Privacy & Security

SECURITY SUMMARY

We use highly robust security configurations – the same used by entities protecting some of the most sensitive
and valuable information such as banks and other fiscal software services. Any and all connections with Estate
Map are forced to take place over SSL (an encrypted method of communication between a browser and a server). The
system uses strict routes (software components that interpret browser requests made by the user), each of which
uses filters to scrub data and enforce limited input types to prevent invalid input. As for storing information,
Estate Map™ uses some of the highest-grade encryption techniques available. One in particular (XTS), uses a
combination of three different types of encryption with subsequent different unlocking keys – a technique
approved by both the NIST and the IEEE (organizations that make recommendations on security). All user
information is stored on a remote server which has no direct internet access – only Estate Map™’s primary servers
know how and where to access it. Estate Map™’s password system is also highly secure and unique, using both
hashing and a salted bcrypt algorithm, but with a salt that is changed each time a user logs in. When proxies
are assigned, they use a complex key relay to release data from the Network Attached Storage (NAS) system. This
relay is enforced deep within the system, so even if one piece of information were breached, other user
information cannot be accessed. Finally, each user has a level of control over the security; first with the
system’s requirement of a complex password, second, through the use of a security image technique that helps the
user know that he or she has reached the proper site, and third, by requiring the user to verify each new proxy
before that person is granted access to user information.

PRIVACY SUMMARY

Your privacy is not for sale. Simply put, we do not and will not sell or rent User Personal Information to
anyone, for any reason, at any time. We use and disclose Personal Information only as follows:

  • in providing the Services;
  • to anonymously analyze site usage and improve the Services;
  • to deliver any administrative notices, alerts and communications relevant to use of the Services;
  • to respond to or fulfill User requests;
  • for internal research, project planning, troubleshooting problems, detecting and protecting against
    error, fraud or other criminal activity;
  • to third-party contractors that provide services to Provider and are bound by these same privacy
    restrictions;
  • to enforce the Terms; and
  • as otherwise set forth in this Privacy & Security Policy.

In addition, overall usage practices and behaviors of Users may be collected in aggregate for reporting purposes
but will never include identifiable Personal Information in the process.

PRIVACY AND SECURITY POLICY

We are committed to maintaining the confidentiality, integrity and security of every piece of personal
information and materials input and stored (“Personal Information”) by and concerning each and every subscriber
(“User”) in the course of utilizing these services (“Services”). This Privacy & Security Policy explains how
we protect and may use that Personal Information.

Your Estate Map™ account subscription is managed by the estate attorney or professional services provider with
whom you have contracted to receive estate planning services (“Professional”). This Professional has engaged
EstateMap, LLC, a Minnesota limited liability company (“Provider” or “We” or “Us”), to provide you,
the User, with these Services. In receiving the benefits of such Services, User signifies his or her agreement
to (1) this Privacy & Security Policy, as well as (2) the Terms of Use, linked on the User login page and
incorporated herein by reference (“Terms”) and further clarifying the relationship between User and Provider. If
you do not agree to the Terms or the Privacy & Security Policy in their entirety, please do not use the
Services.

1. USE OF PERSONAL INFORMATION FOR SUPPORT AND MAINTENANCE

Certain areas and features of the Services may require the provision of Personal Information directly from you
which may include basic registration information or the provision of certain account credentials (“Account
Credentials”) in order to allow Provider to access your account data. In order to support the full functionality
of the Services, more detailed pieces of Personal Information may be accessed by Provider for purposes strictly
related to providing User support and in support of User functionality, but to the extent reasonably possible,
will be avoided.

For broader support and maintenance purposes, access to Personal Information, Account Credentials, and any
User-generated content may be accessed in extremely limited and controlled capacities. Such access is strictly
restricted and undertaken only in accordance with specific internal procedures and safeguard governing such
access, in order to operate, develop or improve the Services. The individuals provided with such access have
been selected in accordance with security policies and practices and are bound by confidentiality obligations.
They may be subject to discipline, including termination and criminal prosecution, if they fail to meet these
obligations. Provider may also use third party vendors or service providers to help provide the Services, such
as sending e-mail messages or hosting and operating a particular feature or functionality of the Services. Our
contracts with these third parties outline the appropriate use and handling of your information and prohibit
them from using any of your Personal Information for purposes unrelated to the product or service they’re
providing. We require such third parties to maintain the confidentiality of the information we provide to
them.

2. CHANGES TO YOUR REGISTRATION INFORMATION

If your registration information changes during the course of your subscription, you may be required to provide
certain Account Credentials to support such changes.

3. SESSION INFORMATION MAY BE USED TO IMPROVE USER EXPERIENCE

When you visit your account, we may collect technical and navigational information, such as computer browser
type, Internet protocol address, pages visited, and average time spent on our website. This information may be
used, for example, to alert you to software compatibility issues, or it may be analyzed to improve our Web
design and functionality.

We may collect cookies from User in order to assist User’s experience, by not requiring User to enter information
more than once, to help User quickly find software, services or information; and to help User find relevant
content. “Cookies” are alphanumeric identifiers in the form of text files that are inserted and stored by your
Web browser on your computer’s hard drive. Provider may set and access cookies on your computer to track and
store preferential information about you. Provider may gather information about you through cookie technology.
For example, Provider may assign a cookie to you, to limit the amount of times you are required to enter Account
Credentials. Please note that most Internet browsers will allow you to stop cookies from being stored on your
computer and to delete cookies stored on your computer. If you choose to eliminate cookies, the full
functionality of the Services may be impaired for you.

We encode our cookies so that only we can interpret the information stored in them. Web beacons are images
embedded in a Web page or email for the purpose of measuring and analyzing site usage and activity. Provider, or
third party service providers acting on our behalf, may use Web beacons to help us analyze website usage and
improve the Services. We may use third party service providers to help us analyze certain online
activities. For example, these service providers may help us analyze visitor activity on the website. We may
permit these service providers to use cookies and other technologies to perform these services for Provider. We
do not share any Personal Information with these third party service providers, and these service providers do
not collect such information on our behalf. Our third party service providers are required to comply fully with
this Privacy & Security Policy.

4. DISCLOSURE OF PERSONAL INFORMATION TO PROTECT OUR RIGHTS OR IF REQUIRED BY
LAW

Notwithstanding the foregoing, Provider reserves the right (and you authorize Provider) to share or disclose your
Personal Information when Provider determines, in its sole discretion, that the disclosure of such information
is necessary or appropriate:

  • To enforce our rights against you or in connection with a breach by you of this Privacy & Security
    Policy or the Terms;
  • To prevent prohibited or illegal activities; or
  • When required by any applicable law, rule, regulation, subpoena or other legal process.

5. DATA MAY BE TRANSFERRED UPON CHANGE OF CONTROL IN ACCORDANCE WITH THIS
POLICY

Personal Information may be transferred to a third party as a result of a sale, acquisition, merger,
reorganization or other change of control. If we sell, merge or transfer any part of our business, part of the
sale may include your Personal Information. If so, strict control protections will be mandated to protect your
Personal Information consistent with this Privacy & Security Policy.

6. YOU CAN TRANSPORT OR DELETE YOUR PERSONAL INFORMATION

Your Personal Information is yours. You can remove it anytime you want and, as part of the Services, may have the
ability to download, share or transfer it. When you request deletion of your account, we will also promptly
disconnect any connection we had established to your Personal Information and delete all Account Credentials.
However, portions of your data, consisting of aggregate data derived from your account, may remain on our
production servers indefinitely. Your data may also remain on a backup server or media. Provider keeps these
backups to ensure our continued ability to provide the Services to you in the event of malfunction or damage to
our primary production servers. We also reserve the right to use any aggregated or anonymous data derived from
or incorporating your Personal Information.

7. EMAIL COMMUNICATIONS FROM PROFESSIONALS OR PROVIDER

Users may be provided with email communications and alerts regarding their account. Also, as part of the
provision of Services, Professionals are allowed to communicate with their corresponding Users and such User’s
Proxy or Proxies. Users and Proxies have the ability to opt-out of receiving such email communication but such
termination may impair the full functionality of the Services.

8.  YOUR PERSONAL INFORMATION IS SECURE

We use a combination of firewall barriers, encryption techniques and authentication procedures, among others, to
maintain the security of your online session and to protect User accounts and systems from unauthorized access.
When you subscribe to the Services, Provider requires a login name and password from you for your privacy and
security. Provider transmits information such as your Registration Information for the Services or Account
Credentials securely.

Our servers are in a secure facility. Access requires multiple levels of authentication. Security personnel
monitor the system 7 days a week, 24 hours a day. Our databases are protected from general employee access
both physically and logically. We encrypt your Services password and enforce authentication procedures so that
your password cannot be recovered by anyone but you. All backup drives and tapes also are encrypted. We
enforce physical access controls to our buildings. No employee may put any sensitive content on any
insecure machine (i.e., nothing can be taken from the database and put on an insecure laptop).

However, it is important to understand that these precautions apply only to the Services and our systems. We
exercise no control over how Personal Information or Account Credentials are stored, maintained or displayed by
third parties or on third-party sites.

9.  YOUR RESPONSIBILITIES

Your participation is important to our security efforts. While Provider uses a high degree of security in
protecting the Personal Information stored on its servers, we shall not be responsible for the unauthorized
access thereto undertaken through the use of a User’s legitimate username and password. User is responsible for
protecting the confidentiality of User’s password(s) and for the strength thereto. We maintain strict rules to
help prevent others from guessing your password. We also recommend that you change your password periodically.
Your password must be 8-16 characters in length. You are responsible for maintaining the security of your Login
ID and Password. Do not provide these credentials to any third party. If you believe that they have been stolen
or been made known to others, you must contact us immediately at security@estatemap.com, but in any event you
should change your password immediately via the Services. We are not responsible if someone else accesses your
account through information they obtained from you or through a violation by you of this Privacy & Security
Policy or the Terms.

How can I protect my Personal Information?

  • Don’t share your login or password with anyone.
  • Make sure that your password is complex, including both numbers and capital letters.
  • Be certain that you have virus protection and a firewall on any computer you use to access your profile.
  • Don’t install programs from people or companies you don’t know.
  • Learn to prevent identity theft and identify phishing attempts.
  • Keep your computer and browser software current with security updates.
  • Install and update anti-virus and anti-spyware software and use personal firewalls to protect your
    computer.
  • Be alert to the threats posed by malware–(malicious software) which can damage or disrupt your system, or
    secretly record information such as keystrokes.
  • Do not enable automatic login to your account profile or pre-fill the Login ID or password fields.
  • Change your password periodically and avoid using passwords that you commonly use for other purposes.
  • Always log off after completing your activities on your profile.
  • Be careful about using third-party computers or computers that you are not familiar with such as those in
    Internet cafés and be careful to ensure you have fully logged out.
  • Do not provide personal or financial information in response to an email request or by clicking on a link,
    unless you are able to verify the authenticity of the site to which you are taken through the SSL padlock or
    other means.
  • Do not open an email if you do not recognize the sender and be particularly cautious of any attachments to
    emails from unrecognized sources.
  • If you suspect you have received a fraudulent email from your Professional or from Provider, please contact:
    security@estatemap.com.

How can I protect myself from phishing attacks?

Phishing is the illegal attempt to mislead consumers into providing personal or financial information, including
account numbers, passwords and Social Security numbers, via email or through fraudulent Web sites.

The most frequent phishing attacks occur through emails disguised to appear as though they came from a reputable
financial institution or company. Most phishing attempts urge you to update or validate your account
information, typically through a link in an email directing you to a fake Web site that appears to be
legitimate. A phishing attack can be detected. While there are many phishing attacks active on the
Internet, there are some typical characteristics:

  • An email contains an “urgent” tone requesting your immediate action on an account-related matter.
  • An email is sent from a user falsely claiming to be a legitimate company with an attachment. An unsolicited
    email attachment more than likely contains a virus. Do not open it.
  • A pop-up window appears from a user falsely claiming to be a legitimate company’s Web site asking for
    personal information.
  • Additional information can be found at www.antiphishing.org or www.consumer.gov/idtheft

We update this Privacy & Security Policy periodically. The date last revised appears at the top of the
Policy. Changes take effect immediately upon posting. It is the Users responsibility to check for updates.