Technology Overview

The ExpenseWire application environment runs in a networked environment on Microsoft Windows 2003 Server, accessed through a web browser over the Internet. Our web applications are served by IIS 6 running on Windows Server 2003 in a clustered configuration. Our application data is served by Microsoft SQL Server 2000 running on Windows Server 2003 in a clustered configuration. All Internet-accessible servers are protected by firewalls and monitored with adaptive intrusion detection systems.

ExpenseWire maintains a strategy of defense-in-depth. Our information security systems are configured in a tiered environment, with programs and processes running on many levels, to provide a transparent, robust level of security and service while maintaining a robust user level performance. Any breach of the systems or policies described below would be immediately communicated to a designated client contact.

SECURITY AND ACCESS

• 24/7 security management via the Security Operations Center
• Remote camera monitoring 24/7, backed by digital recordings
• Access to equipment area 24/7 via card key and pass code
• Escort services 24/7 at sites with non-secured equipment areas
• Locking cabinets and/or cages
• Full CCTV surveillance
• Falcon equipment monitoring system

POWER AND INFRASTRUCTURE

• 80 to 85 watts per square foot including HVAC
• 120/208V AC and -48V DC available
• 100% generator backup
• Generator capacity 600-2000 KW
• Size of fuel tank 1,000 to 2,000 gallons
• Generator both auto start and auto transfer
• Isolation bypass feature on automatic transfer switch
• Minimum 24-hour run time fuel capacity
• Two-hour response for fuel delivery
• UPS backup power
• Voltage output 480 transformed to 120/208 V
• -48 Volt DC Battery Plant
• 1200 amp expandable to 4800 amp
• 2-hour battery reserve non-redundant, 4 hours redundant
• “True” A/B power feeds
• Grounding in accordance with NFPA 70

ENVIRONMENTAL CONTROLS

• Under-floor cooling provided by computer-room grade equipment
• Cooling not less than 150 BTU/h per square foot with an N+1 redundancy
• Temperature is maintained at 72 degrees F dry bulb at ASHRAE 1%
• In the event of a power interruption HVAC systems (and entire facility) operate on diesel generators
• 30% to 60% humidity non-condensing. Humidity control delivered through ATS/Liebert units via infra-red humidifier

FIRE PROTECTION

• Pre-action sprinkler rated for telecommunication equipment/computer room
• Integrated smoke/heat detector system
• Under-floor leak detection system

NETWORK SECURITY

ExpenseWire maintains separate internal and external networks to separate our application servers from our data storage servers. All internal network database and document storage servers are accessible only from dedicated application servers on the external network, and have no Internet accessibility whatsoever. All external Internet-accessible servers are protected with active firewall technology in default deny mode, which allows access only to a limited IP port range on designated servers. All network traffic is monitored with an adaptive intrusion detection system. A team of professional network technicians maintains all systems. All data transmitted using the ExpenseWire application environment is encrypted using 128-bit SSL. All access to the ExpenseWire application environment is username and password controlled. Network penetration tests are performed regularly.
These are self-audits performed using standard network penetration tools patched to include the latest exploits for the network services and operating systems that are in use in the ExpenseWire production and corporate network environment.

HOST SECURITY

All ExpenseWire servers are hardened and maintained to the latest tested level of security and systems patches. New patches and service packs are first tested in a separate, controlled network environment before being applied to production servers. All servers are monitored and maintained by a team of dedicated technicians. All application and database servers are run in a clustered configuration to maintain the highest levels of application performance and availability.

APPLICATION SECURITY

All access to the ExpenseWire application environment is controlled with a username and password combination. Users are created by ExpenseWire customer representatives or a designated administrative client contact, from within the Administrative section of our application environment. Our standard procedure is to email the user their information including URL, username and password. Our standard password policy is that passwords must be greater than 8 characters and contain letters, numbers, and symbols. Users are “locked out” of the application after 4 incorrect logon attempts. Password and user notification policies are flexible and can be tailored to suit a client's needs or concerns.

The ExpenseWire application environment has a robust, granular permissions system that can be used to restrict user access to the application down to the individual record level. User rights can be easily granted or revoked from within the Administration section of our application environment.

DATA SECURITY

All client data is maintained in separate, secure databases. Backups of this data will be provided to clients at any time. Client data is accessible only to the Client and authorized ExpenseWire personnel via our application environment.
All client databases are backed up on an hourly basis using redundant methods of hard disk and data tape. Backups of client data are by default stored on an hourly basis for the past 24 hours, and then on a daily basis for two months, with weekly backups being stored indefinitely. Backup storage is flexible and can be tailored to suit a client's needs or concerns. Backup of client data can be provided at any time to the client.

DISASTER RECOVERY

Our disaster recovery plan is provided by supplying layers of redundancy in power (battery backup, with generator fail over), servers (all servers run in a clustered configuration), data (frequent reliable backups), and network connectivity (Main ISP at data center failing over to backup ISP which fails over to a collocated data center in a different city). Backups of data occur on an hourly basis. Clients have an option of having this data replicated to a redundant collocated data center in Columbus, OH. Redundant systems are tested on a daily basis.

WEB SECURITY

ExpenseWire uses industry standard efforts to safeguard the confidentiality of your personally identifiable information, such as firewalls, system security measures and Secure Socket Layers (SSL). Please be advised that “perfect security” does not exist in commercial Internet applications and that such security measures may not prevent all loss, misuse or alteration of information on our web sites.

The registration pages, where you enter your personal and credit card information, are secure. This means that any information you send us is protected by encryption. It is easy to tell when you are protected by encryption - your browser displays a lock or a key which is no longer broken or it changes color when you are on a secure page. The actual icon and its location may vary depending on your browser. For example, Netscape has a “Security” padlock icon at the top of the page, which closes when you have entered a secure page.
Internet Explorer displays a closed padlock at the bottom of the page when a page is secure.

Except as specifically permitted by this section, you may not disclose your ExpenseWire password to any third parties nor share it with any third parties. If you lose control of your password, you may lose substantial control over your personally identifiable information and may be subject to legally binding actions taken on your behalf. Therefore, if your password has been compromised for any reason, you should immediately change your password. You may, however, disclose your password to certain third parties with whom ExpenseWire has entered into specific contractual and technical arrangements designed to safeguard your password (“Authorized Password Users”), in order to enjoy the benefits of those third parties’ services in relation to the ExpenseWire services.

ACH SECURITY INFORMATION

All banking information (company & employee) is TripleDES encrypted on our server. Only the application has the “key” to decode. Both the administrator and the employee are required to re-authenticate before they can see or maintain banking information. Access to banking information is limited to the specific user only. Transmission of transactions to the clearing house is done through a secure web service (https://call). The clearing house server will only respond to requests from agreed-upon IP addresses.

Copyright © SamePage LLC DBA ExpenseWire 2005 - 2008 All Rights Reserved