Governance

Ensuring Data Security

Data security is the foundation on which privacy and compliance are built. NetApp follows the requirements of data security laws that require reasonable security measures for storing, transmitting, and processing data. We take measures broadly recognized as integral to appropriate security including encryption, authentication and authorization controls, breach reporting, data loss prevention, and patch management.

NetApp also abides by the practice of data minimization. This fundamental principle of data security holds that organizations should not collect or hold more personal information than is necessary and that data should be deleted when no longer needed for authorized purposes. This principle reduces compliance complexity and protects data against harm in the event of a security breach.

In the unlikely event of a data breach, we’re committed to protecting the privacy of our customers and employees. In such an event, NetApp’s Security Operations Center, Chief Privacy Officer, Data Protection Officer, and/or other senior executives would provide timely and transparent notification. Stakeholders would also be informed about what data was involved in the breach, as well as NetApp’s response to the incident, steps to take, and where to locate additional information.

NetApp products and services are audited regularly against the Service Organization Controls (SOC) 2 (AT Section 101) standard by an independent certified public accountant firm and services auditor. In FY21, an independent third-party auditor affirmed that NetApp in-scope cloud and managed services have achieved SOC 2 Type 1 and Type 2 reports based on applicable Trust Services criteria.
ESG Report | NetApp