JAMS Information Security Summary

JAMS’s Written Information Security Policy (WISP) details the daily operations of JAMS’s security program. It provides guidance for both employees and leadership regarding how to use, secure, and govern Information Technology (IT) and related resources.

Details related to Incident Response, Business Continuity, and Disaster Recovery are covered in separate policies. Some sections contained within the WISP may have additional dedicated policies, procedures, standards, or guidelines to expand upon what is contained in the WISP.

JAMS does not share its policy documents outside of the organization, with a few exceptions. Our Privacy Policy, Cookie Statement, and Secure Development Lifecycle overview are available on our website. This Information Security Summary is a high-level overview of JAMS’s security program, which may be shared outside of the JAMS organization.

Applicable Guidelines & Best Practices

In creating this WISP, the Company has followed guidance grounded in industry frameworks such as the Secure Controls Framework, CIS controls, and the NIST Cybersecurity Framework. These are leading frameworks for structuring a thorough information security program, from which the Company’s security program is tailored.

Security Certifications

JAMS was divested from its previous parent company on June 1, 2025. As a newly independent company, JAMS has begun the process of pursuing security certifications. JAMS has engaged an independent auditing firm to perform a SOC 2 Type II evaluation and intends to complete the associated examination period in Q3 2026. A copy of the engagement letter is available upon request.

Cybersecurity Program Governance

Risk Management

The JAMS Information Security Team assesses risk on an ongoing basis and also performs a more in-depth annual assessment to identify risks in the Company’s security controls, technical infrastructure, and procedures. Findings and recommendations from the risk assessment exercise are shared with the Company and are stored in the Risk Register. If deemed necessary, updates are made to the Company’s cybersecurity program based on the findings.

Change Management

Change management regarding Information Technology is governed by JAMS’s established change control standards. The change management process is the ongoing practice of communicating, coordinating, monitoring, and scheduling changes within JAMS’s operating environment. Change management procedures protect JAMS from changes that are potentially disruptive or have unacceptable risk associated with them.

Procurement and Third-Party Risk Management

The WISP includes sections covering both hardware and software procurement, as well as due diligence for engaging prospective third parties, and ongoing due diligence related to third parties. JAMS and its third parties must agree to a written confidentiality or non-disclosure agreement prior to sharing JAMS’s confidential data. Third parties will be granted access to the Company’s data on a need-to-know basis.

Human Security

Acceptable Use

All employees are responsible for exercising good judgment when managing JAMS’s confidential data and systems. For security and network maintenance purposes, JAMS reserves the right to monitor employee activity on the Company’s network at any time. If, at any time, an employee is uncertain of the proper procedures to follow when handling and storing confidential data, the employee must consult with the Information Security Team. The WISP contains general guidance on best practices for password management, access restrictions, and storing confidential data.

“Bring Your Own Device” – Using Personal Devices or Accounts

Employees are issued a Company-provided computer and are expected to perform all work-related tasks on that device. Personal computers are not approved for work-related activities unless prior authorization is sought and given by the Information Security Team. The WISP also lays out policies for personal use of Company-owned computers, mobile device management, and managing confidential data off-premises.

Acceptable Use of Artificial Intelligence (AI) Tools

The progress and impact of Artificial Intelligence (AI) and Machine Learning (ML) have quickly begun to transform our world, especially with the advent of generative AI. This has resulted in great potential both for good and for bad. Even as AI has increased the efficiency of various work-related efforts, many examples have also arisen of problems related to AI.

JAMS does not want to ignore important advances in modern technology that can make the company more effective, nor to blindly accept technology that might compromise company operations and/or confidential data, or that might lead to biased materials and/or processes. Accordingly, the company has adopted guidelines regarding the usage of AI by the company and its employees.

Access Controls

JAMS’s data is stored using hosted technologies. Access to shared or department folders is assigned by the IST or a delegated senior staff member. Private employee folders are maintained as needed. Please note that JAMS does not ingest or store any customer data. All references to data in this document refer to internal JAMS company data.

Access rights are reviewed on an annual basis to ensure access has been appropriately granted to, and restricted from, employees. The Access Controls section of the WISP also details processes for on-boarding and off-boarding of employees and contractors, as well as guidelines for managing access to Company email systems.

Password Management

The Password Management section of the WISP details JAMS standards for passwords, including minimum length, complexity and required reset period. Additional information is provided for best practices for password management and security.

User Awareness & Training

JAMS will provide cybersecurity training to employees on an annual and ongoing basis. The training may address a variety of topics relating to the WISP, cybersecurity events recently in the news, common phishing techniques, how to identify red flags, or other topics deemed relevant at the time of the training. Training will include simulated phish-testing emails, to aid awareness and practice with common methods.

Data Security

Data Classification

Employees must understand the Company’s criteria for what is deemed confidential in order to appropriately manage the Company’s data. The WISP includes a table which categorizes JAMS’s data to provide employees with an understanding of the types of data classified as confidential at the Company, versus types of data classified as public. As referenced earlier, JAMS does not ingest or store any customer data. All references to data in this document refer to internal JAMS company data.

Data Backup & Retention

Backups are in place for critical systems to provide ongoing redundancy in the case of data loss and/or service disruption. Backups of critical data are taken daily and are stored on a separate system that is not on the same network as the source data. Backup standards will be reviewed on a recurring basis to ensure alignment with business needs.

Data Destruction

Prior to disposal, paper documents containing confidential data must be shredded or properly destroyed. The purpose is to preclude reconstruction or recovery of confidential data intended for disposal. Prior to the repair, redeployment, or disposal of any equipment, all confidential data stored on such equipment shall be wiped or encrypted. If a third party is engaged to dispose of the Company’s equipment, the Company will wipe any confidential data prior to its disposal. The third party shall confirm that proper destruction procedures were followed by providing a letter of attestation or data destruction certificate to the Company.

Network & System Security

Security Controls

JAMS builds its security controls in alignment with industry-standard frameworks, emphasizing risk-based control design and continuous improvement. The program is regularly evaluated through gap analyses to strengthen overall security posture. JAMS maintains anti-virus and anti-malware protection on all computers.

Asset Management

JAMS recognizes that the foundation of a strong cybersecurity program is asset management and inventory. Effective asset management is necessary to ensure that cybersecurity decisions are well informed by needs and risks. As a result, JAMS maintains inventories that include, but are not limited to, hardware inventory, software inventory, and software development inventory. Inventories are automatically updated whenever possible.

Encryption Management

JAMS enforces industry-standard encryption controls across all managed systems. All data under JAMS’s control is encrypted at rest and in transit, and all endpoints leverage centrally enforced full-disk encryption. Vendors, Cloud, and SaaS providers are evaluated through our third-party risk process to ensure they maintain appropriate encryption standards for any data they handle.

Log Management

The Company, via its Information Security Team and/or the Company’s IT Provider, logs activity on critical systems, including infrastructure devices, and systems storing, processing, or transmitting confidential or sensitive data. The WISP sets forth the types of activity that may be logged.

Patch Management

Patches are updated on a regular basis at the workstation level. System reboots are forced if needed to ensure patches are applied. The WISP lays out the overall patch management process, including definition of patch levels and patch deployment.

Vulnerability Management

JAMS maintains a managed vulnerability, detection, and response program. Internal and external scanning is performed on a regular cadence where applicable. Identified vulnerabilities are assessed, prioritized, and remediated to reduce risk and strengthen system resilience.

Removable Media

The use of removable media is blocked on all JAMS company-provided computers to reduce the potential for security incidents and unauthorized data exfiltration.

If an employee requires use of removable media for business purposes, permission from the Information Security Team is required. Removable media will be enabled for the time needed to perform business duties and will be disabled after.

Physical Access

The Company maintains office space for use by some employees. This space is secured in coordination with building management. The level of security is set in accordance with business risk from physical access options. Considerations include, but are not limited to, physical access to the building, physical access to the office space, and physical access to networking closets, where applicable.

Secure Development

JAMS’s internal software development lifecycle (SDLC) is performed with various security considerations taken into account. These are intended to help ensure the security of the application itself and the data that is contained within the application and its databases. Details and processes are documented in a separate SDLC document that is used by JAMS developers, a summary of which is available on the JAMS website.