPAA compliance certification, demonstrating our compliance with the safeguards outlined in HIPAA. This assessment includes administrative, physical, technical, and organizational safeguards, as well as breach notifications. Boomi also goes through audits and yearly monitoring to ensure our platform remains in compliance. Documents Boomi Audit: Type 1 Attestation (AT-C 105 and AT-C 205) HIPAA/HITECH)

PCI DSS

Publicly Available Information The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud. Boomi-specific Information PCI certification is considered the best way to safeguard sensitive data and information, and Boomi puts this at the forefront as we build a trusted relationship with our customers and partners. The Boomi AtomSphere Platform has received attestation of compliance for service providers for PCI-DSS. Documents Boomi Attestation of Compliance for PCI DSS

SOC 1 & SOC 2 Compliance

Publicly Available Information System and Organization (SOC) reports utilize independent, third-party auditors to examine various aspects of a company, such as: security, availability, processing integrity, confidentiality, privacy, controls related to financial reporting, and controls related to cybersecurity. SOC 1 reports focuses on outsourced services performed by service organizations which are relevant to a company’s (user entity) financial reporting. A SOC 2 report is an attestation report issued by an independent Certified Public Accounting (CPA) firm. Its focus addresses operational risks of outsourcing to third-parties outside financial reporting. These reports are based on the Trust Services Criteria which include up to five categories: security, availability, processing integrity, confidentiality, and/or privacy. Boomi-specific Information System and Organization Controls (SOC) reports enable customers to feel confident that Boomi is operating in an ethical and compliant manner. No one likes to hear the word audit, but SOC reports establish credibility and trustworthiness for our customers and partners. Boomi AtomSphere services Boomi Integration, Boomi Master Data Hub, Boomi B2B/EDI Management, and Boomi API Management are SOC1 & SOC2 Compliant. Boomi undergoes SOC 1 and SOC 2 examinations annually, and consistently achieves and maintains our compliance. These examinations focus on the Boomi AtomSphere Platform and the suitability of the design and operating effectiveness of controls relevant to security and confidentially. Documents SOC 1 Compliance Report SOC 2 Compliance Report

ISO27001 for Flow

Publicly Available Information

To be certified by the ISO means that Boomi Flow has been audited by an independent third party, and demonstrated the business conforms to the requirements of the latest quality process standards set by the International Standards Organization. This certification signifies that your processes work efficiently and effectively, and are consistent with the international best practices (aka The Standard).

Boomi-Specific Information

Boomi’s ISO/IEC 27001:2013 certification demonstrates to customers that our Flow platform is structured, stable, and ready for growth. Adhering to ISO standards brings our customers increased efficiencies and reduced costs.

Boomi Flow ISO Certification

IRAP

The Information Security Registered Assessors Program (IRAP) provides a fully validated and assessed security framework for Australian Government Customers. The IRAP program’s responsibility model is designed to ensure compliance with the Australian Government Information Security Manual (ISM). As part of the IRAP process, assessors have audited and reviewed Boomi’s compliance with these controls. The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology infrastructure that stores, processes, and communicates it. Boomi is compliant with IRAP standards for our AtomSphere products (including Integration, API Management, EDI/B2B, and Master Data Hub). Boomi-Specific Information

“Accelerating the coordination of Australia’s public sector puts an emphasis on prioritizing data-driven decision-making and defining data as a shared national asset. Having the necessary standards for data protection and cybersecurity in place, across agencies and jurisdictions, is important in today’s cloud world, and completing our IRAP assessment is a validation that our technology is available to Australia’s public sector and can safely operate at a protected level within their cloud environments.”

-Nathan Gower, Director, Australia and New Zealand Boomi, November 2022.

Australia’s IRAP Assessment Recognizes Boomi To Provide Comprehensive Security Controls For more information please contact Tech.Compliance@boomi.com.

BCP

Boomi’s Business Continuity Plan (BCP) defines how we respond and recover in an emergency or a disaster. The purpose of a BCP is to minimize the effects of disasters or events that disrupt business operations and to reduce the risk of losses. We developed this plan using industry-accepted methodologies – including robust Business Impact Analysis. The plan encompasses principles of high-availability engineering for our software products and the SaaS products we use to operate. Our BCP aims to make it possible to quickly return to normal conditions after a disaster or event that disrupts company operations.

Still Have Questions? Please feel free to reach out to Tech.Compliance@boomi.com with any questions about Boomi Compliance. We would love to hear from you and help with your integration needs! If you are interested in Privacy at Boomi, please go here: boomi.com/privacy