DoiT SOC 3 Report


System and Organization Controls Report Relevant to Security, Availability and Confidentiality (SOC 3)

September 1, 2022 – August 31, 2023

Independent Service Auditor’s Report
DoiT International Ltd.

Scope

We have examined DoiT International Ltd.’s (“DoiT”) accompanying assertion titled “Management of DoiT’s
Assertion” (assertion) that the controls related to DoiT International Ltd.’s Cloud Management platform were
effective throughout the period September 1, 2022 to August 31, 2023 (the “Description”), to provide
reasonable assurance that DoiT’s service commitments and system requirements were achieved based on the
trust services criteria relevant to Security, Availability, and Confidentiality set forth in TSP section 100, 2017
Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
(“applicable trust services criteria”).

The description of the boundaries of the system indicates that certain applicable trust services criteria specified
in the description of the boundaries of the system can be met only if complementary user entity controls
contemplated in the design of DoiT’s controls are suitably designed and operating effectively, along with related
controls at DoiT. We have not evaluated the suitability of the design or operating effectiveness of such
complementary user entity controls.

DoiT uses Google Cloud Platform, GCP (“subservice organization”) for its Cloud computing services. The
description of the boundaries of the system indicates that certain applicable trust services criteria can be met
only if certain types of controls that management expects to be implemented at the subservice organization are
suitably designed and operating effectively. The description of the boundaries of the system presents the types
of controls that the service organization expects to be implemented, suitably designed, and operating effectively
at the subservice organizations to meet certain applicable trust services criteria. The description of the
boundaries of the system does not disclose the actual controls at the subservice organizations. Our examination
did not extend to the services provided by the subservice organizations, and we have not evaluated whether the
controls management expects to be implemented at the subservice organizations have been implemented or
whether such controls were suitably designed and operating effectively throughout the period September 1,
2022 to August 31, 2023.

Service Organization's Responsibilities

DoiT International Ltd. is responsible for its service commitments and system requirements and for designing,
implementing, and operating effective controls within the system to provide reasonable assurance that DoiT
International Ltd.’s service commitments and system requirements were achieved. DoiT has also provided the
accompanying assertion about the effectiveness of controls within the system. When preparing its assertion,
DoiT is responsible for selecting, and identifying in its assertion, the applicable trust service criteria and for
having a reasonable basis for its assertion by performing an assessment of the effectiveness of the controls
within the system.

Service Auditor’s Responsibilities
Our responsibility is to express an opinion, based on our examination, on whether management’s
assertion that controls within the system were effective throughout the period to provide reasonable
assurance that the service organization’s service commitments and system requirements were achieved
based on the applicable trust services criteria. Our examination was conducted in accordance with
attestation standards established by the American Institute of Certified Public Accountants. Those
standards require that we plan and perform our examination to obtain reasonable assurance about
whether management’s assertion is fairly stated, in all material respects. We believe that the evidence
we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Our examination included:

• Obtaining an understanding of the system and the service organization’s service commitments
and system requirements
• Assessing the risks that controls were not effective to achieve DoiT’s service
commitments and system requirements based on the applicable trust services criteria
• Performing procedures to obtain evidence about whether controls within the system were
effective to achieve DoiT’s service commitments and system requirements based on the
applicable trust services criteria

Our examination also included performing such other procedures as we considered necessary in the
circumstances.

Inherent Limitations

There are inherent limitations in the effectiveness of any system of internal control, including the possibility of
human error and the circumvention of controls.

Because of their nature, controls may not always operate effectively to provide reasonable assurance that the
service organization’s service commitments and system requirements were achieved based on the applicable
trust services criteria. Also, the projection to the future of any conclusions about the effectiveness of controls is
subject to the risk that controls may become inadequate because of changes in conditions or that the degree of
compliance with the policies or procedures may deteriorate.

Opinion

In our opinion, management’s assertion that the controls over the information systems and technology
supporting DoiT’s Cloud Management platform were effective throughout the period September 1, 2022 to
August 31, 2023, to provide reasonable assurance that DoiT International Ltd.’s service commitments and
system requirements were achieved based on the applicable trust services criteria is fairly stated, in all material
respects.

November 28, 2023

Management of DoiT’s Assertion
We are responsible for designing, implementing, operating and maintaining effective controls over the
information systems and technology supporting DoiT International Ltd.’s (the “Service Organization” or “DoiT”)
Cloud Management platform throughout the period September 1, 2022 to August 31, 2023 to provide
reasonable assurance that DoiT International Ltd.’s service commitments and system requirements relevant to
Security, Availability and Confidentiality were achieved. Our description of the boundaries of the system is
presented in Attachment A below and identifies the aspects of the system covered by our assertion.

DoiT uses Google Cloud Platform to provide Cloud computing services. The description of the boundaries of the
system includes only controls and applicable trust services criteria of DoiT and excludes controls and applicable
trust services criteria of GCP (Google Cloud Platform). The description of the boundaries of the system indicates
that the applicable trust services criteria specified in the description can be achieved only if controls at the
subservice organizations contemplated in the design of DoiT’s controls are suitably designed and operating
effectively, along with the related controls at DoiT. We have not evaluated the suitability of the design or
operating effectiveness of such subservice organization controls.

We have performed an evaluation of the effectiveness of the controls within the system throughout the period
September 1, 2022 to August 31, 2023, to provide reasonable assurance that DoiT International Ltd.’s service
commitments and system requirements were achieved based on the trust services criteria relevant to Security,
Availability, and Confidentiality (applicable trust services criteria) set forth in TSP Section 100, 2017 Trust
Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (“applicable trust
services criteria”). DoiT’s objectives for the system in applying the applicable trust services criteria are embodied
in its service commitments and system requirements relevant to the applicable trust services criteria.

There are inherent limitations in any system of internal control, including the possibility of human error and the
circumvention of controls. Because of these inherent limitations, a service organization may achieve reasonable,
but not absolute, assurance that its service commitments and system requirements are achieved.

We assert that the controls within the system were effective throughout the period September 1, 2022 to
August 31, 2023 to provide reasonable assurance that DoiT International Ltd.’s service commitments and system
requirements were achieved based on the applicable trust services criteria.

Attachment A
DoiT International Ltd.’s Description of the Boundaries of its Cloud Management Platform

Services Provided

The company tackles complex problems of scale for its customers, drawing on expertise in problem resolution,
machine learning, algorithms, complexity analysis, and system design.

DoiT International’s core technology, the DoiT Platform, helps developers and cloud operators at digital-native
companies improve cloud operations, maintain security, control cost, and ensure governance of their cloud estate.
It has five strategic pillars: Analytics, Optimization, Enablement, Productivity, and Governance.

Note to Readers: The following system description is for illustrative purposes only and is not meant to be
prescriptive. For brevity, the illustration does not include everything that might be described in the description
of the service organization's system.

Principal Service Commitments and System Requirements

DoiT International designs its processes and procedures related to DoiT Platform to meet its objectives for its
Customer Reliability Engineering (CRE) services. Those objectives are based on the service commitments that
DoiT International makes to user entities, the laws and regulations that govern the provision of CRE services, and
the financial, operational, and compliance requirements that DoiT International has established for the services.
The CRE services of DoiT International are subject to the security and privacy requirements of the state laws and
regulations in the jurisdictions in which DoiT International operates.

Security commitments to user entities are documented and communicated in Service Level Agreements (SLAs)
and other customer agreements, as well as in the description of the service offering provided online.

Security commitments are standardized and include, but are not limited to, the following:

• Security principles within the fundamental designs of the DoiT Platform that are designed to permit
system users to access the information they need based on their role in the system while restricting
them from accessing information not needed for their role.

• Use of encryption technologies to protect customer data both at rest and in transit.

DoiT International establishes operational requirements that support the achievement of security commitments,
relevant laws and regulations, and other system requirements. Such requirements are communicated in DoiT
International system policies and procedures, system design documentation, and contracts with customers.
Information security policies define an organization-wide approach to how systems and data are protected.

These include policies around how the service is designed and developed, how the system is operated, how the
internal business systems are managed and how employees are hired and trained. In addition to these policies,
standard operating procedures have been documented on how to carry out specific manual and automated
processes required in the operation and development of the DoiT platform.

Subservice Organization

DoiT uses subservice organizations that provide services as follows:

• Google Cloud Platform (GCP) - GCP is a separate service organization that provides DoiT's infrastructure
within its cloud IaaS and PaaS offering.

Control Environment Area

Management Philosophy: DoiT International’s control environment reflects the philosophy of senior management
concerning the importance of the security of customers' data and information. The DoiT International Security
Steering Committee meets on a monthly basis and reports to the board quarterly. The committee, under the
direction of the DoiT International board, oversees the security activities of DoiT International and is charged
with establishing overall security policies and procedures for DoiT International. The importance of security is
emphasized within DoiT International through the establishment and communication of policies and procedures,
and is supported by investment in resources and people to carry out the policies. In designing its controls, DoiT
International has taken into consideration the relevance of controls to meeting the relevant trust criteria.


People

Background checks are performed on new employees, who are also required to review and acknowledge their
receipt of relevant security policies. The new positions are supported by job descriptions. Once employed,
employees are subject to DoiT International procedures for accessing systems and sanctions for violating DoiT
International information security policy. Employees are instructed to report potential security incidents to the
Head of InfoSec.

Integrity and ethical values

Integrity and ethical values are essential elements of the control environment.

DoiT’s code of conduct is a set of company values, rules, and principles that outlines the behavioral
expectations within DoiT.

• All employees are required to read and accept the code of conduct as part of DoiT’s onboarding process.
• DoiT's policies include probation, suspension, and termination as potential consequences of employee
misconduct.

Communication and Information

An Information Security Policy is in place addressing system requirements for all users. The policy is reviewed
and updated on an annual basis and as needed by the Head of Information Security.

Associates have access to security policies. DoiT publishes its IT security policies using the HR management
system.

Risk Assessment

DoiT International regularly reviews the risks that may threaten the achievement of its service commitments and
system requirements related to security based on the applicable trust services criteria set forth in TSP
section 100, 2017 Trust Services Principles and Criteria for Security, Availability, Processing Integrity,
Confidentiality, and Privacy (AICPA, Trust Services Criteria).

The Head of InfoSec assesses security risks on an ongoing basis. This is done through regular meetings with
engineering personnel, reviewing and acting upon security incidents, performing vulnerability assessments, and
conducting a formal annual risk assessment in conjunction with the company-wide risk assessment.

A Security Program is developed annually by the Head of InfoSec and is communicated to and approved
by senior management and the Security Steering Committee. As part of this program, strategic risks affecting
the organization and recommended courses of action are identified and discussed.

Senior management, as part of its annual information security policy review, considers developments in
technology and the impact of applicable laws and regulations on DoiT International security policies.

Changes in security threats and risks are reviewed by DoiT International, and updates to existing control
activities and information security policies are performed as necessary.

Monitoring

In addition to the daily oversight and periodic vulnerability assessments, security monitoring is executed
through the internal audit function, which performs systems and procedures audits to identify and remediate
security gaps.

Monitoring usage:

DoiT International uses GCP monitoring services to monitor production environments. Alerts and notifications
are sent to email and Slack channels for management attention as needed, along with engineering teams. DoiT
International uses a suite of monitoring tools to monitor its production environment. Alerts are sent to relevant
stakeholders based on predefined rules. Also, an audit trail is produced automatically after every access to GCP
resources and to clients' confidential information within the DoiT International production environment and
application. The logs are reviewed when there is an alert notification. Logs are retained for 12 months. Data
regarding availability-related incidents is generated from the GCP event management system. An analysis of
device outages, availability events, and capacity utilization is prepared by the relevant team. This report is
reviewed at the staff meeting. Based on the review, additional incident tickets or change management tickets
may be created to address trends and patterns identified.

Logical Access Management

DoiT International has implemented role-based security to limit and control access within the DoiT Platform.
Employees are granted access to in-scope systems based on documented approvals by appropriate
management personnel and systems. The ability to create or modify user access accounts and user access
privileges is limited to authorized personnel. User access is periodically reviewed to verify whether individuals'
access is necessary for their job functions and to identify the existence of inappropriate accounts.

User termination in the DoiT Platform and other DoiT International systems is executed automatically upon
employment termination, which is initiated by the PeopleOps team.

Each user termination notifies the relevant personnel, such as the Head of InfoSec and the system administrator.

Administrative access to Directory, DoiT Platform services, and databases is restricted to authorized employees
only according to their role and business need.

Unique user identification names and passwords in conjunction with the Two-Factor Authentication (2FA) are
required to authenticate all DoiT International users to the DoiT Platform.

A password convention is enforced, consisting of a minimum length, mixed lower/upper case, and at least one
digit and one symbol.
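The controls in this section (accounts tied to documented approvals, automatic removal on HR-initiated termination, 2FA for every user, and periodic review for inappropriate access) are the kind of thing a periodic access review reconciles in practice. The following is an added example written for this page, not DoiT's own tooling: it compares a constructed HR roster against a constructed account export from one in-scope system and reports the exceptions a reviewer would have to act on. The field names, the role-to-privilege model, the 90-day dormancy threshold and all sample rows are assumptions made for the illustration.

```python
"""Periodic logical-access review, as an added illustration.

Example code written for this page, not DoiT's own tooling. It assumes two
constructed inputs: an HR roster (as PeopleOps might export it) and an account
export from one in-scope system. Field names, roles and sample rows are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class HRRecord:
    email: str
    role: str                      # job function as recorded by HR (assumed values)
    terminated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    email: str
    privileges: FrozenSet[str]     # privileges held in the in-scope system
    mfa_enrolled: bool             # whether 2FA is enrolled for the account
    last_login: Optional[date]     # None if the account has never logged in


# Assumed role model: which privileges each job function is allowed to hold.
ROLE_ALLOWED = {
    "sre": frozenset({"read", "deploy", "admin"}),
    "engineer": frozenset({"read", "deploy"}),
    "analyst": frozenset({"read"}),
}

DORMANT_AFTER_DAYS = 90    # assumed threshold for flagging unused accounts
AS_OF = date(2023, 8, 31)  # review date (end of the report period)

# Constructed sample data.
HR_ROSTER = [
    HRRecord("alice@example.com", "sre", None),
    HRRecord("bob@example.com", "engineer", date(2023, 6, 30)),  # left the company
    HRRecord("carol@example.com", "analyst", None),
]
ACCOUNTS = [
    Account("alice@example.com", frozenset({"read", "deploy", "admin"}), True, date(2023, 8, 20)),
    Account("bob@example.com", frozenset({"read", "deploy"}), True, date(2023, 6, 29)),
    Account("carol@example.com", frozenset({"read", "admin"}), False, date(2023, 3, 1)),
    Account("dave@example.com", frozenset({"read"}), True, date(2023, 8, 1)),  # no HR record
]

Finding = Tuple[str, str, str]  # (account email, finding code, detail)


def review_access(hr_roster: List[HRRecord], accounts: List[Account], as_of: date) -> List[Finding]:
    """Compare system accounts with the HR roster; return the exceptions a reviewer must act on."""
    hr_by_email = {rec.email: rec for rec in hr_roster}
    findings: List[Finding] = []
    for acct in accounts:
        person = hr_by_email.get(acct.email)
        if person is None:
            # An account with no owner in HR cannot be tied to a documented approval.
            findings.append((acct.email, "ORPHAN", "no HR record for this account"))
            continue
        if person.terminated_on is not None and person.terminated_on <= as_of:
            # Offboarding should have removed this account automatically; it did not.
            findings.append((acct.email, "TERMINATED",
                             f"employment ended {person.terminated_on.isoformat()} but account still exists"))
            continue
        if not acct.mfa_enrolled:
            findings.append((acct.email, "NO_2FA", "two-factor authentication not enrolled"))
        excess = acct.privileges - ROLE_ALLOWED.get(person.role, frozenset())
        if excess:
            findings.append((acct.email, "EXCESS_PRIVILEGE",
                             f"role '{person.role}' does not permit {sorted(excess)}"))
        if acct.last_login is None or (as_of - acct.last_login).days > DORMANT_AFTER_DAYS:
            findings.append((acct.email, "DORMANT", f"no login in the last {DORMANT_AFTER_DAYS} days"))
    return findings


def finding_codes(findings: List[Finding]) -> dict:
    """Group finding codes by account email for a quick summary."""
    summary: dict = {}
    for email, code, _ in findings:
        summary.setdefault(email, []).append(code)
    return summary


if __name__ == "__main__":
    for email, code, detail in review_access(HR_ROSTER, ACCOUNTS, AS_OF):
        print(f"{email:20} {code:17} {detail}")
```

Run as a script it lists one line per exception; the account of the employee who left is reported as still existing, the analyst account is reported for missing 2FA, an admin privilege its role does not permit, and dormancy, and the account with no HR record is reported as an orphan, while the SRE account produces no finding. The terminated and orphan cases short-circuit because the correct action there is removal, not privilege trimming.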

Physical Security and Environmental Controls: Born in the cloud, DoiT International does not operate any physical
facilities. All physical access is restricted, maintained and controlled by the cloud service providers at the highest level.

Incident Management

Security incidents and other system related problems are reported via the ticketing system. Issues are tracked
using a help desk ticket and monitored until resolved.

Antivirus

All workstations must have a software-based firewall with intrusion prevention and anti-virus software always
running on the system and updated to their latest versions.

Availability

Database Backup

DoiT International’s database backup procedure outlines the backup schedule and location of DoiT’s production
environment in Google Cloud Platform. Customer database information is backed up on an ongoing basis, and
DoiT International is working on a multi-cloud deployment and backup as part of the disaster recovery
procedure. Daily backups are performed using an automated application.

Restoration

DoiT International follows several procedures and database backup policies to safeguard its customer information.
As backups are done daily, the ability to restore the customer database information is immediate, and everything
is done within the Google Cloud environment. Restore tests are performed on an annual basis. The test includes a
full restore to a separate database service and bringing up the database to verify data integrity and accessibility.

Data center availability procedures

DoiT International uses the Google Cloud Platform (GCP) to host its service. GCP provides DoiT International
with a secured location implementing security measures to protect against environmental risks or disaster. GCP
lets DoiT take advantage of the powerful network and technologies that Google uses to deliver its own products.

Business Continuity Plan (BCP)

DoiT’s business continuity plan has been designed and written to be used in the event of a disaster affecting DoiT
International. This plan contains all the information necessary to restore an operational service in the event of a
serious disruption of computer services at DoiT International. DoiT International has also developed a Disaster
Recovery Plan in order to continue to provide critical services in the event of a disaster. The BCP is updated on an
annual basis.

Change Management

DoiT International has a formalized change management process in place, which requires identification and
recording of significant changes, assessment of risk and potential effect of such changes, approval of proposed
changes, and testing of changes to verify operational functionality. Proposed changes are evaluated to
determine if they present a security risk and what mitigating actions must be performed.

Emergency changes follow the formalized change management process, but at an accelerated timeline. Prior to
initiating an emergency change, necessary approvals are obtained and documented.

Changes to infrastructure and software are developed and tested in a separate development or test
environment before implementation. Additionally, developers do not have the ability to migrate changes into
production environments.

DoiT International has a formalized security and systems development methodology that includes project
planning, design, testing, implementation, maintenance, and disposal or decommissioning.

Confidentiality

DoiT International retains customers' data consistent with the entity’s objectives related to confidentiality.
Confidentiality commitments are described in contracts with DoiT International clients in order to protect
confidential information. In addition, new employees are required to sign a standard employment agreement
outlining the confidentiality and intellectual property clauses.

DoiT International enforces the following confidentiality procedures to protect its customers' and its own information:

Use only approved business software for storing and processing confidential information - DoiT International
policies clearly state how and where confidential information is obtained, stored and processed.

Encryption - DoiT International encrypts information at rest and in transit, following best security practices in
the industry and Google Cloud Platform recommendations.

User Access - A very limited number of people have access to the production environment and can execute
changes on the production environment and data. The access of these users is monitored to detect malicious
behavior.

Complementary User Entity Controls

DoiT International’s implementation of information technology and general IT controls is designed with the
assumption that certain controls will be implemented by user entities. Such controls are called complementary
user entity controls. It is not feasible for all the control objectives related to DoiT International’s general controls
to be achieved solely by DoiT’s control activities. Accordingly, user entities, in conjunction with the information
technology general controls system, should establish their own internal controls or procedures to complement
those of DoiT International.

The following complementary user entity controls should be implemented by user entities to provide additional
assurance that the specified control objectives described within this report are met:

CUEC # | Complementary User Entity Control Considerations | Related Trust Services Criteria

CUEC-1 | User entities are responsible for notifying DoiT International in a timely manner of any updates regarding the list of authorized personnel that could impact services. | CC6.3

CUEC-2 | User entities are responsible to ensure that procedures are in place to properly segregate duties and help ensure only authorized personnel can perform sensitive functions and that access to these functions is periodically reviewed. | CC6.3

CUEC-3 | User entities are responsible for the backup of their Customer Data and may be subject to export control laws applicable to Customer or in Customer's jurisdiction. | CC1.1, CC6.3, CC6.4

CUEC-4 | User entities are responsible to implement controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the commitments and requirements as they relate to security. | CC6.6

CUEC-5 | User entities are responsible for granting and revoking DoiT International access to their users as appropriate, for periodically reviewing such access to ascertain that access remains appropriate, and for monitoring access logs and addressing discrepancies. | CC6.3

CUEC-6 | User entities are responsible for enforcing use of unique IDs and for configuring password parameters in DoiT International, or in their directory service where a directory service sync is utilized, which authenticates users to DoiT International in accordance with their internal policies. | CC6.1

CUEC-7 | User entities are responsible for monitoring log-in attempts and enforcing workstations to automatically lock after a predetermined period of inactivity. | CC6.1

CUEC-8 | User entities are responsible for the security of content once it is exported from DoiT International. | CC6.4

Complementary Subservice Organization Controls (CSOC)

DoiT International’s controls cover a portion of overall internal control for each user entity of DoiT International
Virtual Networking Platform Services, as it is not feasible for applicable criteria related to physical and
environmental security to be achieved solely by DoiT International. Therefore, each user entity must take into
account the related complementary subservice organization controls expected to be implemented at the
subservice organizations as described below:

CSOC # | Complementary Subservice Provider Control Considerations | Related Trust Services Criteria

CSOC-1 | Implement controls to enable security and monitoring tools within the production environment. | CC1.5, CC5.2, CC7.1

CSOC-2 | Implement logical access security measures to infrastructure components, including native security or security software and appropriate configuration settings. | CC6.1, CC6.2, CC6.3

CSOC-3 | Availability: monitor compliance with commitments and requirements and maintenance of virtual and physical servers. | CC2.2

CSOC-4 | Implement controls to provide continuous monitoring of the network and detection of potential security breaches. | CC7.2

CSOC-5 | Restrict access to the virtual and physical servers, software, firewalls, and physical storage to authorized individuals and review the list of users and permissions on a regular basis. | CC6.4, CC6.6, CC6.8

CSOC-6 | Implement controls to: | CC6.1, CC6.2, CC6.3, CC6.4
- Provision access only to authorized persons.
- Remove access when no longer appropriate.
- Secure the facilities to permit access only to authorized persons.
- Monitor access to the facilities.

CSOC-7 | Implement controls related to backups according to regulatory requirements, business and customer needs. | CC1.1, CC6.3, CC6.4
