Arvato Digital Services LLC. CTPAT Security Letter of Agreement

Author: Magnus Chapman
Dear Valued Supplier and Business Partner,

Please be advised that Arvato Digital Services LLC is a member of Customs and Border Protection’s (CBP) Customs Trade Partnership Against Terrorism (C-TPAT). The C-TPAT is an initiative sponsored by the United States Customs and Border Protection Agency with the objective of securing our supply streams. Please familiarize yourself with the C-TPAT information and requirements listed in the attachment to this letter. More detailed information about C-TPAT can be found on the following U.S. Customs & Border Protection website: http://www.cbp.gov/border-security/ports-entry/cargo-security/c-tpat-customs-trade-partnership-againstterrorism

A requirement for this partnership is to continue to develop, implement, and manage plans that ensure the integrity of security practices throughout the supply stream. (Supplier Name) must ensure that its vendors and service providers are either part of the C-TPAT Program or are willing to adhere to the security procedures of the program.

Please fill out the Security Questionnaire and the Security Letter of Agreement and forward these documents to your Procurement Agent.

[ ] We are a member of C-TPAT (If so, please send a copy of the Certificate along with this letter).

[ ] We are currently not a member, but will apply for membership and in the meantime adhere to all of the CTPAT policies and procedures.

[ ] We are not a member, do not plan on applying for membership, but we will adhere to all of the C-TPAT policies and procedures.

[ ] We are not a member, do not plan on applying for membership, and will not adhere to the C-TPAT policies and procedures.

[ ] We are a member of a C-TPAT equivalent World Customs Organization security program administered by a foreign (non-US) customs authority. Program (name). (Please send a copy of the membership document).

Please describe any security-related weaknesses your company currently has and how these weaknesses will be addressed.

Name/ title of the company representative (Print)

Company name (Print)

Signature

Date


Arvato Digital Services LLC Security Questionnaire

Company Name:

1. Business Partner Requirement (Yes / No / N/A)

1.1 Do you have written and verifiable processes for the selection of business partners including manufacturers, product suppliers, and vendors?

1.2 Do you require your vendors to adhere to security standards?

1.3 Do you use financial assessments to evaluate your vendors?

1.4 Do you monitor vendors' performance?

1.5 Do you perform inspections of vendors' facilities as a part of a normal policy?

1.6 Do you discuss security issues with your vendors?

2. Container Security (Yes / No / N/A)

2.1 Do you ship/receive containerized shipments?

2.2 Do you have written procedures in place that stipulate how seals are to be controlled and affixed to loaded containers to include procedures for recognizing compromised seals and/or containers?

2.3 Do you have procedures in place to verify the physical integrity of the container structure prior to stuffing, to include reliability of the locking mechanisms of the doors?

2.4 Do you store containers in a secure area to prevent unauthorized access and/or manipulation?

2.5 Do you have written procedures in place for reporting and neutralizing unauthorized entry into containers or container storage areas?

2.6 Do you have a third party (for example, a freight forwarder) who handles your containerized shipments?

2.7 If yes, does your third party implement 2.2 - 2.5 requirements?


3. Physical Access Controls (Yes / No / N/A)

3.1 Do you have access controls that prevent unauthorized entry to facilities, maintain control of employees and visitors, and protect company assets?

3.2 Do access controls include the positive identification of all employees, visitors, and vendors at all points of entry?

3.3 Do you utilize a photo identification system for employees?

3.4 Do your employees have access only to those secure areas needed for the performance of their duties?

3.5 Do employees, visitors, and vendors gain entrance to facilities through a secure point of entry using electronic card keys, buzzer/release doors, security guard check points or similar methods?

3.6 Do you control the issuance and removal of employee, visitor, and vendor identification badges?

3.7 Do you have a logbook to keep visitors' names, companies they represent, purpose of visit, and entrance/exit times?

3.8 Are visitors required to present a photo identification document for documentation purposes upon arrival?

3.9 Are visitors always escorted and required to wear identification badges while visiting your facilities?

3.10 Do you have procedures in place to identify, challenge and address unauthorized/unidentified persons?

3.11 Do you periodically screen arriving packages and mail before dissemination?

3.12 Do you have documented procedures for the issuance, removal, and changing of access devices (e.g. keys, key cards, etc.)?


4. Personnel Security (Yes / No / N/A)

4.1 Do you verify applications submitted by prospective employees for work history?

4.2 Are you permitted by your government to conduct background checks on prospective employees?

4.3 If yes, do you conduct background checks of prospective employees?

4.4 If yes, please list what kind of background checks you conduct:

4.5 Do you conduct periodic background checks of existing employees?

4.6 Do you have an employee termination procedure that includes recovering keys, identification badges, and other access devices?

5. Procedural Security (Yes / No / N/A)

5.1 Do you have procedures in place to ensure that all information used in the clearing of merchandise/cargo is legible, complete, accurate, and protected against the exchange, loss or introduction of erroneous information?

5.2 Do you have procedures safeguarding computer access and information?

5.3 Do you have procedures in place to ensure that information received from business partners is reported accurately and timely?

5.4 Do you have shipping/receiving procedures in place?

5.5 Do you have procedures for detecting, recording, and investigating shortages/overages?

5.6 Do you have procedures for notifying Customs and/or other law enforcement agencies if illegal or suspicious activities are detected or suspected?

5.7 Do you review security measures on a periodic basis to prevent unauthorized access to facilities, equipment, document processes and cargo?

5.8 Do you have a procedure for data and record retention security?


5.9 Do you have theft prevention program(s), procedures, or policies in place and are they documented, controlled, and periodically reviewed by management?

5.10 Do you conduct random assessments of areas in your company's control within the supply chain?

6. Physical Security (Yes / No / N/A)

6.1 Are all your buildings, yards, warehouses, on and off ramp facilities constructed of materials which resist unlawful entry and protect against outside intrusion?

6.2 Do you have locking devices on all external and internal doors, windows, gates, and fences?

6.3 Do you have adequate lighting inside and outside the facility including the following areas: entrances and exits, cargo handling and storage areas, fence lines and parking areas?

6.4 Does your facility have an electronic alarm system?

6.5 Does your facility have surveillance cameras?

6.6 Do you monitor entry/exit gates?

6.7 Do you have perimeter fencing to enclose the areas around cargo handling and storage facilities?

6.8 Does interior fencing within the cargo handling structure segregate domestic, international, high value, and hazardous cargo?

6.9 Do you regularly inspect all fencing for integrity and damage?


6.10 Are private passenger vehicles prohibited from parking in or adjacent to cargo handling and storage areas?

6.11 Do you have an internal security department?

6.12 Do you utilize the services of an outside security company?

7. Information Technology Security (Yes / No / N/A)

7.1 Do you assign passwords to your computer users?

7.2 Do you require a periodic change of passwords?

7.3 Are Information Technology security policies and procedures documented, controlled, communicated to applicable employees and periodically reviewed and updated by company management?

7.4 Do you have a system in place to identify the abuse of IT including improper access, tampering or the altering of business data?

7.5 Do you apply disciplinary actions for IT abuse?

8. Security Training and Threat Awareness (Yes / No / N/A)

8.1 Do you provide a security awareness training program to employees?

8.2 Do you provide additional training to employees in the shipping and receiving areas, as well as those receiving and opening mail?

8.3 Do you offer incentives for active employee participation in reporting internal conspiracies?


Company Name:

Signature:

Title:

Name: (Print)
