EcoStruxure IT Cybersecurity

EcoStruxure IT – End-to-end security: secure sign-on with password policy and multifactor authentication; a secure connection that prevents changes from being made from the outside; only device data is sent.
EcoStruxure IT Cybersecurity (Confidential Property of Schneider Electric)
EcoStruxure IT – End-to-end security
• Secure sign-on with password policy and multifactor authentication
• Secure connection preventing changes from being made from the outside
• Only device data is sent: only the devices you choose to monitor send data to the cloud, so you remain in control of which data is sent
EcoStruxure IT is committed to complying with its obligations under the GDPR.

Personal data collected by subprocessors:
• Names
• Email addresses
• Telephone numbers
• IP addresses
• Email open rates
• Login log information

Hosting services subprocessors:
• Microsoft Azure
• Amazon Web Services
How do you access your data in the EcoStruxure IT cloud? Using mandatory 2-factor authentication (2FA).

[Diagram] Components shown, with a 2FA label where the slide marks one: in the cloud, Analytics, EcoStruxure IT Web App (2FA), EcoStruxure IT Platform, Service Bureau (2FA), EcoStruxure IT Mobile App (2FA) and the Schneider Electric Support portal (2FA); on-premise, EcoStruxure IT Gateway (2FA), Data Center Expert and Data Center Operation; on the customer side, 2-factor authentication on your mobile phone.
Application security: product security features

Secure development
• Background checks and annual security training for all EcoStruxure IT software developers
• Mandatory peer review of any change to the EcoStruxure IT platform

Application vulnerabilities
• Use of 3rd-party security tools to continuously and dynamically scan EcoStruxure IT for vulnerabilities
• Continuous scan of source code changes for bugs, security and licence issues via static analysis tooling
• Use of a rotating number of 3rd-party certified hackers to perform detailed penetration tests on all components of EcoStruxure IT
• Efficient incident response through defined vulnerability management processes

Authentication security
• Secure sign-on with password policy and multifactor authentication
• Secure credential storage
• Brute-force protection

Gateway security
• Secure outbound connection through port 443. All connections from gateway to cloud are validated using an industry-standard 2048-bit RSA certificate. Data is encrypted in transit using 256-bit AES encryption
• Requests from the gateway are signed using a unique private key created on installation and stored in the gateway
• Auto-update functionality for automatic software security patching
• User-initiated discovery of devices using provided credentials and an IP range. If an unknown device is discovered, the customer can allow the EcoStruxure IT Gateway to perform a targeted walk to help improve device support
Data center & network security
EcoStruxure IT servers are hosted in the United States on Microsoft Azure Cloud, EU-US Privacy Shield certified.

Network security
• Access to the EcoStruxure IT production network is restricted on an explicit need-to-know basis
• Use of Azure always-on traffic monitoring and real-time mitigation of common network-level attacks
• Continuous employment of a rotating number of 3rd-party certified hackers to perform detailed penetration tests of the EcoStruxure IT platform
• Continuous monitoring and scanning of the EcoStruxure IT system for potential security vulnerabilities
• Validation of connections to the EcoStruxure IT cloud using an industry-standard 2048-bit RSA certificate
• Encryption of data in transit and at rest using 256-bit AES encryption
• Deployment of EcoStruxure IT platform components in a high-availability configuration to eliminate single points of failure
• Data backup to prevent data loss

Data privacy
Data privacy at Schneider Electric: https://www.schneider-electric.com/en/about-us/legal/data-privacy.jsp
• EcoStruxure IT is committed to complying with its obligations under the GDPR
• Sharing of personal information with 3rd-party data processors on a need-to-know basis
• Collection of machine data only, tagged to the specific customer
• No access from EcoStruxure IT to data stored on the customer server
• Use of customer machine data to optimize EcoStruxure IT products and services
• First cybersecurity certification planned in H1 2019
How is your data segregated from other customers’ data?
EcoStruxure IT is a multi-tenant solution and limits user access across all systems.

EcoStruxure IT Cloud
• Secure sign-on with password policy and multifactor authentication
• All sessions use digitally signed JWT tokens following RFC 7519
• The user identity is part of the signed JWT and cannot be altered to access another tenant
• When any user accesses data, the organization ID is used to limit access across all systems
• All customer data is tagged with a customer ID
• All data access verifies that the customer ID matches the JWT token
• All logs and metrics are anonymized

[Diagram] Tenant 1, Tenant 2, Tenant 3 isolated behind the checks above.
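The three tenant-isolation checks the slide lists (signed JWT, identity inside the signature, customer ID compared against the token on every data access) are easy to state and easy to get subtly wrong, so here is an added, self-contained illustration of them. This is example code written for this page, not EcoStruxure IT's implementation; it uses an HMAC-SHA256 (HS256) signature with a constructed shared secret as a stand-in for whatever signing key the service actually uses, and the `RECORDS` table, tenant IDs and field names are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    # JWT (RFC 7519) uses unpadded base64url for every segment.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, user_id: str, org_id: str, ttl_seconds: int = 3600) -> str:
    """Issue a signed token whose claims carry the user identity and the tenant (organization) ID."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "org": org_id, "exp": int(time.time()) + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret: bytes, token: str) -> dict:
    """Return the claims only if the signature and expiry check out; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: a verifier that trusts the token's own "alg" field can be
    # talked into "none" or a different key type, a well-known JWT pitfall.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) < time.time():
        raise ValueError("expired")
    return payload


def rewrite_org_claim(token: str, new_org: str) -> str:
    """Edit the org claim without re-signing, to show that the signature binds the tenant ID."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["org"] = new_org
    return header_b64 + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()) + "." + sig_b64


# Constructed sample data: every record is tagged with the customer (tenant) that owns it.
RECORDS = [
    {"id": "ups-01", "customer_id": "tenant-1", "load_pct": 41},
    {"id": "ups-02", "customer_id": "tenant-2", "load_pct": 78},
]


def fetch_record(secret: bytes, token: str, record_id: str) -> dict:
    """Data-access path: verify the token, then require record.customer_id == token.org."""
    claims = verify_token(secret, token)
    for rec in RECORDS:
        if rec["id"] == record_id:
            if rec["customer_id"] != claims["org"]:
                # Deny cross-tenant reads even though the caller is authenticated.
                raise PermissionError("record belongs to another tenant")
            return rec
    raise KeyError(record_id)


if __name__ == "__main__":
    secret = b"constructed-example-secret"
    token = mint_token(secret, "alice", "tenant-1")
    print(fetch_record(secret, token, "ups-01"))
    for bad in (lambda: fetch_record(secret, token, "ups-02"),
                lambda: verify_token(secret, rewrite_org_claim(token, "tenant-2"))):
        try:
            bad()
        except (PermissionError, ValueError) as exc:
            print("rejected:", exc)
```

The point to take from `fetch_record` is that the tenant comparison happens on the server against the claim inside the verified token, never against a tenant ID the client supplies separately; `rewrite_org_claim` shows that changing the claim without the key breaks the signature, which is what the slide means by "can't be altered to access another tenant".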
What is the EcoStruxure IT Gateway?
• The EcoStruxure IT Gateway software collects data from your devices and sends it to the EcoStruxure IT cloud.
• It is an enabler of the EcoStruxure IT solution.

Before you can start monitoring your devices with EcoStruxure IT:
• Ask your security expert for approval
• Allow the installation of the Windows- or Linux-based EcoStruxure IT Gateway software
• Allow the configuration of the firewall for one outbound-only connection
How does your data leave your site?
• Secure connection preventing changes from being made from the outside
• Outbound connection through port 443
• All external communication is encrypted using TLS 1.2
• Connection validation using a 2048-bit RSA certificate
• Communication using 40.84.62.190 and 23.99.90.28
• Data encryption in transit and at rest using 256-bit AES encryption
• All requests coming from the EcoStruxure IT Gateway are signed using a unique private key (2048-bit RSA key)
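Two of the bullets above (TLS 1.2 and certificate validation of the cloud endpoint) are properties of how the client configures its TLS stack, and they are the settings a reviewer would check on any outbound-only agent. The block below is an added example, not the gateway's code: it builds a client `SSLContext` in Python's standard `ssl` module with the settings that match the slide, and next to it an audit function that reports which of those settings a given context lacks, so the hardened configuration can be compared with a permissive one. No network connection is made; the hostnames and IPs from the slide are not contacted.

```python
import ssl
from typing import List, Optional


def build_gateway_tls_context(ca_bundle_path: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS settings matching the slide: TLS 1.2 minimum, server cert required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Refuse TLS 1.0/1.1 outright rather than relying on the peer to pick a good version.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # PROTOCOL_TLS_CLIENT already sets these, but stating them makes the intent auditable.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle_path:
        # Pin to an explicit CA bundle when the deployment ships one (path is an assumption).
        ctx.load_verify_locations(ca_bundle_path)
    else:
        ctx.load_default_certs()
    return ctx


def permissive_tls_context() -> ssl.SSLContext:
    """The weak configuration an audit should flag: no certificate or hostname validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of findings; an empty list means the context meets the slide's bullets."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("min_version_below_tls12")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("cert_verification_disabled")
    if not ctx.check_hostname:
        findings.append("hostname_check_disabled")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_tls_context(build_gateway_tls_context()))
    print("permissive:", audit_tls_context(permissive_tls_context()))
```

`audit_tls_context` is the kind of check worth running in a unit test of any agent that talks to a cloud API: it catches the common regression where a developer disables certificate verification "temporarily" to get past a proxy and the change ships.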
How does EcoStruxure IT apply updates on your infrastructure in a secure way?
The EcoStruxure IT Cloud is capable of initiating actions on your infrastructure via an outbound-only connection, using HTTPS on port 443.

• EcoStruxure IT Expert makes a general mailbox API available to all gateways.
• Messages can describe an action for a gateway to take, such as:
  • Sync data with cloud
  • Send log data
  • Download and apply a Gateway software update
  • Download and apply firmware to a set of devices
  • Copy a device configuration from one device to a set of others
• This mailbox API leverages the same authentication and encryption as other ITE cloud APIs.

Who triggers actions:
• EcoStruxure IT Expert users trigger an action remotely
• Schneider Electric engineering assists with debugging or recovery

Message flow:
• Messages are placed in the mailbox
• The Gateway performs an HTTPS GET to the mailbox API using its gateway-unique ID to check for messages
• The Gateway performs an HTTPS POST to the same mailbox API URL to acknowledge that the message was received and to provide status updates
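The mailbox pattern above is what lets the cloud drive actions without ever opening an inbound port: the gateway polls (GET), decides what to do, and reports back (POST). The block below is an added, in-memory model of that exchange written for this page; it is not Schneider Electric's API and invents nothing about the real one beyond the slide. The message IDs, gateway ID and action names are constructed, and request signing uses an HMAC with a per-gateway secret as a stand-in for the per-gateway private-key signature the earlier slides describe. The extra check it shows, which the slide implies but does not spell out, is that the gateway only executes action types it recognises.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Action types the gateway is willing to execute (the five listed on the slide, as constructed names).
ALLOWED_ACTIONS = {
    "sync_data", "send_logs", "apply_gateway_update",
    "apply_device_firmware", "copy_device_config",
}


def _sign(key: bytes, data: bytes) -> str:
    # Stand-in for the per-gateway private-key signature on every request.
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Mailbox:
    """In-memory model of the cloud mailbox API (constructed for this example)."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}          # gateway_id -> key registered at install
        self._queues: Dict[str, List[dict]] = {}   # gateway_id -> pending messages
        self.acks: List[dict] = []                 # status updates received via POST

    def register_gateway(self, gateway_id: str, key: bytes) -> None:
        self._keys[gateway_id] = key
        self._queues[gateway_id] = []

    def place_message(self, gateway_id: str, msg_id: str, action: str, params: dict) -> None:
        # Cloud side: an EcoStruxure IT Expert user (or Schneider engineering) queues an action.
        self._queues[gateway_id].append({"id": msg_id, "action": action, "params": params})

    def _check(self, gateway_id: str, data: bytes, signature: str) -> None:
        key = self._keys.get(gateway_id)
        if key is None or not hmac.compare_digest(_sign(key, data), signature):
            raise PermissionError("request not signed by a registered gateway")

    def http_get(self, gateway_id: str, signature: str) -> List[dict]:
        # GET <mailbox>/<gateway_id>: only the gateway holding the key can read its own queue.
        self._check(gateway_id, f"GET {gateway_id}".encode(), signature)
        pending, self._queues[gateway_id] = self._queues[gateway_id], []
        return pending

    def http_post(self, gateway_id: str, body: str, signature: str) -> None:
        # POST <mailbox>/<gateway_id>: acknowledgement plus status for one message.
        self._check(gateway_id, f"POST {gateway_id} {body}".encode(), signature)
        self.acks.append(json.loads(body))


class Gateway:
    """On-premise side: outbound polling only, no listening socket."""

    def __init__(self, gateway_id: str, key: bytes, mailbox: Mailbox) -> None:
        self.gateway_id, self._key, self._mailbox = gateway_id, key, mailbox

    def poll_once(self) -> List[dict]:
        """One poll cycle: GET pending messages, act on each, POST a status update for each."""
        get_sig = _sign(self._key, f"GET {self.gateway_id}".encode())
        results = []
        for msg in self._mailbox.http_get(self.gateway_id, get_sig):
            # Allowlist the action type before doing anything with the message.
            status = "done" if msg["action"] in ALLOWED_ACTIONS else "rejected"
            body = json.dumps({"id": msg["id"], "status": status}, sort_keys=True)
            self._mailbox.http_post(self.gateway_id, body,
                                    _sign(self._key, f"POST {self.gateway_id} {body}".encode()))
            results.append({"id": msg["id"], "status": status})
        return results


def demo() -> List[dict]:
    """Queue one known and one unknown action for a constructed gateway and poll once."""
    mailbox = Mailbox()
    key = b"constructed-per-gateway-key"
    mailbox.register_gateway("gw-0001", key)
    mailbox.place_message("gw-0001", "m1", "send_logs", {})
    mailbox.place_message("gw-0001", "m2", "factory_reset", {})   # not on the allowlist
    return Gateway("gw-0001", key, mailbox).poll_once()


if __name__ == "__main__":
    print(demo())
```

Because the queue is keyed by gateway ID and every GET and POST must carry a signature made with that gateway's own key, one gateway cannot read or acknowledge another's messages, and a client without a registered key gets nothing; the acknowledgement record in `Mailbox.acks` is also the audit trail an operator would review to see what was pushed to which site.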
Schneider Electric security test report sharing policy

Our intent: to help protect our customers’ investment in our products and solutions.

What we can do:
• Schneider Electric does not provide detailed security test reports or release detailed information about specific security vulnerabilities or enhancements unless they are associated with a publicly disclosed vulnerability and resolution.
• Provide a summary version of a security test report upon request and under non-disclosure agreement (NDA). It may detail scope, approach, qualifications, categorical results, and mitigation status, as applicable.
• Contact your sales representative for more information.

Learn more about our security test sharing policy.
Additional cybersecurity resources
• EcoStruxure IT security webpage: https://ecostruxureit.com/security/
• EcoStruxure IT list of subprocessors: https://ecostruxureit.com/subprocessors-and-subcontractors