Compliance

Welcome to the Boomi Compliance page! As one of the few iPaaS vendors that is FedRAMP Authorized, and a company with over 20 years in business, we are constantly working to ensure that our compliance meets the stringent standards set by governments, tens of thousands of customers, and all of their thoughtful security & privacy organizations. This page is intended to provide a high-level overview of the compliance certifications and authorizations that Boomi has achieved, and other important information that may help you. If you need further details on any of the information below, please reach out to your Account Executive if you are an active client, or email us at Tech.Compliance@boomi.com.

Code of Conduct
Data Flow
Privacy
Security
FedRAMP
StateRAMP
VPAT
CAIQ
FIPS
HIPAA/HITECH
PCI DSS
SOC 1/SOC 2
ISO
IRAP
BCP / DR
Global Trade Compliance

Please go to the following link to review the Boomi Global Code of Conduct: boomi.com/codeofconduct

Partner and supplier codes of conduct can be found here:

www.boomi.com/supplierprinciples

www.boomi.com/partnercode

Boomi takes the privacy and security of our customers, partners and their customers and end-users seriously. Boomi has taken measures to support our customers’ and partners’ compliance with data protection and security requirements, including those set forth in the General Data Protection Regulation (“GDPR”).

Boomi provides the following additional information which can help you, our customer, assess Boomi’s privacy and security program, including for your own Transfer Impact Assessment:

Boomi takes the privacy of our customers, partners and their customers and end-users seriously. Boomi has taken measures to support our customers’ and partners’ compliance with data protection requirements, including those set forth in the General Data Protection Regulation (“GDPR”), and other applicable data protection laws, such as the Data Protection Act 2018 of the United Kingdom and Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection 1992, related data protection and privacy laws of the member states of the European Economic Area, Australia’s Privacy Act 1988, and the California Consumer Privacy Act of 2018 (“CCPA”), each as applicable and as amended, repealed, consolidated or replaced from time to time. The global privacy landscape is ever evolving, and, as a result, Boomi’s privacy team has resources aligned to each business and functional organization to monitor our privacy program’s effectiveness and changes in applicable privacy laws.

The remainder of this page is intended to provide an overview of such resources and related information.

Boomi as Controller or Processor

Our GDPR Accountability Statement, which describes our Privacy Program, is located here. In GDPR terms, Boomi is a Processor with regard to the personal data that we process through the Boomi services on behalf of our customers (the Controller or Processor), in accordance with the Boomi Documentation and our underlying agreement with you. Where Boomi is a Processor, our data protection agreement (DPA) applies to the provision of our services to you, the customer.

Boomi is a Controller with regard to the personal data that Boomi collects itself and for which it determines the purposes and the manner in which the personal data is processed. Details of the data collected by Boomi in its capacity as Controller, and our use of this data, are described in our Privacy Policy.

Subprocessors

Boomi engages various sub-processors to provide its services to you, the customer. Boomi maintains an up-to-date list of all sub-processors used by Boomi in connection with our services. All sub-processors engaged by us have suitable data processing agreements in place which impose obligations that are (a) relevant to the services sub-processors are to provide and (b) materially similar to the rights and/or obligations imposed on Boomi under our DPA.

Standard Contractual Clauses

Boomi’s standard DPA includes the Standard Contractual Clauses (SCCs) adopted by the European Commission (EC) in June 2021. Our DPA confirms that the SCCs apply automatically whenever customer usage of Boomi’s services involves the transfer of customer personal data to a country outside of the European Economic Area which has not received an adequacy decision from the EC (i.e., a “third country”).

Through Boomi’s DPA (and the SCCs incorporated in it), customers can be confident that any personal data transferred to a third country via Boomi’s services receives the same high level of protection that customer data receives in the EEA.

Boomi provides the following additional information which can help you, our customer, assess Boomi’s privacy and security program, including for your own Transfer Impact Assessment:

CCPA Statement

Boomi’s DPA also contains our standard CCPA promise to you (and your data subjects). Thus, in addition to the numerous other applicable promises set forth in the DPA and elsewhere, Boomi will process personal data on behalf of the customer and will not retain, use, or disclose the personal data of any California residents for any purpose other than those set out in the underlying customer agreement (including the DPA) and as permitted under the CCPA. Furthermore, in no event will Boomi sell any personal data.

Shared Responsibility. Security and compliance are a shared responsibility between Boomi and the customer. Our Shared Security Responsibility Model (SSRM) sets out the relevant security responsibilities for both Boomi and our customers, outlining the security controls and configurations each party owns.

Shared Security Responsibility Model

Security Practices. The Boomi Security Schedule sets forth a description of the technical, administrative, and organizational security measures employed by Boomi for the protection of Customer data. This includes Personal Data submitted by you, the customer, to the applicable Boomi Service.

www.boomi.com/SecSchedule
FedRAMP


Publicly Available Information

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings.

Established in 2011, FedRAMP is a government-wide program that provides a cost-effective, risk-based approach for the adoption and use of cloud services by the federal government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information, by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies. FedRAMP standardizes security requirements for the authorization and ongoing cybersecurity of cloud services in accordance with FISMA, OMB Circular A-130 (https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf), and FedRAMP policy.

Boomi-specific Information

Boomi’s sponsoring agency, the United States Agency for International Development, and the FedRAMP Program Management Office (PMO) have determined that Boomi has met the requirements for the controls in the FedRAMP Moderate baseline. FedRAMP Authorization indicates that Boomi has passed the rigorous security and risk management review process required to offer the Boomi platform to federal agencies, a mandate for any cloud service provider that serves the federal government. Boomi’s FedRAMP authorized services are a portion of Boomi’s offerings; not every product or service is within the FedRAMP authorization boundary. Configuration steps are also required on the customer side to implement the FedRAMP controls when you want that more controlled environment. For information on how to purchase and configure our FedRAMP offering, please reach out to your Boomi Account Manager and request more information about our FedRAMP services.

Boomi is officially listed on the FedRAMP Marketplace – the central, online portal of approved cloud service offerings available for federal government use.

“Meeting the stringent security and reliability standards for FedRAMP Authorization at the Moderate impact level, is a critical step for Boomi’s public sector strategy.”

-Chris Port, Chief Operating Officer, Boomi 2019

Boomi announces its FedRAMP Moderate Authorization achievement, Aug 2019

Those interested in the FedRAMP-authorized Boomi AtomSphere Platform can find its listing on the FedRAMP Marketplace.

StateRAMP


Publicly Available Information

Founded at the beginning of 2020, StateRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments. StateRAMP is a membership organization comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third party assessment organizations, and government officials.

Boomi-specific Information

The Boomi products are StateRAMP Authorized and are available for state and local government organizations on the StateRAMP Authorized Product List. Through achieving StateRAMP Authorized status, Boomi is showing its commitment to offering a secure product that meets and exceeds the security requirements of our state & local customers. To learn more about how Boomi works to support state and local governments, please reach out to our team. Boomi pursued StateRAMP Authorization via FedRAMP reciprocity, and during the StateRAMP “In Process” period worked closely with the StateRAMP PMO on next steps and timing. Boomi continues to be FedRAMP Authorized and meets the relevant and related NIST SP 800-53 controls. Because listing status and product scope can change, confirm the current status of the specific Boomi product on the StateRAMP Authorized Product List before relying on it.

StateRAMP website

For more information on the State, Local, and Education sector at Boomi, please go here.

VPAT Compliance

VPAT (Voluntary Product Accessibility Template)

Publicly Available Information

The Voluntary Product Accessibility Template is a document that explains how information and communication technology (ICT) products such as software, hardware, electronic content, and support documentation meet (conform to) the Revised 508 Standards for IT accessibility.

Boomi-specific Information

At Boomi, our mission is to empower organizations to instantly connect everyone to everything that they want. This mission requires us to work to ensure that everyone, regardless of their needs, is fully able to use and connect with our products. Boomi is committed to ensuring that accessibility remains a key focus throughout our development cycle. We work to understand and implement both emergent regulatory and legal requirements as well as industry standards and customer requested features. Our teams are trained on accessibility best practices so that we can improve accessibility throughout our platform. We are constantly working to ensure our new features and products meet the needs of individuals, organizations, and governments internationally. We are always looking for feedback and suggestions on how we can improve. Please let our accessibility teams know either through your assigned Success specialist, through the Boomi Community, or through e-mailing accessibility@boomi.com.

Documents

CAIQ available only upon request

Publicly Available Information

The Cloud Security Alliance (CSA) is “the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.” The Consensus Assessments Initiative Questionnaire (CAIQ) provides a set of questions a cloud consumer and cloud auditor may wish to ask of a cloud service provider to ascertain their compliance to cloud security best practices.

Boomi-specific Information

Boomi has responded to this questionnaire to provide our customers and prospects with the information necessary to evaluate Boomi’s cloud security controls.

FIPS (FED)

Publicly Available Information

Federal Information Processing Standards (FIPS) are standards and guidelines for federal computer systems that are developed by the National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement.

Boomi-specific Information

As part of our FedRAMP Authorized offerings we use FIPS 140-2 validated cryptographic modules to protect data at rest and in transit. (FIPS 140-2 is a validation standard for cryptographic modules rather than an encryption algorithm, so what matters to an assessor is that the modules in use carry a current validation and that only approved algorithms and cipher suites are enabled.) For more detailed information please review our FedRAMP information or contact us.


HIPAA/HITECH

Publicly Available Information

The Health Insurance Portability and Accountability Act (HIPAA) is composed of a series of national standards governing the privacy and security of protected health information (PHI). HIPAA requires the private and confidential handling of PHI. The subsequent Health Information Technology for Economic and Clinical Health (HITECH) Act strengthened HIPAA’s enforcement and breach notification requirements and defines the policies, procedures, and processes required to protect electronic protected health information (ePHI).

Boomi-specific Information

As regulatory oversight related to HIPAA continues to increase, ensuring compliance is more important now than ever. The Boomi AtomSphere Platform has gone through an intensive third-party assessment attesting to our compliance with the safeguards outlined in HIPAA (note that the U.S. Department of Health and Human Services does not itself certify HIPAA compliance; such attestations are issued by independent assessors). The assessment covers administrative, physical, technical, and organizational safeguards, as well as breach notification. Boomi also undergoes audits and yearly monitoring to ensure our platform remains in compliance.

PCI DSS

Publicly Available Information

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. Governed by the Payment Card Industry Security Standards Council (PCI SSC), the compliance scheme aims to secure credit and debit card transactions against data theft and fraud.

Boomi-specific Information

PCI DSS compliance is widely regarded as the baseline for safeguarding cardholder data, and Boomi puts this at the forefront as we build a trusted relationship with our customers and partners. The Boomi AtomSphere Platform has received a PCI DSS Attestation of Compliance (AOC) for Service Providers.

SOC 1 & SOC 2 Compliance

Publicly Available Information

System and Organization Controls (SOC) reports are produced by independent, third-party auditors who examine various aspects of a company, such as: security, availability, processing integrity, confidentiality, privacy, controls related to financial reporting, and controls related to cybersecurity.

SOC 1 reports focus on outsourced services performed by service organizations which are relevant to a company’s (the user entity’s) financial reporting. A SOC 2 report is an attestation report issued by an independent Certified Public Accounting (CPA) firm. Its focus addresses the operational risks of outsourcing to third parties outside financial reporting. These reports are based on the Trust Services Criteria, which include up to five categories: security, availability, processing integrity, confidentiality, and/or privacy.

Boomi-specific Information

System and Organization Controls (SOC) reports enable customers to feel confident that Boomi is operating in an ethical and compliant manner. No one likes to hear the word audit, but SOC reports establish credibility and trustworthiness for our customers and partners. The Boomi AtomSphere services Boomi Integration, Boomi Master Data Hub, Boomi B2B/EDI Management, and Boomi API Management are SOC 1 & SOC 2 compliant.

Boomi undergoes SOC 1 and SOC 2 examinations annually, and consistently achieves and maintains our compliance. These examinations focus on the Boomi AtomSphere Platform and the suitability of the design and operating effectiveness of controls relevant to security and confidentiality (i.e., Type II scope rather than a point-in-time Type I review).


ISO

Publicly Available Information

Boomi has achieved certification for compliance with ISO/IEC 27001:2013, 27701:2019, 27017, and 27018. These certifications are performed by independent third-party auditors. Our compliance with these internationally-recognized standards and code of practice is evidence of our commitment to information security at every level of our organization, and that Boomi’s security program is in accordance with industry leading best practices.

Boomi-Specific Information

  • ISO/IEC 27001:2013 is a security management standard that specifies security management best practices and comprehensive security controls following the ISO/IEC 27002 best practice guidance. ISO/IEC 27001:2013 requires the development and implementation of a rigorous security program, which includes an Information Security Management System (ISMS) that defines how Boomi manages security in a holistic, comprehensive manner. Boomi’s ISO/IEC 27001:2013 certification also includes control objectives from ISO/IEC 27017:2015 and ISO/IEC 27018:2019, which provide guidance on the information security aspects of cloud computing and on the protection of personal data in the cloud, respectively.
  • ISO/IEC 27701:2019 is a privacy standard that specifies requirements and guidelines to establish and continuously improve a Privacy Information Management System (PIMS), including the processing of Personally Identifiable Information (PII). It is an extension of the ISO/IEC 27001 and ISO/IEC 27002 standards and provides a set of additional controls and associated guidance for organizations acting as PII controllers and/or PII processors.

Documents

IRAP


The Information Security Registered Assessors Program (IRAP) is an Australian Signals Directorate (ASD) program that endorses independent assessors to evaluate the security of systems used by Australian Government customers against the controls of the Australian Government Information Security Manual (ISM). As part of the IRAP process, an endorsed assessor has audited and reviewed Boomi’s implementation of these controls. Note that an IRAP assessment report is an input to an agency’s own authorization decision rather than a certification in itself.

The IRAP goal is to maximize the security of Australian federal, state, and local government data by focusing on the information and communications technology infrastructure that stores, processes, and communicates it. Boomi has completed an IRAP assessment for our AtomSphere products (including Integration, API Management, EDI/B2B, and Master Data Hub).

Boomi-Specific Information

“Accelerating the coordination of Australia’s public sector puts an emphasis on prioritizing data-driven decision-making and defining data as a shared national asset. Having the necessary standards for data protection and cybersecurity in place, across agencies and jurisdictions, is important in today’s cloud world, and completing our IRAP assessment is a validation that our technology is available to Australia’s public sector and can safely operate at a protected level within their cloud environments.”

-Nathan Gower, Director, Australia and New Zealand, Boomi, November 2022

BCP

Boomi’s Business Continuity Plan (BCP) defines how we respond and recover in an emergency or a disaster. The purpose of a BCP is to minimize the effects of disasters or events that disrupt business operations and to reduce the risk of losses. We developed this plan using industry-accepted methodologies – including robust Business Impact Analysis. The plan encompasses principles of high-availability engineering for our software products and the SaaS products we use to operate. Our BCP aims to make it possible to quickly return to normal conditions after a disaster or event that disrupts company operations.

Boomi’s Disaster Recovery (DR) plan establishes the procedures and guidelines followed to quickly and efficiently recover Boomi’s services in the event of a disaster. The DR plan forms part of Boomi’s Business Continuity Plan (BCP) and is built on the business impact analysis (BIA) and risk assessment, together with the recovery strategies derived from them.

Boomi Global Trade Compliance

Laws and Regulations

Boomi, LP is committed to complying with all applicable laws and regulations. This includes U.S. laws related to the export and re-export of our products, services, and/or technical data (the “Boomi Products”) such as the following, without limitation:

  • The Export Administration Regulations (EAR) (15 C.F.R. §§ 730.1 to 774.1), administered by the Bureau of Industry and Security of the U.S. Department of Commerce
  • The International Traffic in Arms Regulations (ITAR) (22 C.F.R. §§ 120.1 to 130.17), administered by the Directorate of Defense Trade Controls of the U.S. State Department (Boomi does not have any products subject to ITAR)
  • The Foreign Trade Regulations (FTR) (15 C.F.R. §§ 30.1 to 30.74), administered by the Census Bureau of the Commerce Department
  • The Foreign Assets Control Regulations (FACR) (31 C.F.R. §§ 501.101 to 598.901), administered by the Office of Foreign Assets Control of the U.S. Department of the Treasury

Boomi Product License Information

Boomi, LP has obtained a formal Commodity Classification for its Boomi Products confirming the applicable Export Control Classification Numbers (ECCN) for each product. A complete Boomi Product Export Control Classification List can be found here. All Boomi Products in the Product Export Control Classification List are eligible for export with No License Required or are eligible for export under provisions of License Exception ENC. Any person or entity that exports, re-exports, or transfers the Boomi Products is responsible for compliance with any applicable U.S. export control laws, and to provide classification information at the time of export or re-export. It is the responsibility of any person or entity exporting or re-exporting the Boomi Products to provide the correct ECCN and Boomi makes no warranty or representation as to the accuracy or reliability of these classifications which are subject to change.

Export Restrictions

In accordance with the applicable U.S. export laws and regulations, Boomi prohibits the export, re-export, transfer, or provision of access of the Boomi Products to or by the following:

  • Any entity or individual national of a country subject to U.S. embargoes or trade sanctions, including Cuba, Iran, North Korea (Democratic People’s Republic of Korea), Syria, or the Crimea, Donetsk, and Luhansk regions of Ukraine, or any other country where it is known or there is reason to know that it would be contrary to U.S. or other applicable laws or regulations.
  • Any entity or individual on the Consolidated Screening List available at www.trade.gov/consolidated-screening-list

For purposes of this policy, export, re-export, transfer, or provision of access includes in-country transfers, whether for the sale of Boomi Products or for beta, quality assurance, demonstration, or other purposes.
Please contact the Boomi Legal Department at Legal-Notice@boomi.com with any questions regarding export compliance for the Boomi Products.
The information on this page applies to Boomi only, and does not represent third party vendors, partners, or contractors.
