JupiterOne Policies, Standards, and Procedures

Addendum and References

The following is a list of policy addenda and references.

Controls and Procedures

Key Definitions

2018.2

Application

An application hosted by JupiterOne, either maintained and created by JupiterOne, or maintained and created by a Customer or Partner.

Application Level

Controls and security associated with an Application. In the case of PaaS Customers, JupiterOne does not have access to and cannot assure compliance with security standards and policies at the Application Level.

Audit

Internal process of reviewing information system access and activity (e.g., log-ins, file accesses, and security incidents). An audit may be done as a periodic event, as a result of a customer complaint, or suspicion of employee wrongdoing.

Audit Controls

Technical mechanisms that track and record computer/system activities.

Audit Logs

Encrypted records of activity maintained by the system which provide: 1) date and time of activity; 2) origin of activity (app); 3) identification of user doing activity; and 4) data accessed as part of activity.

Access

Means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.

BaaS

Backend-as-a-Service. A set of APIs, and associated SDKs, for rapid mobile and web application development. APIs offer the ability to create users, do authentication, store data, and store files.

Backup

The process of making an electronic copy of data stored in a computer system. This can either be complete, meaning all data and programs, or incremental, including just the data that changed from the previous backup.

Backup Service

A logging service for unifying system and application logs, encrypting them, and providing a dashboard for them. Offered with all JupiterOne Add-ons and as an option for PaaS Customers.

Breach

Means the acquisition, access, use, or disclosure of Customer data (PII) in a manner not authorized by JupiterOne or the affected Customer. For purposes of this definition, “compromises the security or privacy of the customer data” means poses a significant risk of financial, reputational, or other harm to the Customer or individual.

De-identification

The process of removing identifiable information so that data is rendered to not be PII.

Disaster Recovery

The ability to recover a system and data after being made unavailable.

Disaster Recovery Service

A disaster recovery service for disaster recovery in the case of system unavailability. This includes both the technical and the non-technical (process) required to effectively stand up an application after an outage. Offered with all JupiterOne Add-ons and as an option for PaaS Customers.

Disclosure

Disclosure means the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information.

Customers

Contractually bound users of JupiterOne Platform and/or services.

Environment

The overall technical environment, including CSP account, all servers, network devices, and applications.

Event

An event is defined as an occurrence that does not constitute a serious adverse effect on JupiterOne, its operations, or its Customers, though it may be less than optimal. Examples of events include, but are not limited to:

Hardware (or hard drive)

Any computing device able to create and store PII.

IaaS

Infrastructure-as-a-Service.

Immutable Infrastructure

A maintenance paradigm for cyber infrastructure where servers and services are never modified after they’re deployed. All changes result in new instances of the cyber infrastructure being deployed, and old instances are automatically decommissioned.

Indication

A sign that an Incident may have occurred or may be occurring at the present time. Examples of indications include:

Intrusion Detection System (IDS)

A software tool used to automatically detect and notify in the event of possible unauthorized network and/or system access.

IDS Service

An Intrusion Detection Service for providing IDS notification to customers in the case of suspicious activity. Offered with all JupiterOne Add-ons and as an option for PaaS Customers.

Law Enforcement Official

Any officer or employee of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law; or prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law.

Logging Service

A logging service for unifying system and application logs, encrypting them, and providing a dashboard for them. Offered with all JupiterOne Add-ons and as an option for PaaS Customers.

Messaging

API-based services to deliver and receive SMS messages.

Minimum Necessary Information

Protected PII information that is the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. The “minimum necessary” standard applies to all protected health information in any form.

Off-Site

For the purpose of storage of Backup media, off-site is defined as any location separate from the building in which the backup was created. It must be physically separate from the creating site.

Organization

For the purposes of this policy, the term “organization” shall mean JupiterOne.

PaaS

Platform-as-a-Service.

Partner

Contractually bound third-party vendor with integration with the JupiterOne Platform. May offer Add-on services.

PII

Personally Identifiable Information, such as email address, full name, social security number, or telephone number.

Role

The category or class of person or persons doing a type of job, defined by a set of similar or identical responsibilities.

Sanitization

Removal or the act of overwriting data to a point of preventing the recovery of the data on the device or media that is being sanitized. Sanitization is typically done before re-issuing a device or media, donating equipment that contained sensitive information or returning leased equipment to the lending company.

Trigger Event

Activities that may be indicative of a security breach that require further investigation.

Restricted Area

Those areas of the building(s) where confidential organizational information is stored, utilized, or accessible at any time.

Precursor

A sign that an Incident may occur in the future. Examples of precursors include:

Risk

The likelihood that a threat will exploit a vulnerability, and the impact of that event on the confidentiality, availability, and integrity of customer data, other confidential or proprietary electronic information, and other system assets.

Risk Management Team

Individuals who are knowledgeable about the Organization’s Privacy and Security policies, procedures, training program, computer system set up, and technical security controls, and who are responsible for the risk management process and procedures.

Risk Assessment

Identifies the risks to information system security and determines the probability of occurrence and the resulting impact for each threat/vulnerability pair identified given the security controls in place. Prioritizes risks and results in recommended possible actions/controls that could reduce or offset the determined risk.

Risk Management

Within this policy, it refers to two major process components: risk assessment and risk mitigation. This differs from the HIPAA Security Rule, which defines it as a risk mitigation process only. The definition used in this policy is consistent with the one used in documents published by the National Institute of Standards and Technology (NIST).

Risk Mitigation

A process that prioritizes, evaluates, and implements security controls that will reduce or offset the risks determined in the risk assessment process to satisfactory levels within an organization given its mission and available resources.

SaaS

Software-as-a-Service.

Security Incident

(or just Incident): A security incident is an occurrence that exercises a significant adverse effect on people, process, technology, or data. Security incidents include, but are not limited to:

Threat

The potential for a particular threat-source to successfully exercise a particular vulnerability. Threats are commonly categorized as:

Threat Source

Any circumstance or event with the potential to cause harm (intentional or unintentional) to an IT system. Common threat sources can be natural, human or environmental which can impact the organization’s ability to protect customer data.

Threat Action

The method by which an attack might be carried out (e.g., hacking, system intrusion, etc.).

Unrestricted Area

Those areas of the building(s) where confidential and/or sensitive organizational information is not stored or is not utilized or is not accessible there on a regular basis.

Vendors

Persons from other organizations marketing or selling products or services, or providing services to JupiterOne.

Vulnerability

A weakness or flaw in an information system that can be accidentally triggered or intentionally exploited by a threat and lead to a compromise in the integrity of that system, i.e., resulting in a security breach or violation of policy.

Workstation

An electronic computing device, such as a laptop or desktop computer, or any other device that performs similar functions, used to create, receive, maintain, or transmit data. Workstation devices may include, but are not limited to: laptop or desktop computers, personal digital assistants (PDAs), tablet PCs, and other handheld devices. For the purposes of this policy, “workstation” also includes the combination of hardware, operating system, application software, and network connection.

Workforce

Means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.

Zero-Day Vulnerability

A computer software vulnerability that is currently unknown to the software community and/or the software vendor shipping the vulnerable product or service. Since it is unknown, no patches or mitigation strategies are available and the vulnerability remains exploitable.

Employee Handbook and Policy Quick Reference

2020.1

This is an abridged version of JupiterOne’s security policy that all workforce members are required to be familiar with and comply with.

Your Responsibilities

You are assumed to have read and fully understood the corporate security and privacy policies, standards, guidelines, controls and procedures even if you haven’t. This handbook is meant to serve as a “Getting Started” guide and quick reference.

Security is everyone’s responsibility. If this is not your first job, don’t do anything that might get you in trouble at your previous workplace. When in doubt, stop and ask.

Acceptable Use Policy (AUP) for end-user computing

All employees and contractors of JupiterOne must agree to and comply with the following policy:

As a JupiterOne employee, I acknowledge that

Important: Compliance with JupiterOne’s AUP is mandatory, regardless of level-of-employment or job function!

Training

You will be prompted as part of onboarding, and periodically going forward, to complete the following security training:

Your responsibilities for computing devices

JupiterOne provides company-issued laptops and workstations to all employees. JupiterOne currently does not require or support employees bringing their own computing devices.

The laptops and/or workstations assigned to you are yours to configure and manage according to company security policy and standards. You are responsible to

IT and Security provides automated scripts for end-user system configurations and/or technical assistance as needed.

You are also responsible for maintaining a backup copy of the business files stored locally on your laptop/workstation in the appropriate location on the JupiterOne file sharing / team site (e.g. Google Drive). Examples of business files include, but are not limited to:

Important: DO NOT back up critical data such as Customer data or PII to file sharing sites. If you have such critical data locally on your device, contact IT and Security for the appropriate data management and protection solution.

Unless the local workstation/device has access to Critical data, backups of user workstations/devices are self-managed by the device owner. Backups may be stored on an external hard drive or using a cloud service such as iCloud if and only if the data is both encrypted and password protected (passwords must meet JupiterOne requirements).

Getting help

Support for most of our business applications is self-service, such as password reset via Google G Suite.

If needed, users may use our internal service desk to request IT and Security support. Common requests include:

How to report an incident or suspicious activity

You are responsible for reporting all suspicious activities and security-related incidents immediately to the Information Security team, by one of the following channels:

Approved Software

2020.1

Software approved for use at JupiterOne includes, but is not limited to:

Reputable and well-documented open source / free software may be used for development purposes at the discretion of the Engineering team. Cb Defense agents must be active to monitor the behavior of all application processes. Additional periodic audits may be conducted to review the usage of open source tools. Examples of such software include, but are not limited to:

Software not in the list above may be installed if it is necessary for a business purpose, legal, with a valid license, and approved on a case-by-case basis by your manager or the Security Officer.

Approved Vendors

2020.1

For confidentiality reasons, the list of approved vendors is maintained internally using the JupiterOne Platform.

Cookie Policy

2020.1

We at JupiterOne (JupiterOne, Inc. and our subsidiaries and affiliates) are committed to protecting your privacy. We and our partners use cookies and similar technologies on our services, including our websites and mobile applications, if any (the “Services”). This Cookie Policy explains these technologies, why we use them, and the choices you have.

By visiting or using our Services, you are consenting to us gathering and processing information (as defined in our Privacy Policy) about you in accordance with this Cookie Policy.

TECHNOLOGIES WE USE

Like many Internet-enabled services, we use technologies that place small files/code on your device or browser for the purposes identified in our Privacy Policy, primarily to remember things about you so that we can provide you with a better experience.

Cookies. A cookie is a small data file stored on your browser or device. They may be served by the entity that operates the website you are visiting (“first-party cookies”) or by other companies (“third-party cookies”).

Pixels (Clear Gifs/Web Beacons/Web Bugs/Embedded Pixels). These are small images on a web page or in an email. They collect information about your browser or device and can set cookies.

Local Storage. Local storage allows data to be stored locally on your browser or device and includes HTML5 local storage and browser cache.

Software development kits (“SDKs”). SDKs are blocks of code provided by our partners that may be installed in our applications. SDKs help us understand how you interact with our applications and collect certain information about the device and network you use to access the application.

OUR USE OF THESE TECHNOLOGIES

Below are the ways that we and our partners use these technologies on our Services.

Category of use: Purpose of use

Preferences: To help us remember your settings and preferences so that we can provide you with a more personalized experience.

Authentication and Security: To log you into the Services; enable us to show you your account data; and help us keep your data and the Services safe and secure.

Service Features and Performance: To provide you with functionality and optimize the performance of the Services. For example, to allow you to share information from JupiterOne apps with friends within your social networks/circles.

Analytics and Research: To help us understand how you are using the Services so that we can make them better, faster, and safer.

YOUR CHOICES

You have a number of options to control or limit how we and our partners use cookies and similar technologies, including for advertising. Please note that JupiterOne websites and our Services do not respond to Do Not Track signals because we do not track our users over time and across third-party websites to provide targeted advertising. However, we believe that you should have a choice regarding interest-based ads served by our partners, which is why we outline the options available to you here below.

You can set your device or browser to accept or reject most cookies, or to notify you in most situations that a cookie is offered so that you can decide whether to accept it. However, if you block cookies, certain features on our Services may not function. Additionally, even if you block or delete Cookies, not all tracking will necessarily stop.

As an additional step, these advertising companies may participate in one of the following advertising industry self-regulatory programs for online behavioral advertising, with corresponding user opt-outs:

CONTACT US

If you have questions about our use of cookies and similar technologies, please contact us at privacy@jupiterone.com.

Privacy Officer
JupiterOne, Inc.
1500 Perimeter Park Dr. Ste 310, Morrisville, NC 27560

Privacy Policy

Updated:

JupiterOne, Inc. (“JupiterOne”, “we”, “our”, “us”) respects your privacy. This Privacy Policy describes how we collect, use and disclose Personal Information through our website, jupiterone.com (the “Website”), or any of our related websites, applications, or services that link to this Privacy Policy (each a “Service”) that are owned and controlled by JupiterOne. As used in this Privacy Policy, “Personal Information” means information that identifies or that could be used to identify you, and “Services” means, collectively, the Website and the Services.

INFORMATION WE COLLECT ABOUT YOU AND HOW WE USE IT

The Personal Information we collect and how we use it depends on the context of your interactions with us. As explained below, we collect Personal Information when you provide it directly to us and when we receive it from third parties. We also collect certain information automatically when you interact with the Services.

INFORMATION YOU PROVIDE US

We collect Personal Information that you choose to share with us when you use the Services, as described below.

ACCOUNT INFORMATION

If you visit our Website or sign up to use our Services, such as the JupiterOne platform, we will collect Personal Information that you choose to share with us, including through forms presented on the Website and through the Services. This Personal Information may include:

PAYMENT INFORMATION

If you make a payment through the Website or our Services, we will need to collect your payment card number, expiration date, CVV, credit card type, and billing name and address.

ADDITIONAL INFORMATION

If you contact us or participate in a survey, contest, or promotion, we collect the information you submit such as your name, email address, contact information, and message. Additionally, if you apply for a job through the “Careers” page on our Website, we will collect information necessary to evaluate and contact you about your application, which may include your contact details, your resume/CV, employment history, job preferences, educational background, achievements, career trajectory and interests, immigration status and entitlement to work; as well as information for diversity monitoring, such as your gender, race, disability or veteran status.

INFORMATION WE COLLECT AUTOMATICALLY

In addition to the information you share with us, we collect some information automatically when you use the Services. The types of information that we collect automatically may include:

We collect some of this information through tracking technologies such as cookies and web beacons. For more information, please see the How We Use Cookies and Other Tracking Technologies section below.

INFORMATION WE COLLECT FROM THIRD PARTIES

In some cases, we receive Personal Information from third parties. For instance, while using our Services, individuals may provide information about another individual, or an authorized user (such as an account administrator) creating an account on your behalf may provide information about you.

We may also receive Personal Information from other third-party sources, including:

When one individual provides us with information (including Personal Information) about another individual, we assume that the individual has permission and authority to do so and to consent on behalf of that individual to the collection and use of personal information as described in this Privacy Policy. Please contact us immediately if you become aware of an individual providing us with Personal Information about another individual without being authorized to do so.

HOW WE USE PERSONAL INFORMATION

We may use the Personal Information that we collect or receive through the Services for the following purposes:

We collect information about your use of the Services through tracking technologies such as cookies and web beacons. A “cookie” is a unique numeric code that is transferred to your computer to track your interests and preferences and to recognize you as a return visitor. A “Web beacon” is a transparent graphic image placed on a website, e-mail or advertisement that enables the monitoring of things such as user activity and site traffic.

We and third parties with whom we work may use cookies and web beacons on the Services to improve user experience, to help remember your preferences and allow us to bring you the content and features that are likely to be of interest to you, and to analyze the use of our Services and to improve the Services’ functionality. These third parties may collect information about your online activities over time and across different Web sites. One of the ways we do this is through the use of Google Analytics. For more information about how Google Analytics uses and processes data, please visit https://www.google.com/policies/privacy/partners/.

Most web browsers accept cookies automatically, but can be configured not to do so or to notify the user when a cookie is being sent. If you wish to disable cookies, refer to your browser help menu to learn how to disable cookies. Please note that if you disable cookies, you may not be able to use some customized features available through the Services.

HOW WE SHARE PERSONAL INFORMATION

To accomplish the purposes set out above, we may share your Personal Information with other parties that may include the following:

YOUR CHOICES

You can always choose whether or not to provide information to the Services. However, if you choose not to disclose certain information, you may not be able to establish an account on the Services, which may limit your access to certain functions of the Services.

Other examples of your choices include:

The Services may contain links to other third-party websites and services. These websites and services are not subject to this Privacy Policy. They are not controlled by JupiterOne and JupiterOne is not responsible for their content or their privacy policies, which may differ from ours. We have not reviewed and make no representations about the accuracy of information on third-party websites, or about their information handling practices. Visits you make to these websites are at your own risk, and we encourage you to review their privacy policies.

OUR GLOBAL PRACTICES

We may process and store your Personal Information in the United States and in any other country where we or our service providers operate. By your use of the Services you acknowledge that we will maintain your Personal Information in jurisdictions which may have different data protection rules than in your country, and that your Personal Information may become accessible as permitted by law in those jurisdictions, including to law enforcement or national security authorities.

ADDITIONAL INFORMATION FOR RESIDENTS OF CALIFORNIA

This section of the Privacy Policy applies solely to consumers who reside in the State of California and to the Personal Information of a particular California consumer or household (“California Personal Information”). It describes how we collect, use, and share California Personal Information to the extent we act as a “business” under the California Consumer Privacy Act of 2018 (“CCPA”), and the rights that consumers have under the CCPA. California Personal Information does not include, and this section of the Privacy Policy does not apply to:

CALIFORNIA PERSONAL INFORMATION WE COLLECT

We may have collected the following categories of California Personal Information regarding consumers within the last 12 months:

SOURCES OF CALIFORNIA PERSONAL INFORMATION

We may obtain the categories of California Personal Information that we collect as indicated above from the following categories of sources:

USE OF CALIFORNIA PERSONAL INFORMATION

We may use the categories of California Personal Information that we collect, as described above, for one or more of the business purposes and commercial purposes described in the How We Use Personal Information section above.

SHARING CALIFORNIA PERSONAL INFORMATION

We may disclose the categories of California Personal Information that we collect as indicated above to the categories of third parties described in the How We Share Personal Information section above. In the preceding 12 months, we may have disclosed all of the categories of California Personal Information listed above to our service providers and other third parties when you direct us to do so, or when you use our Services to do so.

In the preceding 12 months, we have not sold California Personal Information. We do not sell California Personal Information, and we do not have actual knowledge that we sell the California Personal Information of Consumers under the age of 16.

CALIFORNIA PERSONAL INFORMATION RIGHTS AND CHOICES

The CCPA and other California laws provide consumers with specific rights regarding their California Personal Information. This section describes the rights you may have and explains how to exercise those rights.

EXERCISING ACCESS, DATA PORTABILITY, AND DELETION RIGHTS

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by sending an email to privacy@jupiterone.com, or sending your request by mail as set out in the How to Contact Us section below, with your first name, last name, and email address, and a detailed explanation of your request.

Only you, or an authorized agent registered with the California Secretary of State to whom you provide written permission to act on your behalf, may make a verifiable consumer request related to your California Personal Information. If an authorized agent makes a request on your behalf, prior to responding we may require the authorized agent to present written and signed proof of authorization to act on your behalf, verify your identity, and confirm the authorized agent’s permission to act on your behalf directly. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. Your request must provide information sufficient to permit us to reasonably verify you are the person about whom we collected California Personal Information, or an authorized agent. To verify your request, we may ask you to provide information such as your first and last name, email address, mailing address, telephone number, or any other information necessary to verify your identity representative of that person. Your request also must include sufficient detail for us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with California Personal Information if we cannot verify your identity or authority to make the request and confirm the California Personal Information relates to you.

If you have an online account with us, we may deliver our written response to that online account. If you do not have an online account with us, we will deliver our written response by mail or electronically.

Making a verifiable consumer request does not require you to create an account with us. However, if you have a password-protected account with us we consider requests made through that account sufficiently verified when the request relates to California Personal Information associated with that specific account.

Any disclosures we provide will only cover the 12-month period preceding our receipt of the verifiable request. If we cannot fulfill, or are permitted to decline, your request then we will alert you or your authorized agent. For data portability requests, we will select a format to provide your California Personal Information that is readily usable.

If your request is manifestly unfounded, repetitive, or excessive, including if you have made several repetitive requests, we may charge a reasonable fee to respond. We also may decline to respond, in which case we will notify you.

NON-DISCRIMINATION

Subject to certain exceptions, you have a right to not receive discriminatory treatment for exercising your access, data portability, and deletion rights described above.

HOW TO CONTACT US

If you have any questions or comments about this Privacy Policy, if you need to report a problem, or if you would like to exercise one of your rights under this policy, please contact us using the information below.

Please include your name, contact information, and the nature of your request so that we can respond appropriately and promptly to your communication.

Email: privacy@jupiterone.com
Postal Mail: 1500 Perimeter Park Dr. Ste 310, Morrisville, NC 27560
Attn: Privacy Office

MODIFICATIONS AND UPDATES TO THIS PRIVACY POLICY

We reserve the right to change the terms of this Privacy Policy at any time. Any changes to this Privacy Policy will be reflected on this page with a new “Last Updated” date. We encourage you to review this Privacy Policy regularly for any changes. Your continued use of the Services after we post changes is deemed to be acceptance of those changes.

Effective Date: 2/18/2021
Last Updated: 2/18/2021

GDPR Data Processing Agreement/Addendum (“DPA”)

Data Protection Addendum

This Data Protection Addendum (this “Addendum”) is made and entered into as of the date appearing on the signature page hereto (the “Effective Date”) by and between JupiterOne, Inc. (“Company”) and the Supplier named on the signature page hereto, and upon execution shall be incorporated by reference into each agreement for services (“Services Agreement”) pursuant to which Supplier may Process (as defined below) Personal Data (as defined below) for, from, or on behalf of Company.

A. Personal Data Protection

For the purposes of this Addendum, the terms “Controller”, “Data Subjects”, “Personal Data”,“Processor” and “Process” shall have the meaning as defined in the General Data ProtectionRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016(“GDPR”) or any successor European Union data protection framework; and “Data ProtectionLaws” means the GDPR and any applicable European data protection laws and regulations andany other applicable data protection and privacy laws and regulations.

The parties agree that to the extent Supplier, in the context of performing the agreed services, processes any Personal Data of Company, Supplier shall be the Processor and Company shall be the Controller of such Personal Data. Further details of the Processing activities to be performed by Processor are described on the attached Exhibit 1 (Description of Processing), incorporated herein by reference.

  1. Supplier Obligations. With respect to the Processing of Personal Data, Supplier undertakes the following as Processor:

(a) to process Personal Data only as reasonably necessary for the provision of Services and consistent with the Services Agreement, in accordance with the terms of this Addendum and any other documented and agreed-upon lawful instructions provided by Company, unless (i) Company has given its express prior consent, or (ii) Supplier is required to do so under applicable European Data Protection Law (as defined below); in such a case, Supplier shall to the extent permitted by applicable law inform Company of that legal requirement before Processing.

(b) to ensure that any person who is authorized by Company to Process Personal Data (including its staff, agents, and subcontractors) are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

(c) to engage Sub-processors, including affiliated companies, to Process Personal Data on Supplier’s behalf, including any Sub-processor currently engaged by Supplier. Supplier shall enter into a written agreement with the Sub-Processor which requires the Sub-Processor to protect the Personal Data to the same standard required by this Addendum. Supplier shall take commercially reasonable measures to ensure that Sub-Processors have the requisite capabilities to Process Personal Data in accordance with this Addendum.

Supplier shall remain responsible for its compliance with the obligations in this Addendum and for any acts or omissions of the Sub-processor that cause Company to breach any of its obligations under this Addendum. Supplier will notify Company in the event that it intends to engage different or additional Sub-processors that will Process Personal Data pursuant to this Addendum, which may be done by email or posting on a website identified by Supplier to Company. Company must raise any objection to posted Sub-processors within five (5) calendar days of the posted update. Company’s objection shall only be effective if submitted to Supplier in writing, specifically describing Company’s reasonable belief that Supplier’s proposed use of the Sub-processor(s) will materially, adversely affect Company’s compliance with GDPR. In any such case, the parties will make reasonable efforts to reconcile the matter. In the event Company’s concern cannot be resolved, Supplier may terminate the Services Agreement with no penalty and Company shall immediately pay all fees and costs then owing and incurred by Supplier as a result of termination.

(d) at Company’s written direction and to the extent required by Data Protection Laws, to provide reasonable assistance to Company to facilitate such actions in response to any commercially reasonable request by Company to correct, amend, or delete Personal Data, or block or restrict Processing of Personal Data, taking into account the information available to Supplier. Supplier shall, to the extent legally permitted, promptly notify Company if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person’s Personal Data, or a request to restrict Processing. Supplier shall provide Company with commercially reasonable cooperation and assistance in relation to handling of a data subject’s request, to the extent legally permitted and to the extent Company does not have the ability to address the request independently.

(e) to provide commercially reasonable cooperation to assist Company in its response to any requests from data protection authorities with authority relating to the Processing of Personal Data under the Services Agreement. In the event that any such request is made directly to Supplier, Supplier shall not respond to such communication directly without Company’s prior authorization, unless legally compelled to do so. If Supplier is required to respond to such a request, Supplier shall promptly notify Company and provide it with a copy of the request unless legally prohibited from doing so.

(f) upon Company’s written request, to provide Company with reasonable cooperation and assistance as needed to fulfill Company’s obligation under GDPR to carry out a data protection impact assessment related to Company’s use of the Services, to the extent Company does not otherwise have access to the relevant information, and to the extent such information is available to Supplier. Supplier shall further provide reasonable assistance to Company in the cooperation or prior consultation with the supervisory authority in the performance of its tasks, to the extent required under GDPR.

(g) to notify Company without undue delay after becoming aware of any Data Breach. Supplier shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as Supplier deems necessary and reasonable to remediate the cause of such Data Breach. Supplier shall provide information related to the Data Breach to Company in a timely fashion and as reasonably necessary for Supplier to maintain compliance with Data Protection Laws. As used herein, “Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data Processed by Supplier or a Sub-processor.

(h) to provide written responses (on a confidential basis) to all reasonable requests for information made by Company regarding Processing of Personal Data, including responses to information security reviews that are necessary to confirm Supplier’s compliance with this Addendum. To the extent Supplier’s responses are not sufficient to enable Company to satisfy its obligations under applicable Data Protection Laws, Supplier shall cooperate with audits and inspections performed by Company or a vendor of Company reasonably acceptable to Supplier, provided however, that any audit or inspection: (i) may not be performed unless necessary to determine Supplier’s compliance with this Addendum and Company reasonably believes that Company is not complying with this Addendum, or as otherwise specifically required by applicable Data Protection Laws; (ii) must be conducted at Company’s sole expense and subject to reasonable fees and costs charged by Supplier; (iii) may be conducted on no less than thirty (30) days prior written notice from Company, at a date and time and for a duration mutually agreed by the parties; and (iv) must be performed in a manner that does not cause any damage, injury, or disruption to Supplier’s premises, equipment, personnel, or business. Notwithstanding the foregoing, Supplier will not be required to disclose any proprietary or privileged information to Company or an agent or vendor of Company in connection with any audit or inspection undertaken pursuant to this Addendum.

  1. Law Enforcement Requests. If a law enforcement or other governmental agency sends Supplier a request or other lawful process for Personal Data (for example, a subpoena or court order), Supplier may attempt to redirect the agency to request that data directly from Company. As part of this effort, Supplier may provide Company’s basic contact information to the law enforcement agency. If compelled to disclose Personal Data to a law enforcement agency, then Supplier shall give Company reasonable notice of the demand to allow Company to seek a protective order or other appropriate remedy unless Supplier is legally prohibited from doing so.

  2. Data Security. Each party shall take appropriate technical and organizational measures against unauthorized or unlawful Processing of Personal Data or its accidental loss, destruction, or damage. Supplier shall implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data from Data Breaches, including the security measures described on Exhibit 1 to this Addendum. Company agrees that it is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit, and taking any appropriate steps to securely encrypt or backup Personal Data, as well as the security obligations outlined in the Services Agreement.

  3. Company Obligations. Company agrees that (i) it shall comply with its obligations as a Data Controller under the Data Protection Laws in respect of its Processing of Personal Data and any Processing instructions it issues to Suppliers; and (ii) it has provided all notices, and obtained all consents and rights, necessary under Data Protection Laws for Supplier to Process Personal Data and provide the Services as described in the Services Agreement. Company shall immediately notify Supplier and cease Processing Personal Data in the event any required authorization or legal basis for Processing is revoked or terminates.

Company shall ensure that Company is entitled to transfer the relevant Personal Data to Supplier so that Supplier may lawfully use, process, and transfer the Personal Data in accordance with the Services Agreement on the Company’s behalf. Supplier will not be liable for any claim brought against Supplier arising from any action or omission by Company to the extent that such action or omission resulted directly from Company’s instructions and/or any failure of Company to comply with this Addendum.

  1. International Transfers. Supplier may Process Personal Data anywhere in the world where Supplier or its Sub-processors maintain data Processing operations. Supplier shall at all times provide an adequate level of protection for the Personal Data Processed, in accordance with the requirements of Data Protection Laws. To the extent Supplier’s performance of the Services requires the transfer of Personal Data from within the EEA to a country outside the EEA not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the GDPR), the Standard Contractual Clauses will apply to the transfer and are incorporated by reference herein.

B. Termination. In the event of Supplier’s violation of any obligation under Data Protection Laws or this Addendum, Company, without prejudice to any other rights which it may have, shall be entitled to terminate any Services Agreement forthwith. Any terms of this Addendum that by their nature extend beyond the termination of the Services Agreement, including without limitation this Addendum, Section A(i), shall remain in effect. Upon expiration or termination of the Services Agreement, Supplier shall (at Company’s election) delete or return, if feasible, to Company all Personal Data remaining in its possession or control, save that this requirement shall not apply: (i) to the extent Supplier is required by applicable law to retain some or all of the Personal Data; or (ii) to Personal Data Supplier has archived on back-up systems. In all such cases, Supplier shall maintain the Personal Data securely and limit Processing to the purposes that prevent deletion or return of the Personal Data. The terms of this Addendum shall survive for so long as Supplier continues to retain any Personal Data.

C. Precedence. In the event of a conflict between this Addendum and other provisions of the Services Agreement, this Addendum shall prevail. Any claims brought under or in connection with this Addendum shall be subject to the terms and conditions, including but not limited to the exclusions and limitations of liability, set forth in the Services Agreement.

D. Miscellaneous. Except as may be otherwise provided pursuant to the Standard Contractual Clauses, no one other than a party to this Addendum, its successors and permitted assignees shall have any right to enforce any of its terms. Unless otherwise required by the Standard Contractual Clauses or other data transfer requirements, this Addendum will be subject to the governing law identified in the Services Agreement without giving effect to conflict of laws principles.

[Signature page follows.]

IN WITNESS WHEREOF, the parties hereto have caused this Agreement to be executed as of ________, ___, 20___ by their respective officers thereunto duly authorized.

COMPANY: JupiterOne, Inc.

By: Name: Title:

SUPPLIER: ________________________

By: Name: Title:

Exhibit 1 to Data Protection Addendum

Description of Processing

A. Subject-matter, nature and purpose of the Processing

Supplier provides certain services to Company, including its software platform for asset discovery, configuration management, cybersecurity and compliance, as further specified in the Services Agreement.

In the context of performing the obligations under the Services Agreement, Supplier may Process certain of Company’s Personal Data as necessary for the purposes as specified in the Services Agreement. Such processing may include: hosting the data provided by the Company in its software platform and providing access to the authorized users of the Company for data analysis.

B. Duration of the Processing

The agreed Processing of Personal Data shall commence upon the effective date of the Services Agreement and be carried out for the term of the Services Agreement. The services relating to Processing of Personal Data shall automatically end in case the Services Agreement is effectively terminated or expires, in which case the Personal Data shall be handled in accordance with Section B of the Services Agreement. To the extent the Processing of Personal Data by Supplier is necessary for the winding-up of the Services Agreement, e.g. with respect to returning the Personal Data, the provisions of Section B of the Services Agreement shall continue to apply until the completion of the winding-up.

C. Categories of Data Subjects

The Processing will concern the following categories of Data Subjects:

a. Managers, employees, agents or other contact persons at business partners

D. Types of Personal Data

The Processing will concern the following types of Personal Data:

Managers, employees, agents or other contact persons at business partners: contact details (name, address, phone number and direct line, e-mail address).

The Processing will not include any special categories of data.

The Processing will not include Personal Data relating to criminal convictions and offenses.

E. Technical and Organizational Security

Supplier has implemented and will maintain the following technical and organizational security measures for the Processing of Personal Data:

Supplier’s software-as-a-service platform services are hosted by Amazon Web Services (AWS), with its security program implemented according to AWS’s Shared Security Model. Personal Data through the platform is encrypted at rest using AES cryptographic algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys, and data in transit through the platform is encrypted via 256-bit AES session keys for TLS encryption. Supplier employs 24 x 7 monitoring systems at the application and infrastructure layers to monitor performance, availability, capacity, and security of the cloud-native platform. Supplier’s in-house cybersecurity team manages security, risk-management and compliance services. Additionally, 3rd-party cybersecurity firms may be used to provide specialized services like penetration testing. Supplier maintains compliance with SOC2 Security compliance framework.

Exhibit 2 to Data Processing Addendum

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

The entity identified as “Company” in the Addendum (the “data exporter”)

and

JupiterOne, Inc. 1500 Perimeter Park Drive, Suite 310, Morrisville, NC 27560, United States (the “data importer”)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in the Processing Appendix which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

  1. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, (ii) any accidental or unauthorised access, and (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established.

  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

Data exporter

The data exporter is the entity identified as “Company” in the Addendum, and uses the data importer’s software-as-a-service platform in connection with the management and monitoring of security configuration and events in its IT environments.

Data importer

The data importer is a provider of a software-as-a-service platform and associated professional services used in connection with managing and monitoring of security configuration and events in its customers’ IT environments.

Data subjects

Data subjects are defined in Section A.1(a) of the Addendum.

Categories of data

The categories of Personal Data are defined in Section A.1(a) of the Addendum.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Special categories of data are not required or contemplated under the service.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The nature of the Processing of Personal Data is providing the Services as described in the Services Agreement.

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The data importer shall implement and maintain the technical and organizational security measures described on Exhibit 1 of the Addendum.

NIST Mappings to JupiterOne Policies and Controls

2018.2

Below is a list of NIST SP 800-53 Control Families and their mappings to the JupiterOne policies and controls in place.

| ID | NIST SP 800-53 Control Family | JupiterOne Policies and Controls |
|----|-------------------------------|----------------------------------|
| AC | Access Control | Access |
| AT | Awareness and Training | Roles and Responsibilities |
| AU | Audit and Accountability | Roles and Responsibilities; Compliance Audits |
| CA | Security Assessment and Authorization | Risk Management; Access |
| CM | Configuration Management | Configuration and Change Management |
| CP | Contingency Planning | Business Continuity and Disaster Recovery |
| IA | Identification and Authentication | Access |
| IR | Incident Response | Incident Response; Breach Notification |
| MA | Maintenance | Configuration and Change Management |
| PE | Physical and Environmental Protection | Facility and Physical Security |
| PL | Planning | Security Program Overview; Security Architecture & Operating Model |
| PS | Personnel Security | HR & Personnel Security |
| RA | Risk Assessment | Risk Management |
| SA | System and Services Acquisition | Third Party Security, Vendor Risk Management and Systems/Services Acquisition |
| SC | System and Communications Protection | Data Management; Data Protection; and Threat Detection & Prevention |
| SI | System and Information Integrity | Data Management; Data Protection; Product Security & Secure Software Development; Vulnerability Management; and System Audits, Monitoring & Assessments |
| PM | Program Management | Security Program Overview; Roles and Responsibilities; and Policy Management |

Index of JupiterOne-Defined Review Periods

2020.1

Several policies and procedures define periodic review actions to be taken by one or more JupiterOne staff members. Below is a comprehensive index of these review items, cross-referenced by section.

| ID | Review/Action Item | Review Period | Reviewer(s) |
|----|--------------------|---------------|-------------|
| PROG1 | Full PSP documents | Annually | Cross-functional team |
| ACC1 | All system access | Annually | Security team member |
| ACC2 | Admin/privileged production access | Every 60d | Security team member |
| ACC3 | Temporary and/or inactive accounts | Every 60d | Security team member |
| ACC4 | Employees with access to customer data | Every 30d | Director of Engineering |
| RAR1 | Employee training requirements met | Every 30d | Security Officer |
| RISK1 | Conduct risk assessment | Annually | Security Team |
| RISK2 | Quarterly risk-mgmt compliance review | Every 90d | Security Team |
| RISK3 | Financial and account auditing | Annually | KSM Business Services |
| RISK4 | Executive review of plan and revenue | Every 30d | Executive Team |
| AUDT1 | External audit of security controls | Annually | External audit/assessor |
| AUDT2 | Review of non J1-monitored systems | Every 90d | Security Team |
| AUDT3 | Review of exceptional net connections | Annually | Security Team |
| AUDT4 | Review of specific-cause audit data, if any | Every 30d | Designated staff member(s) |
| HR1 | Ensure new-hire training and AUP complete | Every 30d | HR Manager |
| FAC1 | Audit of physical access records | Annually | Security Team |
| FAC2 | Audit of special physical access records | Every 90d | Security Team |
| SDLC1 | Security code review of JupiterOne Platform | Every 90d | Security Team |
| SDLC2 | External pentest of the JupiterOne Platform | Annually | Security Team or Other |
| CCM1 | Manual review/inspection of PRODCM artifacts | Every 90d | Security Team |
| VULN1 | Product systems vulnerability scan | Every 90d | Security Team |
| VULN2 | Internal penetration testing | Every 90d | Security Team |
| VULN3 | Assess validity of documented Exceptions | Every 180d | Security Team |
| BCDR1 | Validate/test the BCDR plan | Annually | Director of Engineering |
| BCDR2 | Test system status notification process | Every 90d | Director of Engineering and Security Team |
| IR1 | Test Incident Response plan | Annually | Security and Development Teams |
| VEND1 | Review list of approved vendors/partners | Annually | Security Officer |
| VEND2 | Review all vendor contracts, if any | Annually | Security Officer |
| VEND3 | Review vendor service provider SLAs vs uptime | Every 90d | Director of Engineering or delegate |

}, { “type”: “library”, “bom-ref”: “pkg:npm/ts-node@9.1.1”, “name”: “ts-node”, “version”: “9.1.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/ts-node@9.1.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/cross-fetch@3.0.4”, “name”: “cross-fetch”, “version”: “3.0.4”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/cross-fetch@3.0.4”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/apollo-link-http@1.5.14”, “name”: “apollo-link-http”, “version”: “1.5.14”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/apollo-link-http@1.5.14”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/configstore@3.1.2”, “name”: “configstore”, “version”: “3.1.2”, “description”: “”, “licenses”: [ { “license”: { “id”: “BSD-2-Clause” } } ], “purl”: “pkg:npm/configstore@3.1.2”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@lifeomic/platform-headers@1.3.2”, “name”: “@lifeomic/platform-headers”, “version”: “1.3.2”, “description”: “”, “licenses”: [ { “license”: { “id”: “UNLICENSED” } } ], “purl”: “pkg:npm/@lifeomic/platform-headers@1.3.2”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/commander@2.19.0”, “name”: “commander”, “version”: “2.19.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/commander@2.19.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/js-yaml@4.0.0”, “name”: “js-yaml”, “version”: “4.0.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/js-yaml@4.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/walk-object@4.0.0”, “name”: “walk-object”, “version”: “4.0.0”, “description”: “”, “licenses”: [ { 
“license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/walk-object@4.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/request@2.88.0”, “name”: “request”, “version”: “2.88.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “Apache-2.0” } } ], “purl”: “pkg:npm/request@2.88.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/luxon@1.24.1”, “name”: “luxon”, “version”: “1.24.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/luxon@1.24.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/request-promise-native@1.0.7”, “name”: “request-promise-native”, “version”: “1.0.7”, “description”: “”, “licenses”: [ { “license”: { “id”: “ISC” } } ], “purl”: “pkg:npm/request-promise-native@1.0.7”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/bottleneck@2.19.5”, “name”: “bottleneck”, “version”: “2.19.5”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/bottleneck@2.19.5”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/aws-lambda-fastify@1.4.4”, “name”: “aws-lambda-fastify”, “version”: “1.4.4”, “description”: “”, “licenses”: [ { “license”: { “id”: “unset” } } ], “purl”: “pkg:npm/aws-lambda-fastify@1.4.4”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@apollo/federation@0.19.1”, “name”: “@apollo/federation”, “version”: “0.19.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/@apollo/federation@0.19.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/minimist@1.2.5”, “name”: “minimist”, “version”: “1.2.5”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/minimist@1.2.5”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, 
“bom-ref”: “pkg:npm/tri@1.0.2”, “name”: “tri”, “version”: “1.0.2”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/tri@1.0.2”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/require-self-ref@2.0.1”, “name”: “require-self-ref”, “version”: “2.0.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/require-self-ref@2.0.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/terraform-plan-parser@1.6.0”, “name”: “terraform-plan-parser”, “version”: “1.6.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/terraform-plan-parser@1.6.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@lifeomic/alpha-cli@0.2.0”, “name”: “@lifeomic/alpha-cli”, “version”: “0.2.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/@lifeomic/alpha-cli@0.2.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/ejs@2.7.4”, “name”: “ejs”, “version”: “2.7.4”, “description”: “”, “licenses”: [ { “license”: { “id”: “Apache-2.0” } } ], “purl”: “pkg:npm/ejs@2.7.4”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/semver@7.3.2”, “name”: “semver”, “version”: “7.3.2”, “description”: “”, “licenses”: [ { “license”: { “id”: “ISC” } } ], “purl”: “pkg:npm/semver@7.3.2”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/yargs@16.2.0”, “name”: “yargs”, “version”: “16.2.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/yargs@16.2.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/ora@5.4.0”, “name”: “ora”, “version”: “5.4.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/ora@5.4.0”, “externalReferences”: [], “scope”: 
“required” }, { “type”: “library”, “bom-ref”: “pkg:npm/inquirer-command-prompt@0.0.8”, “name”: “inquirer-command-prompt”, “version”: “0.0.8”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/inquirer-command-prompt@0.0.8”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/walker@1.0.7”, “name”: “walker”, “version”: “1.0.7”, “description”: “”, “licenses”: [ { “license”: { “id”: “Apache-2.0” } } ], “purl”: “pkg:npm/walker@1.0.7”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/ignore@5.1.4”, “name”: “ignore”, “version”: “5.1.4”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/ignore@5.1.4”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/inquirer@7.3.3”, “name”: “inquirer”, “version”: “7.3.3”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/inquirer@7.3.3”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/runtypes@5.1.0”, “name”: “runtypes”, “version”: “5.1.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/runtypes@5.1.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/async-retry@1.3.1”, “name”: “async-retry”, “version”: “1.3.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/async-retry@1.3.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/string-format@2.0.0”, “name”: “string-format”, “version”: “2.0.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “WTFPL OR MIT” } } ], “purl”: “pkg:npm/string-format@2.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/dynamoose@0.8.7”, “name”: “dynamoose”, “version”: “0.8.7”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: 
“pkg:npm/dynamoose@0.8.7”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/moment@2.24.0”, “name”: “moment”, “version”: “2.24.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/moment@2.24.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/object-hash@2.1.1”, “name”: “object-hash”, “version”: “2.1.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/object-hash@2.1.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lodash.chunk@4.2.0”, “name”: “lodash.chunk”, “version”: “4.2.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/lodash.chunk@4.2.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/dtrace-provider@0.8.8”, “name”: “dtrace-provider”, “version”: “0.8.8”, “description”: “”, “licenses”: [ { “license”: { “id”: “BSD-2-Clause” } } ], “purl”: “pkg:npm/dtrace-provider@0.8.8”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/deep-diff@1.0.2”, “name”: “deep-diff”, “version”: “1.0.2”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/deep-diff@1.0.2”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/bunyan-format@0.2.1”, “name”: “bunyan-format”, “version”: “0.2.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/bunyan-format@0.2.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lodash.omit@4.5.0”, “name”: “lodash.omit”, “version”: “4.5.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/lodash.omit@4.5.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/json-2-csv@3.7.6”, “name”: “json-2-csv”, “version”: “3.7.6”, 
“description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/json-2-csv@3.7.6”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lodash.clonedeep@4.5.0”, “name”: “lodash.clonedeep”, “version”: “4.5.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/lodash.clonedeep@4.5.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/mustache@4.0.1”, “name”: “mustache”, “version”: “4.0.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/mustache@4.0.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/apollo-link-schema@1.1.6”, “name”: “apollo-link-schema”, “version”: “1.1.6”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/apollo-link-schema@1.1.6”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/graphql-tag@2.10.0”, “name”: “graphql-tag”, “version”: “2.10.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/graphql-tag@2.10.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/graphql-custom-types@1.5.0”, “name”: “graphql-custom-types”, “version”: “1.5.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/graphql-custom-types@1.5.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/mkdirp@0.5.5”, “name”: “mkdirp”, “version”: “0.5.5”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/mkdirp@0.5.5”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/tmp@0.0.31”, “name”: “tmp”, “version”: “0.0.31”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/tmp@0.0.31”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, 
“bom-ref”: “pkg:npm/findit@2.0.0”, “name”: “findit”, “version”: “2.0.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/findit@2.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lodash.camelcase@4.3.0”, “name”: “lodash.camelcase”, “version”: “4.3.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/lodash.camelcase@4.3.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/apollo-cache-inmemory@1.6.6”, “name”: “apollo-cache-inmemory”, “version”: “1.6.6”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/apollo-cache-inmemory@1.6.6”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/apollo-client@2.6.10”, “name”: “apollo-client”, “version”: “2.6.10”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/apollo-client@2.6.10”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lodash.pickby@4.6.0”, “name”: “lodash.pickby”, “version”: “4.6.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/lodash.pickby@4.6.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@hapi/joi@15.1.1”, “name”: “@hapi/joi”, “version”: “15.1.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “BSD-3-Clause” } } ], “purl”: “pkg:npm/@hapi/joi@15.1.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lodash.omitby@4.6.0”, “name”: “lodash.omitby”, “version”: “4.6.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/lodash.omitby@4.6.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lodash.isundefined@3.0.1”, “name”: “lodash.isundefined”, “version”: “3.0.1”, “description”: “”, “licenses”: [ { “license”: 
{ “id”: “MIT” } } ], “purl”: “pkg:npm/lodash.isundefined@3.0.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lodash.identity@3.0.0”, “name”: “lodash.identity”, “version”: “3.0.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/lodash.identity@3.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lru-cache@5.1.1”, “name”: “lru-cache”, “version”: “5.1.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “ISC” } } ], “purl”: “pkg:npm/lru-cache@5.1.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@graphql-tools/utils@6.0.10”, “name”: “@graphql-tools/utils”, “version”: “6.0.10”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/@graphql-tools/utils@6.0.10”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/mime-types@2.1.18”, “name”: “mime-types”, “version”: “2.1.18”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/mime-types@2.1.18”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/p-iteration@1.1.7”, “name”: “p-iteration”, “version”: “1.1.7”, “description”: “”, “licenses”: [ { “license”: { “id”: “ISC” } } ], “purl”: “pkg:npm/p-iteration@1.1.7”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/globby@10.0.2”, “name”: “globby”, “version”: “10.0.2”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/globby@10.0.2”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/serverless-http@2.3.1”, “name”: “serverless-http”, “version”: “2.3.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/serverless-http@2.3.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: 
“pkg:npm/p-throttle@2.1.1”, “name”: “p-throttle”, “version”: “2.1.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/p-throttle@2.1.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/promise-retry@1.1.1”, “name”: “promise-retry”, “version”: “1.1.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/promise-retry@1.1.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/parse-data-url@2.0.0”, “name”: “parse-data-url”, “version”: “2.0.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/parse-data-url@2.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/file-type@12.4.2”, “name”: “file-type”, “version”: “12.4.2”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/file-type@12.4.2”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/form-data@2.3.3”, “name”: “form-data”, “version”: “2.3.3”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/form-data@2.3.3”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/raw-body@2.4.1”, “name”: “raw-body”, “version”: “2.4.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/raw-body@2.4.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/child-process-promise@2.2.1”, “name”: “child-process-promise”, “version”: “2.2.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/child-process-promise@2.2.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@lifeomic/jupiter-policy-builder@0.5.23”, “name”: “@lifeomic/jupiter-policy-builder”, “version”: “0.5.23”, “description”: “”, “licenses”: [ { “license”: { “id”: 
“UNLICENSED” } } ], “purl”: “pkg:npm/@lifeomic/jupiter-policy-builder@0.5.23”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/glob@6.0.4”, “name”: “glob”, “version”: “6.0.4”, “description”: “”, “licenses”: [ { “license”: { “id”: “ISC” } } ], “purl”: “pkg:npm/glob@6.0.4”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/promisify@0.0.3”, “name”: “promisify”, “version”: “0.0.3”, “description”: “”, “licenses”: [ { “license”: { “id”: “unset” } } ], “purl”: “pkg:npm/promisify@0.0.3”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@lifeomic/koa@6.10.0”, “name”: “@lifeomic/koa”, “version”: “6.10.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “UNLICENSED” } } ], “purl”: “pkg:npm/@lifeomic/koa@6.10.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/he@1.2.0”, “name”: “he”, “version”: “1.2.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/he@1.2.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/ava@0.25.0”, “name”: “ava”, “version”: “0.25.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/ava@0.25.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/docker-file-parser@1.0.5”, “name”: “docker-file-parser”, “version”: “1.0.5”, “description”: “”, “licenses”: [ { “license”: { “id”: “MPL” } } ], “purl”: “pkg:npm/docker-file-parser@1.0.5”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@lifeomic/kms-crypt@0.2.0”, “name”: “@lifeomic/kms-crypt”, “version”: “0.2.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/@lifeomic/kms-crypt@0.2.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lodash.pick@4.4.0”, “name”: “lodash.pick”, 
“version”: “4.4.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/lodash.pick@4.4.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/apollo-server-env@2.4.5”, “name”: “apollo-server-env”, “version”: “2.4.5”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/apollo-server-env@2.4.5”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/fashion-model@6.1.0”, “name”: “fashion-model”, “version”: “6.1.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “unset” } } ], “purl”: “pkg:npm/fashion-model@6.1.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/concat-stream@2.0.0”, “name”: “concat-stream”, “version”: “2.0.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/concat-stream@2.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/msgpack-lite@0.1.26”, “name”: “msgpack-lite”, “version”: “0.1.26”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/msgpack-lite@0.1.26”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/json-diff@0.5.4”, “name”: “json-diff”, “version”: “0.5.4”, “description”: “”, “licenses”: [ { “license”: { “id”: “unset” } } ], “purl”: “pkg:npm/json-diff@0.5.4”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/inflation@2.0.0”, “name”: “inflation”, “version”: “2.0.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/inflation@2.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/netmask@2.0.2”, “name”: “netmask”, “version”: “2.0.2”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/netmask@2.0.2”, “externalReferences”: [], “scope”: “required” }, { “type”: 
“library”, “bom-ref”: “pkg:npm/koa-compress@5.0.1”, “name”: “koa-compress”, “version”: “5.0.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/koa-compress@5.0.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/node-cache@5.1.2”, “name”: “node-cache”, “version”: “5.1.2”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/node-cache@5.1.2”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/md5@2.3.0”, “name”: “md5”, “version”: “2.3.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “BSD-3-Clause” } } ], “purl”: “pkg:npm/md5@2.3.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/apollo-graphql@0.6.0”, “name”: “apollo-graphql”, “version”: “0.6.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/apollo-graphql@0.6.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@types/koa-compose@3.2.5”, “name”: “@types/koa-compose”, “version”: “3.2.5”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/@types/koa-compose@3.2.5”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/csvtojson@2.0.10”, “name”: “csvtojson”, “version”: “2.0.10”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/csvtojson@2.0.10”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@types/md5@2.2.1”, “name”: “@types/md5”, “version”: “2.2.1”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/@types/md5@2.2.1”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/lodash.times@4.3.2”, “name”: “lodash.times”, “version”: “4.3.2”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: 
“pkg:npm/lodash.times@4.3.2”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@types/json-schema@7.0.5”, “name”: “@types/json-schema”, “version”: “7.0.5”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/@types/json-schema@7.0.5”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/slack-webhook@1.0.0”, “name”: “slack-webhook”, “version”: “1.0.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/slack-webhook@1.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/array-to-sentence@1.1.0”, “name”: “array-to-sentence”, “version”: “1.1.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/array-to-sentence@1.1.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/jira-client@6.16.0”, “name”: “jira-client”, “version”: “6.16.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/jira-client@6.16.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@lifeomic/okta-support-role-bot@1.2.7”, “name”: “@lifeomic/okta-support-role-bot”, “version”: “1.2.7”, “description”: “”, “licenses”: [ { “license”: { “id”: “UNLICENSED” } } ], “purl”: “pkg:npm/@lifeomic/okta-support-role-bot@1.2.7”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/promise-map-series@0.2.3”, “name”: “promise-map-series”, “version”: “0.2.3”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/promise-map-series@0.2.3”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@lifeomic/dynamodb-dao@2.0.0”, “name”: “@lifeomic/dynamodb-dao”, “version”: “2.0.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “UNLICENSED” } } ], “purl”: 
“pkg:npm/@lifeomic/dynamodb-dao@2.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/argparse@1.0.10”, “name”: “argparse”, “version”: “1.0.10”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/argparse@1.0.10”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/p-timeout@3.2.0”, “name”: “p-timeout”, “version”: “3.2.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/p-timeout@3.2.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@types/lodash@4.14.165”, “name”: “@types/lodash”, “version”: “4.14.165”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/@types/lodash@4.14.165”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/@puresec/function-shield@2.0.16”, “name”: “@puresec/function-shield”, “version”: “2.0.16”, “description”: “”, “licenses”: [ { “license”: { “id”: “CC-BY-ND-4.0” } } ], “purl”: “pkg:npm/@puresec/function-shield@2.0.16”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/ini@2.0.0”, “name”: “ini”, “version”: “2.0.0”, “description”: “”, “licenses”: [ { “license”: { “id”: “ISC” } } ], “purl”: “pkg:npm/ini@2.0.0”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/graphql-add-middleware@0.3.7”, “name”: “graphql-add-middleware”, “version”: “0.3.7”, “description”: “”, “licenses”: [ { “license”: { “id”: “MIT” } } ], “purl”: “pkg:npm/graphql-add-middleware@0.3.7”, “externalReferences”: [], “scope”: “required” }, { “type”: “library”, “bom-ref”: “pkg:npm/combine-errors@3.0.3”, “name”: “combine-errors”, “version”: “3.0.3”, “description”: “”, “licenses”: [ { “license”: { “id”: “unset” } } ], “purl”: “pkg:npm/combine-errors@3.0.3”, “externalReferences”: [], “scope”: “required” } ] }

JupiterOne uses certain sub-processors to assist in providing JupiterOne’s services. A sub-processor is a third-party data processor engaged by JupiterOne who agrees to receive customer data from JupiterOne intended for processing activities to be carried out:

(i) on behalf of JupiterOne customers;

(ii) in accordance with customer instructions as communicated by JupiterOne; and

(iii) in accordance with the terms of a written contract between JupiterOne and the sub-processor.

JupiterOne maintains an up-to-date list of the names and locations of all sub-processors. This list is below, or you can obtain a copy by contacting privacy@jupiterone.com.

Application, Data, and Hosting Infrastructure Subprocessors

| Sub-Processor | Purpose | Data Types | HQ Address | Location of Servers | URL |
| --- | --- | --- | --- | --- | --- |
| Amazon Web Services | JupiterOne application and data hosting | All data imported or uploaded into the JupiterOne platform | 10 Terry Avenue North, Seattle, WA 98109-5210 | USA | https://aws.amazon.com/ |
| ChurnZero | Analytics tool to improve user experience | Data of logged-in users including name, email address, title, browsing activity and any email and/or chat conversation | 740 15th St NW FL 8, Washington, DC 20005 | USA | https://churnzero.net/ |
| Pendo | Analytics tool to understand page specific events | Time spent on page, items clicked, user email address | 150 Fayetteville St., Raleigh, NC 27601 | USA | https://www.pendo.io/ |
| Sentry | Debugging and application error tracking, monitoring, and reporting | Detailed error information including account name, account ID, account access policy, and environment specific data such as browser version and O/S | 132 Hawthorne St, San Francisco, CA 94107 | USA | https://www.sentry.io/ |