DataGo Security - MDC Technology Group.

All communications between DataGo Backup Server and your computer are transported in a 128-bit SSL (Secure Socket Layer) channel. Although all your backup files travel through a public network (internet), eavesdroppers have no knowledge of what has been exchanged.

All of your files are first zipped and encrypted with your defined encrypting key before they are sent to DataGo backup server. The files remain encrypted while in storage and would appear to be no more than some garbage files with random content to anyone without the encryption key.

If the Customer so chooses, the encrypting key used to encrypt your files resides only on your computer and is known only to you. It is never transmitted anywhere across the network. Thus, even the system administrators will not be able to decrypt and view the content of your files stored on the backup server without your permission. This unfortunately means if the encrypting key is lost, you will never be able to recoveryour backup files.

Currently, the algorithm that we are using to encrypt your files is 128-bit Twofish. It is a block cipher And is one of the five Advanced Encryption Standard (AES) finalists chosen by National Institute of Standard and Technology (NIST).

A 128-bit key size has 2128 or around 3.4 x 1038 possible combination. Even if you have the world best super computer, , ASCI White, SP Power3 375 MHz has 8192 processors which totals a capability of 12.3 teraflops (trillions of operations/second), manufactured by IBM as of November 2000, available to you. It would take 8.77 x 1017years to test all combinations.

Assuming you actually have the super computer and the will to do this, To use brute force attack (checking all combinations) on this encryption algorithm would take:

That is : 876530835323573935 years (8.77 x 1017 years) to successfully try all combinations. Let alone ASCI White cannot process as fast as what is described here. You can be sure that your data stored on our server is as secure as it can possible be made. In most cases, it is more secure on our servers than it is on yours!

We can also restrict access to your backup files from the set of IP addresses you defined. If someone tries to access your data from an IP address not on your defined list, their access will be denied. This additional security ensures backup files are not open to all location, even if the username and password were known.

Health Insurance Portability and Accountability Act (HIPAA). The Following are known Requirements for HIPPA and the storing of data.

1. Requirement: Electronic personal health information (ePHI) must be protected against any reasonably anticipated threats or hazards.

~ What we do: The data is housed in a Steel Data Center within our facility. Redundant systems protect the data in every step of the backup and storage process.

2. Requirement: Access to ePHI must be protected against any reasonably anticipated uses or disclosures that are not permitted or required by the Privacy Rule.

~ What we do: The data is encrypted before transmission and is always maintained in encrypted state. Currently, the algorithm that we are using to encrypt your files is 128-bit Twofish. It is a block cipher and is one of five Advanced Encryption Standard (AES) finalists chosen by National Institute of Standard and Technology (NIST). Access is restricted by password authentication. As needed for compliance with this rule : THE CLIENT WILL BE THE ONLY ONE WITH KNOWLEDGE OF THE ENCRYPTION PASSWORD AND THE ONLY ONE WITH ACCESS TO THE DATA. NO EMPLOYEE OF MDC TECHNOLOGY GROUP WILL HAVE ACCESS TO THE READABLE OR UN-ENCRYPTED DATA. THIS INCLUDES: IN THE EVENT THE CLIENT LOSES THE PASSWORD FOR THE ENCRYPTION KEY, MDC TECHNOLOGY GROUP CAN NOT GAIN ACCESS TO THE DATA, NOR WILL WE BE ABLE TO RECOVER THE PASSWORD. THIS IS A SECURE SYSTEM AND THE CLIENT MUST NOT LOSE THE PASSWORD!!!

~ What we do: Access to data is date and time-stamped by account name, providing a clear audit trail.

4. Requirement: If the data is processed through a third party, entities are required to enter into a chain of trust partner agreement.

~ What we do: MDC Technology Group enters into a Business Associate Agreement with client, in which the parties agree to electronically exchange data and to protect the transmitted data. The Agreement states that the receiver of data (MDC Technology Group - DataGo) will maintain the integrity and confidentiality of the transmitted information.

5. Requirement: Preserve the records exclusively in a non-rewriteable, non-erasable format.

~ What we do: We will, as needed for compliance with this rule, write your data to a non-rewriteable, non-erasable format. (This will be an image of the backup and will be placed on DVD Media)

6. Requirement: Verify automatically the quality and accuracy of the storage media recording process.

~ What we do: The data is verified automatically every time a backup takes place.

7. Requirement: Serialize the original, and, if applicable, duplicate units of the storage media, and time-date for the required period of retention the information placed on such electronic storage media.

~ What we do: Even if data is restored to the client system, the original remains on the DataGo Server in the same exact state as the initial backup until it is cycled off at the end of the cycle. The cycle length may be from one day to a much as the customer has chosen. We will, as needed for compliance with this rule and on an appropriate schedule, make a non-rewriteable, non-erasable media. (See Sec#2.0.5). MDC Technology Group will assign the media disk a serial number, and record such number onto an invoice for tracking purposes. The disk will then either be delivered to the client or locked in our fire safe. (Depending on the customers preference)

8. Requirement: Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable.

~ What we do: The data is available for online restores 24/7, 365 days a year.

9. Requirement: Store separately from the original a duplicate copy of the record stored on any medium acceptable for the time required.

~ What we do: We use a process that backs up the original files to another backup server. Located below ground. We will further, as needed for compliance with this rule, make images of the backups which will be held on a DVD Media Disk. (See Sec# 2.0.5)

2.1 SEC/NASD Requirements

Below is a list of known Requirements to comply with the SEC/NASD. The rules, effective as of May 12, 2003, apply to many types of records, including financial accounting documents, all communications received and all communications sent. The DataGo Offsite Backup Service enables clients to meet or exceed SEC and NASD regulatory compliance in regard to the preservation of financial records and electronic communications.

1. Requirement: Information cannot be tampered with or altered by any employee.

~ What we do: Data is always encrypted with 128-bit encryption (See Section 1.1 thru 1.5) . MDC Technology Group does not have access to the password. (See Sec# 2.0.2)

2. Requirement: Trail of transactions must be discernable and kept in sequence.

~ What we do: Each backup generates a log file for that particular day to show all files that were backed up on each backup job. .

3. Requirement: Audit trails

~ What we do: Each Backup and Restore process is time and date stamped and keep in a log file by date.

4. Requirement: Information is available only to client's authorized personnel.

~ What we do: Client access is only through authorized personnel with the password.(See Sec# 2.0.2)

5. Requirement: Records must be accessible.

~ What we do: All backups are immediately available 24/7/365.

6. Requirement: Certain data must be maintained for not less than 7 years.

~ What we do: Data will remain in the DataGo Data Vaults for as long as the client chooses to retain it. Long term retention is set during the initial agreement.

2.0 HIPPA Requirements

2.1 SEC/NASD Requirements