INFORMATION SECURITY ADDENDUM
Last Revised May 2025
This Information Security Addendum (“ISA”) applies whenever it is incorporated by reference into the applicable agreement (“Agreement”) between ServiceTitan, Inc. (“ServiceTitan”) and the applicable counterparty (“Partner”).
PURPOSE
Each party shall adhere to the following minimum information security standards to protect any and all non-public data and information of the other party and its affiliates and subsidiaries and its and their customers which, in each case, is commercially valuable, proprietary, confidential, privileged, or personal (“Data”). Data includes personal information and personal data (each as defined under applicable law). The requirements in this ISA are in addition to any requirements in the Agreement.
CERTAIN DEFINED TERMS
“Incident” means a security event that compromises the confidentiality, integrity or availability of a party’s information asset.
"Breach" means an Incident that results in the confirmed disclosure, not just potential exposure, of Data to an unauthorized third-party.
GENERAL COMPLIANCE
Follow AICPA guidelines and regularly review controls as described in its SOC 2 Type II independent auditor report (“SOC 2 Report”).
ENCRYPTION AND KEY MANAGEMENT
Use industry-standard and NIST-approved encryption techniques to (1) encrypt Data at rest and in transit and (2) authenticate and encrypt all connections.
SUPPORT AND MAINTENANCE
Deploy changes to its respective platforms and systems during scheduled maintenance windows.
Post notifications on its website describing affected services in the event of a service interruption.
Provide status updates, high-level information regarding upgrades, new release availability, and minimum release version requirements via its website.
INCIDENT RESPONSE AND NOTIFICATION
Maintain an incident response plan (“IRP”), including a Breach notification process, to assess, escalate, and respond to identified physical and cyber security Incidents that impact the organization or its customers, or that result in data loss. Resolve discovered intrusions and vulnerabilities in accordance with established procedures. Review its IRP, update it annually (or more frequently as needed), and test it at least annually via a tabletop exercise conducted by a reputable third-party vendor.
For any Breach involving Data, the party suffering the Breach shall:
notify the other party within 72 hours of discovery of the Breach (if Partner is to be notified, via email to the main contact on file with ServiceTitan; if ServiceTitan is to be notified, via email to security@servicetitan.com with a copy to legal@servicetitan.com);
reasonably cooperate with the other party with respect to such Breach;
take reasonable and appropriate corrective action to mitigate any risks or damages involved with the Breach to protect Data from further compromise;
take any other actions that may be required by applicable law, rule, or regulation (which may include, without limitation, provision of notices to impacted individuals and credit monitoring services) as a result of the Breach;
bear all costs and expenses associated with the investigation, mitigation, and remediation of such Breach, including the reasonable costs and expenses incurred by the other party, and pay the same on demand; and
make no announcement of, nor communicate to any third party that, such Breach occurred absent the other party’s prior written approval (not to be unreasonably withheld, conditioned, or delayed), except as required by contract, law, rule, or regulation.
SECURITY PROGRAM
Scope and Contents. Maintain a written information security program that (a) complies with applicable global industry-recognized information security frameworks, (b) includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity, and availability of Data, and (c) is appropriate to the nature, size, and complexity of its business operations.
Security Program Changes. Make its policies (including any applicable code of conduct), standards, and operating procedures related to security, confidentiality, integrity, and availability available to all personnel via the corporate intranet. Review, update (as needed), and approve security policies at least annually to maintain their continuing relevance and accuracy. Require personnel to review and acknowledge security policies during onboarding and annually thereafter.
Dedicated Security Team. Ensure the Chief Information Security Officer (“CISO”) and dedicated security team develop, maintain, review, and approve security policies. The CISO must possess appropriate expertise and training in current industry-standard information security and privacy practices and be responsible for implementing and enforcing information security policies.
TRAINING
Security Training & Awareness. Require all personnel to complete security awareness training at least annually, including how to recognize and avoid phishing and social engineering attacks. Conduct periodic security awareness education to guide personnel in creating and maintaining a secure workplace.
Privacy. Ensure all personnel involved in the handling of personal information are suitably trained on and understand applicable data privacy principles.
RISK MANAGEMENT
Have a security risk assessment and management process to identify and remediate potential threats to such party. Assign risk ratings to all identified risks, and manage remediation by security personnel. Keep executive management apprised of the risk posture of the organization.
ACCESS CONTROL PROGRAM
Assign application and data rights based on security groups and roles, which are created based on the principle of least privilege. Require approval of security access requests by the designated individual prior to provisioning access.
Classify information assets in accordance with such party’s data classification guidelines.
USER ACCESS MANAGEMENT
Disable access to systems and networks promptly upon notification of termination of personnel.
Restrict administrative accounts to authorized personnel. Review administrator access to confidential and restricted systems, including corporate and cloud networks, on a semiannual basis. Review administrator access to the cloud production environment and to select corporate systems that provide broad privileged access on a quarterly basis. Promptly remove any inappropriate access.
PASSWORD MANAGEMENT AND AUTHENTICATION CONTROLS
With respect to the corporate network, implement authentication mechanisms that require users to identify and authenticate with their unique user ID and password, along with mandatory multi-factor authentication, with at least one factor being phishing-resistant. Whenever a password is utilized, enforce minimum password parameters for the corporate network through a directory service, including a minimum length of 16 characters.
ASSET CONFIGURATION AND SECURITY
Install and activate endpoint detection and response (EDR) technology on all endpoints to monitor for virus and malware infections. Scan endpoint devices in real-time. Monitor and report when an EDR agent does not check in for prolonged periods of time. Investigate and remediate issues as appropriate. Automatically push updates to endpoint devices from the EDR technology as they become available.
Use full-disk encryption on endpoint devices. Monitor and encrypt endpoint devices using industry-recognized tools. Use tools to identify and alert IT administrators of discrepancies between security policies and a user’s endpoint settings. Maintain and regularly update an inventory of corporate and cloud infrastructure assets and systematically reconcile the asset inventory annually.
THREAT AND VULNERABILITY MANAGEMENT AND SECURITY TESTING
Monitor for vulnerabilities and misconfigurations on an ongoing basis as part of its Threat and Vulnerability Management (TVM) program. Conduct monthly internal and external vulnerability scans using industry-recognized vulnerability scanning tools. Evaluate, document, and remediate identified vulnerabilities to address associated risks. Conduct annual external penetration tests by an independent third party. Evaluate, document, and remediate significant findings from these tests.
LOGGING AND MONITORING
Continuously monitor application, infrastructure, network, data storage, and system performance. Utilize a security information and event management (SIEM) system that pulls real-time security log information from servers, firewalls, routers, intrusion detection system (IDS) devices, and end-user and administrator activity. Configure the SIEM for alerts and monitor it on an ongoing basis. Logs shall contain details on the date, time, source, and type of events. Review logs and triage events that warrant real-time investigation.
CHANGE MANAGEMENT
Maintain change management policies and procedures for requesting, testing, and approving application, infrastructure, and product-related changes. Assign risk scores to all changes based on risk and impact criteria. Generate automated change tickets for low-risk changes with various levels of approval based on risk score. Require manual change tickets for high-risk changes, reviewed by approvers based on change type.
Regularly review planned changes to the corporate or cloud production environments. Maintain change documentation and approvals in a ticketing system. Conduct various levels of review and testing for product development changes based on change type, including security and code reviews, regression, and user acceptance testing prior to approval for deployment. Following the successful completion of testing, ensure changes are reviewed and approved by appropriate managers prior to implementation to production. Use dedicated environments separate from production for development and testing activities. Limit and restrict access to move code into production to authorized personnel.
SECURE DEVELOPMENT
Maintain a software development life cycle (SDLC) process, consistent with its security policies, that governs the acquisition, development, implementation, configuration, maintenance, modification, and management of infrastructure and software components. Ensure that code is pushed through lower-tier environments for testing and certification prior to final release to the production cloud environment. Follow secure coding guidelines based on leading industry standards, including without limitation input validation, data encryption, and output sanitization, along with vulnerability testing and analysis to identify and address potential security vulnerabilities. Update such guidelines as needed and make them available to personnel via the corporate intranet.
Provide developers with annual secure coding training, including without limitation: secure coding practices, including how to prevent and detect vulnerabilities such as injection attacks, cross-site scripting, and buffer overflows; and the importance of data security and privacy and how to incorporate security and privacy measures into software development processes. Maintain records of the training (including, at minimum, the date of the training, list of attendees, and the content of the training) and make them available to the other party upon request. Utilize a code versioning control system to maintain the integrity and security of its application source code. Utilize static analysis and scanners to detect vulnerable third-party libraries and the presence of secrets embedded in code.
SERVER AND NETWORK SECURITY
Use network perimeter defense solutions, such as an IDS and firewalls, to monitor, detect, and prevent malicious network activity. Ensure security personnel monitor detected items and take appropriate action. Follow the change management process and require approval for firewall rule changes that meet the corporate change management criteria. Logically segment corporate and cloud networks to restrict access to authorized users, systems, and services. Implement server hardening practices to reduce the attack surface and mitigate potential security risks, including access controls, disabling unnecessary services, and configuring appropriate security settings. Maintain a patch management program to ensure all servers and network infrastructure run up-to-date software, including prompt patching of all vulnerabilities deemed critical and patching of high-risk vulnerabilities within 2 weeks. Maintain a comprehensive and up-to-date security posture management program to identify, evaluate, and mitigate potential security risks, including but not limited to vulnerabilities in the server and network infrastructure.
THIRD PARTY SECURITY
Assess and manage the risks associated with existing and new third-party vendors. Employ a risk-based scoring model for each third party. Require third parties to enter into contractual commitments that contain security, availability, processing integrity, and confidentiality requirements and operational responsibilities as necessary. Evaluate the physical security controls and assurance reports for its data centers on an annual basis. Assess the impact of any issues identified and track any remediation efforts. Confidentially provide the other party with a current list of subprocessors upon request.
PHYSICAL SECURITY
Grant access to its data centers and offices by job responsibility, and remove access as part of its separation or internal job transfer process when access is no longer required. Manage office access by a badging system that logs access and denies and logs unauthorized attempts. Require personnel and visitors to display identity badges at all times within its offices. Maintain visitor logs and require visitors to be escorted by its personnel.
OVERSIGHT & AUDIT
Align internal audits to its information security program and compliance requirements. Conduct internal control assessments to validate that controls are operating effectively. Document, track, and remediate issues identified from assessments. Have internal controls related to security, availability, processing integrity, and confidentiality audited by an external independent auditor at least annually and in accordance with applicable regulatory and industry standards.
BUSINESS CONTINUITY PLAN
Maintain a business continuity plan and a disaster recovery plan to manage significant disruptions to operations and infrastructure. Review and update these plans periodically and ensure they are approved annually by the CISO. Conduct business continuity exercises to evaluate its tools, processes, and subject matter expertise in response to specific incidents. Document the results of these exercises and track identified issues to remediation.
HUMAN RESOURCES SECURITY
Have procedures in place to guide the hiring process. Complete background verification checks for its personnel in accordance with relevant laws and regulations. Require its personnel to sign a confidentiality agreement as a condition of employment. Maintain a disciplinary process to take action against personnel who do not comply with company policies, including security policies.
COMPLIANCE AND ATTESTATION REQUIREMENTS
Conduct site audits of the information technology and information security controls for all facilities used in complying with its obligations under this ISA at least once per year, including obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices. Obtain, maintain on an annual basis, and make available to the other party a SOC 2 Report covering, at minimum, the following Trust Services Criteria: Security, Availability, and Confidentiality. If Partner does not currently maintain such a SOC 2 Report, Partner must obtain the same within 1 year of this requirement being imposed on Partner and thereafter maintain such SOC 2 Report in accordance with this ISA. Partner SOC 2 Reports shall include a control to validate the identity of customers for purposes of onboarding and offboarding. Such SOC 2 Reports are the confidential information of the party providing the report.
Promptly address any exceptions noted on its SOC 2 Reports, or other audit reports, with the development and implementation of a corrective action plan by its management.
INSURANCE
Comply with the insurance guidelines set out in Exhibit A, which is incorporated by reference.