SOC 2 Type II Report

For the Period of October 1, 2023 to September 30, 2024

REPORT ON CONTROLS PLACED IN OPERATION AT RISKIFIED LTD

RELEVANT TO SECURITY, AVAILABILITY AND CONFIDENTIALITY
WITH THE INDEPENDENT SERVICE AUDITOR'S REPORT
INCLUDING TEST PERFORMED AND RESULTS THEREOF

CONFIDENTIAL INFORMATION

The information contained in this report is confidential and shall not be duplicated, published, or disclosed in whole or in part, or used for other
purposes, without the prior written consent of Riskified Ltd Corporate Entity.
 Table of Contents
Section I - Riskified Ltd.’s Management Assertion 1

Section II - Independent service auditor’s report 2

Section III - Description of the Riskified Platform relevant to Security, Availability and
Confidentiality for the Period October 1, 2023 to September 30, 2024 5
Company Overview and Background 5
Purpose and Scope of the Report 5
Products and Services 5
Organizational Structure 6
Overview of Company’s Internal Controls 7
Control Environment 7
Control Activities 9
Risk Management 9
Risk Mitigation 10
Information and Communication 10
General Company Policies 11
Access Controls 11
Assignment of Access 12
Access Control, User and Permissions Management 12
Recertification of Access Permissions 12
Revocation Process 12
Production Environment Logical Access 12
Remote Access 13
Physical Access and Visitors 13
Software Development Lifecycle (SDLC) Overview 13
Monitoring the Change Management Processes 14
Infrastructure Change Management Overview 14
Description of the Production Environment 15
Network Infrastructure 15
Web, Application and Service Supporting Infrastructure Environment 15
Production Monitoring 16
Security and Architecture 16
Data Center Security 16
Infrastructure Security 16
Application Security 17
Operational Security 17
Human Resource Security 17
Data Encryption 17
Support 18
Ticketing and Management 18
Incident Management Process 18
Escalation Process 18
Availability Procedures 18
Database Backup and Restoration 18
Data center availability procedures 19
 Business Continuity Plan (BCP) 19
Monitoring Usage 19
Confidentiality Procedures 19
Subservice Organizations carved-out controls: Amazon Web Services (‘AWS’) 20
Riskified’s Merchants’ responsibilities 20

Section IV - Description of Criteria, Controls, Tests and Results of Tests 21

Testing Performed and Results of Tests of Entity-Level Controls 21
Procedures for Assessing Completeness and Accuracy of Information Provided by the Entity (IPE) 21
Criteria and controls 21
Control Environment 22
Communication and Information 25
Risk Assessment 27
Monitoring Activities 32
Control Activities 33
Logical and Physical Access Controls 35
System Operations 42
Change Management 46
Risk Mitigation 49
Availability 52
Confidentiality 53
Section I - Riskified Ltd.’s Management Assertion

November 14, 2024

We have prepared the accompanying Description of the Riskified Platform relevant to Security, Availability, and
Confidentiality throughout the period October 1, 2023 to September 30, 2024 (Description) of Riskified Ltd. (Service
Organization) in accordance with the criteria for a description of a service organization's system set forth in the
Description Criteria DC section 200 2018 Description Criteria for a Description of a Service Organization's System in a
SOC 2 Report (Description Criteria). The Description is intended to provide report users with information about the
Riskified Platform (System) that may be useful when assessing the risks arising from interactions with the System ,
particularly information about system controls that the Service Organization has designed, implemented and operated
to provide reasonable assurance that its service commitments and system requirements were achieved based on the
trust services criteria relevant to Security, Availability, and Confidentiality set forth in TSP section 100, 2017 Trust
Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, in AICPA Trust Services
Criteria.

Carved-out Unaffiliated Subservice Organization: Riskified Ltd. uses Amazon Web Services to provide infrastructure
management services. The Description indicates that complementary controls at Amazon Web Services that are
suitably designed and operating effectively are necessary, along with controls at Riskified Ltd. to achieve the service
commitments and system requirements. The Description presents Riskified Ltd.’s controls and the types of
complementary subservice organization controls assumed in the design of Riskified Ltd.’s controls. The Description does
not disclose the actual controls at the carved-out Amazon Web Services.

We confirm, to the best of our knowledge and belief, that:

a. The Description presents the System that was designed and implemented throughout the period October 1,
2023 to September 30, 2024 in accordance with the Description Criteria.

b. The controls stated in the Description were suitably designed throughout the period October 1, 2023 to
September 30, 2024 to provide reasonable assurance that Riskified Ltd. service commitments and system
requirements would be achieved based on the applicable trust services criteria, if the controls operated
effectively and if the carved-out subservice organization applied the controls assumed in the design of Riskified
Ltd.’s controls throughout that period.

c. The Riskified Ltd. controls stated in the Description operated effectively throughout the period October 1, 2023
to September 30, 2024 to provide reasonable assurance that Riskified Ltd.’s service commitments and system
requirements were achieved based on the applicable trust services criteria, if the carved-out subservice
organization applied the controls assumed in the design of Riskified Ltd.’s controls throughout that period.

1
 Kost Forer Gabbay & Kasierer Tel: +972-3-6232525
144 Menachem Begin Road, Building A Fax: +972-3-5622555
[Link]
Tel-Aviv 6492102, Israel

Section II - Independent service auditor’s report

The Board of Directors

Riskified Ltd

Scope
We have examined Riskified Ltd.’s accompanying “Description of Riskified Ltd.’s Riskified Platform throughout the period
October 1, 2023 to September 30, 2024” (Description) in accordance with the criteria for a description of a service
organization’s system set forth in the Description Criteria DC section 200 2018 Description Criteria for a Description of a
Service Organization’s System in a SOC 2 Report (With Revised Implementation Guidance — 2022) (Description Criteria)
and the suitability of the design and operating effectiveness of controls stated in the Description throughout the period
October 1, 2023 to September 30, 2024 to provide reasonable assurance that the service commitments and system
requirements were achieved based on the trust services criteria relevant to Security, Availability, and Confidentiality
(applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability,
Processing Integrity, Confidentiality, and Privacy (With Revised Points of Focus — 2022), in AICPA Trust Services Criteria.

Riskified Ltd. uses Amazon Web Services (subservice organization) to provide infrastructure management services. The
Description indicates that complementary subservice organization controls that are suitably designed and operating
effectively are necessary, along with controls at Riskified Ltd., to provide reasonable assurance that Riskified Ltd.’s service
commitments and system requirements are achieved based on the applicable trust services criteria. The description
presents Riskified Ltd.’s system; its controls relevant to the applicable trust services criteria; and the types of
complementary subservice organization controls that the service organization assumes have been implemented, suitably
designed, and operating effectively at Amazon Web Services. The Description does not disclose the actual controls at
Amazon Web Services. Our examination did not include the services provided by Amazon Web Services and we have not
evaluated whether the controls management assumes have been implemented at Amazon Web Services have been
implemented or whether such controls were suitably designed and operating effectively throughout the period October
1, 2023 to September 30, 2024.

Riskified Ltd.’s responsibilities

Riskified Ltd. is responsible for its service commitments and system requirements and for designing, implementing, and
operating effective controls within the system to provide reasonable assurance that its service commitments and system
requirements were achieved. Riskified Ltd. has provided the accompanying assertion titled, Management Assertion of
Riskified Ltd. (Assertion) about the presentation of the Description based on the Description Criteria and the suitability
of design and operating effectiveness of controls stated therein to provide reasonable assurance that the service
commitments and system requirements would be achieved based on the applicable trust services criteria. Riskified Ltd.
is responsible for (1) preparing the Description and Assertion; (2) the completeness, accuracy, and method of
presentation of the Description and Assertion; (3) providing the services covered by the Description; (4) selecting the
trust services categories addressed by the engagement and stating the applicable trust services criteria and related
controls in the Description; (5) identifying the risks that threaten the achievement of the service organization’s service
commitments and system requirements; and (6) designing, implementing, and documenting controls that are suitably
designed and operating effectively to achieve its service commitments and system requirements.

2
Service auditor’s responsibilities
Our responsibility is to express an opinion on the presentation of the Description and on the suitability of design and
operating effectiveness of controls stated therein to achieve the Service Organization’s service commitments and system
requirements based on our examination.

Our examination was conducted in accordance with attestation standards established by the American Institute of
Certified Public Accountants (AICPA) . Those standards require that we plan and perform our examination to obtain
reasonable assurance about whether, in all material respects, (1) the Description is presented in accordance with the
Description Criteria, and (2) the controls stated therein were suitably designed and operating effectively to provide
reasonable assurance that the service organization’s service commitments and system requirements were achieved
based on the applicable trust services criteria throughout the period October 1, 2023 to September 30, 2024. The nature,
timing, and extent of the procedures selected depend on our judgment, including an assessment of the risk of material
misstatement, whether due to fraud or error. We believe that the evidence we have obtained is sufficient and appropriate
to provide a reasonable basis for our opinion.

An examination of a description of a service organization’s system and the suitability of the design and operating
effectiveness of controls involves:
• obtaining an understanding of the system and the service organization’s service commitments and system
requirements
• assessing the risks that the Description is not presented in accordance with the Description Criteria and that
controls were not suitably designed or operating effectively based on the applicable trust services criteria.
• performing procedures to obtain evidence about whether the Description is presented in accordance with the
Description Criteria
• performing procedures to obtain evidence about whether controls stated in the Description were suitably
designed to provide reasonable assurance that the service organization achieved its service commitments and
system requirements based on the applicable trust services criteria.
• testing the operating effectiveness of those controls to provide reasonable assurance that the service
organization’s service commitments and system requirements were achieved based on the applicable trust
services criteria.
• evaluating the overall presentation of the Description.

Our examination also included performing such other procedures as we considered necessary in the circumstances.

We are required to be independent of Riskified Ltd. and to meet our other ethical responsibilities, as applicable for
examination engagements set forth in the Preface: Applicable to All Members and Part 1 – Members in Public Practice of
the Code of Professional Conduct established by the AICPA.

Inherent limitations
The Description is prepared to meet the common needs of a broad range of report users and may not, therefore, include
every aspect of the system that individual users may consider important to meet their informational needs.

There are inherent limitations in the effectiveness of any system of internal control, including the possibility of human
error and the circumvention of controls. Because of their nature, controls at a service organization may not always
operate effectively to provide reasonable assurance that the service organization’s service commitments and system
requirements are achieved based on the applicable trust services criteria. Also, the projection to the future of any
evaluation of the presentation of the Description, or conclusions about the suitability of the design or operating
effectiveness of the controls to meet the applicable trust services criteria, is subject to the risk that the system may
change or that controls at a service organization may become ineffective.

3
Description of tests of controls
The specific controls we tested, and the nature, timing, and results of those tests are listed in the accompanying
Description of Criteria, Controls, Tests, and Results of Tests (Description of Tests and Results).

Opinion
In our opinion, in all material respects:

a. the Description presents the Riskified Platform system that was designed and implemented throughout the
period October 1, 2023 to September 30, 2024 in accordance with the Description Criteria.

b. the controls stated in the Description were suitably designed throughout the period October 1, 2023 to
September 30, 2024, to provide reasonable assurance that Riskified Ltd.’s service commitments and system
requirements would be achieved based on the applicable trust services criteria if its controls operated
effectively throughout that period and if the subservice organizations applied the complementary controls
assumed in the design of Riskified Ltd.’s controls throughout that period.
c. the controls stated in the Description operated effectively throughout the period October 1, 2023 to
September 30, 2024 to provide reasonable assurance that Riskified Ltd. service commitments and system
requirements were achieved based on the applicable trust services criteria, if the complementary subservice
organization and user entity controls assumed in the design of Riskified Ltd.’s controls operated effectively
throughout that period.

Restricted use
This report, including the description of tests of controls and results thereof in the Description of Tests and Results, is
intended solely for the information and use of Riskified Ltd., user entities of Riskified Ltd.’s system during some or all of
the period October 1, 2023 to September 30, 2024 and prospective user entities, independent auditors and practitioners
providing services to such user entities, and regulators who have sufficient knowledge and understanding of the
following:

• The nature of the service provided by the service organization

• How the service organization’s system interacts with user entities, subservice organizations, or other parties.
• Internal control and its limitations
• Complementary subservice organization controls and how those controls interact with the controls at the service
organization to achieve the service organization’s service commitments and system requirements
• User entity responsibilities and how they interact with related controls at the service organization
• The applicable trust services criteria
• The risks that may threaten the achievement of the service organization’s service commitments and system
requirements and how controls address those risks

This report is not intended to be, and should not be, used by anyone other than these specified parties.

Kost Forer Gabbay and Kasierer

A member firm of Ernst & Young Global

November 14, 2024
Tel-Aviv, Israel

4
Section III - Description of the Riskified Platform relevant to Security, Availability and
Confidentiality for the Period October 1, 2023 to September 30, 2024

Company Overview and Background

Riskified empowers businesses to realize the potential of eCommerce by making it safe, accessible, and frictionless.
Riskified has built a next-generation platform that allows online Merchants to create trusted relationships with their
Merchants and end customers. Leveraging machine learning that benefits from a global Merchant network, the platform
identifies the individual behind each online interaction, helping Merchants—Riskified's Merchants—eliminate risk and
uncertainty from their business. Riskified drives higher sales, improves end customer experiences, and reduces fraud and
other operating costs for their Merchants as compared to the Merchants’ performance prior to onboarding.

Purpose and Scope of the Report

The scope of this report is limited to the controls supporting Riskified’s systems and the data the systems retain. The
scope does not extend to other available software products and services nor the controls at third-party service providers.

Note: Parenthetical references have been included in the following narrative as a cross-reference to the applicable control
procedures included in the Description of Criteria, Controls, Tests, and Results of Tests section of this report

Products and Services

● Chargeback Guarantee: Riskified’s core product. Automatically approves or denies Commerce orders with
guaranteed performance levels that vary in accordance with Merchants’ priorities.
● Policy Protect: Protects Merchants from abusive Merchants using multiple accounts to circumvent the store's
policy privilege.
● Account Secure: Protects Merchants and end customers from account takeover (ATO) attacks - in which an end
customers’ store account is compromised by fraudsters.
● PSD2 Optimize: Enables Merchants to minimize the negative effect of the European Union’s Payment Service
Directive regulation on their eCommerce revenues.

5
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

Organizational Structure
Riskified's organizational structure provides the overall framework for planning, directing, and controlling operations. Personnel and business functions are segregated into
departments according to job responsibilities, lines of reporting, and communications–allowing employees to focus on the specific business issues impacting their Merchants. Riskified
maintains a comprehensive organizational chart that effectively outlines the authorities of the management team and establishes a clear reporting hierarchy (3).
Below is a description of key Riskified departments:

6
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

Business Technologies: The Business Technologies department includes the following:

● Information Technology (IT): The IT department is responsible for providing Riskified with the required IT
environments.
● Security: The Security department is responsible for the production SaaS environment’s availability, security,
and scalability. Riskified control, monitor, and resolve in case of a failure. The Security Compliance team is
responsible for ongoing information security and privacy compliance maintenance activities.
● Business Applications: The Business Application department is responsible for overseeing Riskified’s business
software applications onboarding and implementation. It is comprised of technical leaders who analyze the
impact of applying new software and business processes, creating, executing, and maintaining a wide area of
business software.
● Business Intelligence: The Business Intelligence department is responsible for enabling data driven decision
making. It manages a centralized data warehouse that acts as the single version of truth for business metrics
and KPIs and creates reporting dashboards and business alerts for different business stakeholders.

Finance, Legal & Admin: The Finance, Legal and Admin department is responsible for the company’s legal, financial, and
control activities including financial planning and administrative tasks.

Product: The Product team at Riskified serves as a bridge between the company's strategy/business goals and R&D. Each
product manager is an end-to-end owner of a product domain either managing a part of the chargeback guarantee
solution or an additional product offering. The Product team works with many teams including legal, finance, sales,
marketing, account management, research, data science,and others in order to execute development plans based on
product roadmaps.

Research & Development (R&D):

Development team: The Development team practices agile methodologies, building cross functional teams around
business value with a high level of independence. The R&D department aims for a DevOps culture, where each team has
end to end ownership of their product, with a can-do and collaborative mindset. R&D works with various programming
languages and data platforms to optimize the right technological solutions for each product.
Research team: The Research team focuses on bringing value to Riskified through the development of machine learning
models and analytical solutions across domains. Research uses a wide variety of advanced techniques and algorithms to
provide maximum value from data in all shapes and sizes: classic ML and deep learning, supervised and unsupervised
NLP, anomaly detection, graph theory, and more. The team leverages the most cutting-edge solutions from event driven,
to big data solutions, cloud operations, workflow orchestration and machine learning platforms.

Overview of Company’s Internal Controls

A company’s internal control is a process impacted by the entity's boards of directors, management, and other personnel
designed to enable: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, and (c) compliance
with applicable laws and regulations. The following section is a description of the five components of internal control for
Riskified.

Control Environment
Riskified's executive management recognizes its responsibility for directing and controlling operations and for
establishing, communicating, and monitoring control policies and procedures. The documented procedures for significant
processes, including those that address system requirements and relevant updates, are available on Riskified’s internal
document repository and / or knowledge base. Riskified maintains an internal knowledge base for the design,
development, implementation, and operation of systems affecting security, availability, and confidentiality (6).

7
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

Authority and Responsibility: Lines of authority and responsibility are clearly established throughout the organization and
are communicated through Riskified:
1. Official documents
2. Management operating style
3. Organizational structure
4. Employee job descriptions
5. Organizational policies and procedures

Board of Directors - The Board of Directors (the “Board”) of Riskified Ltd. (the “Company”) is composed of 8 directors. six
(6) of the Company’s directors satisfy the U.S. Securities and Exchange Commission and New York Stock Exchange
independence requirements and the remaining two (2) directors are the Company’s co-founders and Chief Executive
Officer and Chief Technology Officer, respectively. The Board has established three standing committees: An Audit
Committee, a Compensation Committee and a Nominating & Governance Committee (together, the “Committees”). The
Board of Directors is actively engaged in the governance of the Company and its strategic direction. Members of the
Board meet on at least a quarterly basis to discuss matters pertinent to the Company and to review financial information.
The Committees meet on an as-needed basis to carry out their responsibilities. Riskified's Board meets on a quarterly
basis. The board meeting has a fixed agenda regarding (1) Financial aspects details, (2) HR, (3) Pipeline of merchants, (4)
Support issues review, (5) Discussion on new product features (1).The Board’s responsibilities include, but are not limited,
to (1) monitoring the actual performance of the Company through its financial results, (2) monitoring the Company’s
compliance with legal and regulatory requirements, (3) analysis of the budget vs actual results, (4) guiding the Company
in the way it funds its operation, (5) approving arrangements with executive officers relating to their employment
relationships with the Company, including, without limitation, employment agreements, severance agreements, change
in control agreements and restrictive covenants, and (6) approving equity-based compensation plans in which directors,
officers or employees may participate.

Management Philosophy and Operating Style - The Management team, chaired by the Chief Executive Officer (“CEO”),
has been delegated by the Board the responsibility to manage Riskified and its business daily. Riskified is led by a team
with proven ability in the SaaS, fraud risk management, and payments industries. It is charged with managing the
Company in the execution of its mission to empower businesses to realize the full potential of eCommerce by making it
safe, accessible, and frictionless. In its role, the Management team assigns authority and responsibility for operating
activities and establishes reporting relationships and authorization hierarchies. Policies and procedures are documented,
reviewed and approved on an annual basis by the management team and available to Riskified's employees within
Riskified's internal portal (2). The Management team designs policies and communications so that personnel understand
Riskified’s objectives, know how their individual actions interrelate and contribute to those objectives, and recognize
how and for what they will be held accountable. The Executive Leadership team (comprised of the CEO, Chief Financial
Officer, Chief Technology Officer, Chief Operating Officer, Chief Revenue Officer, Chief Of Staff, SVP Global HR, SVP
Product, VP Strategy, General Counsel, CIO, SVP Engineering & VP Account Manager. In addition, the Management team
convenes “off-site” on a half-year basis for strategic purposes.

Integrity and Ethical Values - Integrity and ethical behavior are the products of Riskified's ethical and behavioral standards
and are outlined in Riskified’s Code of Conduct. They include management’s actions to remove or reduce inappropriate
incentives, extraneous pressures, and opportunities that might prompt personnel to engage in dishonest, illegal, or
unethical acts. They also include the communication of the organization’s values and behavioral standards to personnel
through policy statements and from the executives. The Board of Directors and Management team recognize their
responsibility to foster a strong ethical environment within Riskified to ensure that its business affairs are conducted with
integrity and in accordance with high standards of personal and corporate conduct. All employees are required to sign
and adhere to the Code of Conduct throughout their tenure at Riskified.
Human Resources Policy and Practices - Human resource policies and practices relate to hiring, training, evaluating,
promoting, and compensating personnel. The competence and integrity of Riskified's personnel are essential elements

8
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

of its control environment. The organization’s ability to recruit and retain highly trained, competent, and responsible
personnel is dependent to a great extent on its human resource policies and practices. Job descriptions are documented
and maintained on the Riskified website. Additionally, candidates go through screening and appropriate reference checks
(4). Teams are expected to adhere to Riskified's policies that define how services should be delivered and how products
need to be developed. These are available to all Riskified personnel and are communicated by email on an as-needed
basis.

Commitment to Competence - Competence at Riskified is designed to (1) identify and hire competent personnel, (2)
provide employees with the training and information they need to perform their jobs, (3) evaluate the performance of
employees to determine their ability to perform job assignments, and (4) through the performance evaluation process,
identify opportunities for growth and job performance improvement. Every Riskified employee that joins Riskified is
automatically enrolled in the company global onboarding program. Employees are provided with necessary knowledge
about Riskified, eCommerce and fraud prevention, general work procedures, their responsibilities and Riskified policies
(5). In addition, background checks are performed for new employees (to the extent permitted by law) as part of the
recruitment process in order to review in detail their qualifications.

Riskified's team leaders are responsible for training plans for their new hires. It is the manager’s role to decide what
training a particular employee requires as they relate to specific job requirements.

An annual review for all employees takes place. Main review topics are job perception, performance feedback, and
manager-employee open discussion. Currently this review is not based on quantitative objectives. The review is written
and submitted in native language (per site). Salary increases depend on promotion as well as evaluation discussions.

Control Activities
Control activities are the policies and procedures that enable management directives to be carried out to address risks
to the achievement of the entity’s objectives. The responsibility and accountability for developing and maintaining the
policies are assigned to the relevant personnel and approved by the management team.

Riskified’s operating and functional units are required to implement control activities that help achieve business
objectives associated with:
(1) Reliability of financial reporting,
(2) Effectiveness and efficiency of operations, and
(3) Compliance with applicable laws and regulations.

The control activities are designed to address specific risks associated with Riskified operations and are reviewed as part
of the risk assessment process. Riskified has developed formal policies and procedures covering various operational
matters to document the requirements for performance of many control activities.

Risk Management
Riskified maintains a comprehensive Risk Management Process designed to identify potential problems before they occur
and mitigate adverse impacts on its company, Merchants, and their end-Merchants. Risk mitigation activities include the
development of planned policies, procedures, communications, and alternative processing solutions to respond to,
mitigate, and recover from security events that disrupt business operations. Those policies and procedures include
monitoring processes and information as well as communications to meet Riskified’s objectives during response,
mitigation, and recovery efforts (16). Riskified’s Risk Management process is established in its Risk Management Policy
and is based on ISO 31000. It enables Riskified to follow an organized, best-practice process for overseeing and
administering risk. The Risk Management Policy provides a disciplined approach to risk management that is iterative and

9
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

scalable. Consistent application of this process enables continuous improvement in decision making and performance.
Riskified’s Risk Management Policy is presented to and approved by senior management annually.

Risk identification: The process of identifying, assessing, and managing risks is a critical component of Riskified's internal
control system. Riskified manages a comprehensive risk assessment process that identifies and evaluates changes to
business objectives, commitments and requirements, internal operations, and external factors that threaten the
achievement of business objectives. The risk assessment is performed annually. As part of this process, threats to system
security are identified, evaluated, and the risk from these threats is formally assessed. The process is documented,
maintained, and approved by management (14).

The purpose of Riskified's risk assessment process is to identify, assess, and manage risks that affect the organization’s
ability to achieve its objectives. A critical component is the identification of key assets and / or business processes in
which potential exposures of some consequence exist. These exposures include a particular set of threats to the
confidentiality, integrity, or availability of Riskified systems or services over a specific timeframe. Risk identification
includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and
data flows, external information systems, and organizational roles, (2) assessing the criticality of those information assets,
(3) identifying the threats to the assets from intentional acts (including malicious), unintentional acts, and environmental
events, and (4) identifying the vulnerabilities of the identified assets. In addition, Riskified continuously assesses the risks
presented by vendors and business partners while maintaining the company's objectives (15).

Risk assessment: Ongoing monitoring and risks assessment procedures are built into the normal recurring activities of
Riskified and include regular management and supervisory activities. Potential Options include risk treatment -- such as
avoiding the risk, seeking out an opportunity, removing the source of risk, changing the likelihood, changing the
consequences, sharing the risk with another party, and risk acceptance (retaining the risk by choice).

Risk Mitigation
Once the severity and likelihood of a potential risk has been assessed, management considers how the risk should be
mitigated. Risk mitigation activities include the development of planned policies, procedures, communications, and
alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business
operations. Those policies and procedures include monitoring processes and information and communications to meet
the Riskified's objectives during response, mitigation, and recovery efforts. The risk mitigation process is integrated with
the company’s risk assessment and involves making inferences based on assumptions about the risk and carrying out a
cost-benefit analysis. Necessary actions are taken to reduce the level of impact or the likelihood of the risk
[Link] selects and develops control activities that mitigate risks to acceptable levels.

Risk responses that address and mitigate risks are carried out on a continual basis. The Security team considers how the
environment, complexity, nature, and scope of its operations affect the selection and development of control activities.
The relevant business processes are thoroughly controlled using a balance of approaches to mitigate risks, considering
both manual and automated controls and preventive and detective controls. Financial impacts of the risks are also taken
into consideration during the process. As part of its Risk Assessment and Mitigation processes, Riskified maps and assess,
on an ongoing basis, the risks that vendors and business partners (and those entities’ vendors and business partners)
represent to the achievement of the Company's objectives. In addition, Riskified obtains confidentiality commitments
that are consistent with the Riskified confidentiality commitments and requirements from vendors and business partners
who have access to confidential information (17).

Information and Communication

Information and communication are integral components of Riskified's internal control system. This includes the
identifying, capturing, and exchanging information in the form and timeframe necessary to conduct, manage, and control

10
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

the organization’s operations. At Riskified, information is identified, captured, processed, and reported by various
information systems as well as through conversations with Merchants, vendors, regulators, and employees.

A description of the Riskified system and its boundaries is also documented and communicated to Riskified employees
within the internal portal and to external users through the Riskified website (8).

Regular management meetings are held to discuss operational efficiencies within the applicable functional areas and to
disseminate new policies, procedures, controls, and other strategic initiatives. Updates to organization-wide security
policies and procedures are usually communicated to the appropriate Riskified personnel via email messages and shared
with appropriate audiences through the use of the internal communication tools. Availability, confidentiality, and security
related obligations are communicated to Riskified's employees through the Acceptable Use Policy, Confidentiality Policy,
Non-Disclosure Agreements, and other documents. New employees are required to sign a standard employment
agreement and a Non-Disclosure Agreement addressing business practices, conflicts of interest, confidentiality and
intellectual property (7). Merchant obligations and commitments are communicated within the contracts. In addition,
Riskified's approved policies as well as the data breach reporting processes are communicated to all personnel. On at
least a monthly basis, the security team meets in order to discuss security, confidentiality and availability non-compliance
issues, among others, and address them (11).

General Company Policies

Riskified has established a framework of controls, policies, and standards, as laid out in the Information Security
Management System, to protect the Confidentiality, Integrity, and Availability of information held by the company.

Riskified issues and maintains official policies in a central policy library. All policies are reviewed on an annual basis (at
minimum) by the Information Security Committee.

Company Security Policies define basic Technical and Organizational Measures (TOMs) that address Riskified’s business
and security needs and are consistent with industry best practices. These Policies are designed to guide all staff members
in the use of company assets.

Access Controls
Riskified relies heavily on computer systems to store, process, and manage business and Merchant information.
Whatever form the information takes or whatever means by which it is shared or stored, it must always be appropriately
protected. Information in any form is a valuable Riskified corporate asset and should be treated as such.

Riskified has established an organization-wide Information Security Management System (ISMS) and Information Security
Policy designed to protect information at a level commensurate with its value and risk. The policy dictates security
controls for media where information is stored, the systems that process it, and infrastructure components that facilitate
its transmission. The Information Security Policy is presented to Riskified management, reviewed, and approved on an
annual basis.

The objective of the ISMS and associated Information Security Policy is to protect against threats and security risks that
may adversely affect Riskified’s operations or professional standing or the operations and professional standings of its
Merchants or partners. An Information Security Policy is documented by Riskified management and reviewed and
approved on an annual basis by the Head of Security. The Information Security Policy is available to all Riskified employees
(9). Security problems include any loss of the confidentiality, integrity, or availability of information—whether deliberate
or accidental. The ISMS also ensures that Riskified complies with all rules, regulations, and legal requirements in the
multitude of jurisdictions in which The Company operates.

11
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

Assignment of Access
Riskified has a comprehensive on-boarding and offboarding process that, among other items, governs access rights for
employees and contractors. Internally, Riskified uses a user management system / Identity Provider (IDP) that allows it
to revoke or suspend access for a given user.

Access Control, User and Permissions Management

Riskified builds its production environment system architecture using AWS. Firewall configuration is performed by the
Riskified Security Operations team (SecOps) adhering to detailed requirements developed by the Security team.
Programmatic access to the AWS servers is temporary and performed using a two-factor authentication method and with
a token for 12 hours (31). In addition, the global management of Riskified infrastructure is performed by Riskified using
a dedicated AWS workspace. This interface allows Riskified to, among others, (1) add, modify, and manage servers, (2)
create security policies as they relate to these servers, (3) configure network and firewall parameters, (4) manage the
databases, and (5) manage the AWS users. Firewalls separate the internal network from the internet. Firewall settings
have been configured to allow only authorized traffic, as defined in Riskified's Information Security Policy.

Riskified manages and delivers its services using a variety of systems and environments. As previously described,
information security controls and procedures are implemented throughout these systems to help prevent unauthorized
access to data. Access to Riskified systems requires the same controls in and out of its physical offices. All users must
conduct multi-factor authentication (MFA) using Riskified’s IDP through Riskified’s VPN. Access to the AWS management
interface is performed using two-factor authentication (30). After the VPN connection, access to specific infrastructure,
applications, or databases is governed by role-based architecture which limits access to those who need it. Riskified has
implemented SSO for simplifying and auditing access to internal tools. Administrative permissions to the SSO tool are
granted by the system admin and are restricted to authorized personnel. Accounts are configured to require multi factor
authentication before they may be used (25). In addition, Device Trust has been implemented to verify that the device is
known, secure, and uncompromised (36).

Database servers reside within the test, sandbox, and production environment. Access to all systems is restricted to
authorized personnel (refer to section ‘Production Environment Logical Access).

Recertification of Access Permissions

Riskified has implemented a recertification process to help ensure that only authorized personnel have access to its
systems--including interfaces, servers, environments, and databases. Employees whose job functions have changed and
therefore no longer require access will have their access disabled or modified as needed. In addition, access and
permissions to the different environments (servers, database and application) are reviewed and approved by Riskified
management on an annual basis (28).

Revocation Process
Riskified maintains a comprehensive offboarding process that departing employees complete on their last day of
employment. The offboarding process for terminated employees includes timely access revocation from all environments
(35). Termination notification is documented and accessible within the Riskified Internal IT management ticket system.
This process includes revocation of access permissions to the systems and premises, as well as return of property, data,
and equipment.

12
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

Production Environment Logical Access

Riskified’s solution is multi-tenanted. In order to provide its service, data from multiple Merchants is aggregated for cross-
referencing and anti-fraud detection. Data for each Merchant is logically separated from each other. (NOTE: AWS is multi-
tenant at the hardware level). When logging into Riskified’s system, each Merchant is only able to view their specific
information.

Access to the production server is performed by using a Remote access system and is restricted to authorized personnel.
Every access requires authentication through a dedicated Remote access system (24). Users are identified through the
use of a user ID/password combination using the SSO tool. Strong password configuration settings, where applicable, are
enabled on the domain, application and database. Password requirements include: (1) a minimum password length, (2)
a limit on the number of attempts to enter a password before the user ID is suspended, (3) password complexity and (4)
restricting the use of common passwords (23). Access to the production environment is limited to authorized personnel.
Access to the production environment is limited to authorized personnel. In a case of emergency change/troubleshooting,
developers will be granted limited access through a bot for up to 12 hours. This access requires entering a valid ticket.
Log events related to production changes are kept (52).

Moreover, administrative access to the build tool is restricted to authorized personnel (26) and access to the source
control tool is restricted to authorized personnel. Accounts are configured to require multi-factor authentication before
they may be used (27). Employees are provided with the minimal access rights required to carry out their duties. New
users accessing Riskified systems are granted access upon notification from the HR department. A detailed ticket is
opened in the IT management ticketing system using a new hire template. Depending on the role (department, job title,
and team), permissions are automatically granted. If other, specific, permissions are needed, a ticket is opened in the IT
management system along with appropriate approval and documentation. In addition, access to system resources is
protected through a combination of firewalls, VPNs, native operating system security, database management system
security, application controls, and intrusion detection monitoring software (22).

Remote Access
Riskified’s internal networks are protected using commercial firewalls configured and administered by the Security
department. Access to Riskified's physical offices--and even to the secured corporate Wi-Fi network--does not grant
access to any Riskified data or services. To access data or services, users must first authenticate (via MFA) through
Riskified’s VPN. In addition, Riskified’s production environment servers are protected by AWS tools and controls
configured by Riskified. Riskified employees are granted remote access to the internal production network environment
based on the need-to-work principle. Traffic entering Riskified’s production network is monitored and screened by
firewalls and monitoring tools. Endpoints automatically lock, and some sessions terminate, after a predefined period of
inactivity. Users need to login again in order to re-establish connection to the network. Encryption between Riskified
customers and the Riskified application is enabled using an authenticated TLS tunnel (29).

Physical Access and Visitors

Riskified recognizes the significance of physical security controls as a key component in its overall security program.
Offices have 24-hour security guards and alarms. Physical access to the offices is restricted to authorized personnel
through the use of an electronic identification card / mobile access control (33). Physical access methods, procedures,
and controls have been implemented to help prevent unauthorized access to data, assets, and restricted areas. Access is
granted to Riskified's personnel by the Administrative team. Permissions to issue cards and grant access are restricted to
the administrative manager and the authorized designees. Visitors to the Riskified office are accompanied while on
premises (34).

Access to Riskified's physical offices and even to the secured Wi-Fi network does not, in and of itself, grant access to any
Riskified data or services.

13
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

Software Development Lifecycle (SDLC) Overview

Riskified deploys its service using an agile methodology. To maximize the fraud-detection algorithm, Riskified uses
continuous integration and deploys code numerous times per day.

The software development lifecycle consists of the following stages:

● Product/Engineering Requirements Definition
● Detailed Design
● Coding
● Code review -- including unit and functional testing as well as manual code review
● Deployment

Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are
documented and approved by the management team within the change management application. Change management
tickets are prioritized and labeled based on development phase and urgency (44). Each change goes through a life cycle.
Product requirements are constantly collected from a number of sources including Merchants and from market research
by Riskified Product Managers. These requirements, combined with security and additional engineering improvement
requirements, are discussed by R&D managers and Product Managers and are converted to a Product Requirements
Document (PRD) that contains a more specific description of required features and changes.

A sprint planning meeting is performed bi-weekly between the product manager and the R&D in order to approve the
versions that will be deployed to production (48). Quarterly planning is performed to address security requirements of
the software development life cycle (45). Management reviews potential changes / improvements providing a high-level
effort estimation for every feature. Prioritized features lists are developed based on the effort estimation, required
timeline, and product need of the release.

All new push-requests are subject to code-review. Code level tests and functional tests are performed using a dedicated
tool on a regular basis in order to identify issues within the application (50). Code changes are reviewed along with the
pull request and performed by the team leader. The code review is documented on the source control system. Code
review is mandatory in order to continue in the SDLC process and deploy a version to the production environment (47).
Additionally, a successful test status is mandatory in order to continue in the SDLC process and deploy a version to the
production environment (51). Manual deployment to production is performed via a dedicated deployment tool. Access
to the deployment tool is restricted to authorized personnel (49). After deployment to staging, an additional manual
check is done in staging before final deployment. Riskified uses continuous integration and deploys code numerous times
per day with this process. If problems are detected, it has the ability to instantly roll-back to a previous release. Check-in
of code triggers the unit testing process and if passed successfully, a new build is created, and automated tests are
executed on it.

Monitoring the Change Management Processes

Riskified deploys its service using an agile methodology. In an effort to maximize its fraud-detection algorithm, Riskified
uses continuous integration and deploys code numerous times per day. Riskified's systems are designed to not require
system downtime for deploying code to production. If problems are detected, Riskified has the ability to instantly roll-
back to a previous release. Changes are documented and prioritized using tasks within the change management
application. In addition, changes are connected to the source control tool in order to link the request to the actual code
change (46). Changes are reviewed at the end of every sprint to verify compatibility with Riskified’s environment and
ensure that changes were deployed correctly. Riskified employs continuous monitoring of both business and technical
KPI during the change / deployment process.

14
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

Infrastructure Change Management Overview

All of Riskified network infrastructure is hosted on Amazon Web Services (AWS) and deployed as Infrastructure as Code.
The same change management process (including 2-weeks sprints, testing, and review) that is used for Riskified’s core
product is used for its underlying support infrastructure.

Riskified regularly makes changes within its production environment in response to evolving Merchant and market needs
and as technology evolves. This may include adding/removing/changing configuration policies of existing systems or
performing routine maintenance activities, software updates, and other infrastructure-related changes. Infrastructure
changes are documented within the Change Management process. Requests are reviewed and approved using the same
Change Management process as used by core services.

Description of the Production Environment

The processes described below are executed within Riskified's production environment, hosted in co-location (cloud)
data centers by a third-party vendor, Amazon Web Services (AWS), in the United States. The facilities comply with
standards of quality, security, and reliability that enable Riskified to provide its services in an efficient and stable manner.

AWS: Riskified's infrastructure runs on top of AWS’s Infrastructure as a Service (IaaS) and utilizes various services such
as: (1) EC2, (2) S3, (3) RDS (4), ECR, (5) CloudTrail, (6) CloudFront (AWS’s CDN), and others.

AWS’s web service interface (AWS Console) allows Riskified to control its cloud-based enterprise computing resources.
AWS Console runs on AWS’s computing environment. EC2 reduces the time required to obtain and boot new server
instances, allowing Riskified to quickly scale capacity, both up and down, as computing requirements change. The use of
EC2 allows Riskified to:
● Select a pre-configured template to get up and running immediately or create a per-need AMI containing Riskified-
configured applications, libraries, data, and associated configuration settings;
● Configure security and network access on the EC2 instance;
● Choose which instance type(s), then start, terminate, and monitor as many instances as needed, using the web
service APIs; and
● Determine whether to run in multiple locations, utilize static IP endpoints, or attach persistent block storage to
instances.

Note: Controls performed by the data center service providers are not included in the scope of this report. The production
environment is completely separated from the corporate environment and follows strict access and data processing
procedures and processes. The environment is managed by selected Security personnel who use MFA to connect using a
dedicated AWS workspace.

Network Infrastructure
Robust network infrastructure is essential for reliable and secure real-time data communication between Riskified's cloud
service components. To provide sufficient capacity, Riskified’s network infrastructure relies on platforms provided by
Amazon Web Services (AWS). To ensure appropriate network security levels, Riskified security standards and practices
are backed by a multi-layered approach that incorporates practices for preventing security breaches and ensuring
confidentiality, integrity, and availability. Riskified’s security model includes the following components:

15
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

● Various authentication schemas such as multi-factor authentication (MFA), unique ID and complex password policy
● Logical security
● Penetration testing
● IP address source restriction
● Merchants' data encryption at-rest and in transit
● Network and infrastructure security, including:
o Network architecture
o Risk management
o AWS data centers
o Cloud operation security (change management, monitoring and log analysis)

Web, Application and Service Supporting Infrastructure Environment

Riskified utilizes AWS’s clustered infrastructure design to provide redundancy and high availability. In addition, the
infrastructure is configured in a way that enables auto scaling capabilities. This allows supporting high performance
during demand spikes to the services.

Production Monitoring
Riskified’s production network encompasses numerous components including web services, application and data servers,
databases, monitoring tools, and redundant network equipment provided as part of AWS services. In order to improve
service availability to Merchants and to support the operations of the Riskified environments, Riskified maintains a
dedicated Security department. The Security department is responsible for the ongoing work on the production
environment as well as investigating escalated issues. The production environment, including the servers and application,
is monitored 24/7/365 by the Engineering and Security teams. Key Riskified staff members are notified of events related
to the security, availability, or confidentiality of services.

Security and Architecture

Riskified provides a secure, reliable, and resilient SaaS platform that has been designed from the ground up based on
industry best practices. Riskified understands that it provides a mission-critical service to its Merchants and has
incorporated information security elements into its development procedures, systems, and supporting infrastructure.

Data Center Security

Riskified relies on Amazon Web Services global infrastructure, including the facilities, network, hardware, and operational
software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of cloud computing resources
and storage. This infrastructure is designed and managed according to security best practices as well as a variety of
security compliance such as--including FedRAMP, HIPAA, ISO 27001:2015, AICPA SOC 1, SOC 2, SOC 3 and PCI-DSS and
more. AWS operates on a shared security model by which it manages several critical environmental and physical security
areas. These include:

● Redundancy - The data centers are designed to anticipate and tolerate failure while maintaining service levels with
core applications deployed to multiple regions.
● Fire Detection and Suppression - Automatic fire detection and suppression equipment has been installed to reduce
risk.
● Redundant Power -The data center electrical power systems are designed to be fully redundant and maintainable
without impact to operations, 24 hours a day, and Uninterruptible Power Supply (UPS) units provide back-up power
in the event of an electrical failure. Data centers use generators to provide back-up power for the entire facility.

16
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

● Climate and Temperature Controls -The data center maintains a constant operating temperature and humidity level
for all hardware.
● Physical access - AWS recognizes the significance of physical security controls as a key component in its overall
security program. Physical access methods, procedures, and controls have been implemented to help prevent
unauthorized access to data, assets, and restricted areas.

Infrastructure Security
● End-to-End Network Isolation - Riskified’s Virtual Private Cloud (VPC) is designed to be logically separated from other
cloud Merchants and to prevent data within the cloud being intercepted.
● External & Internal enforcement points - All servers are protected by restricted AWS firewall rules. The configuration
of AWS firewall rules is restricted to authorized personnel.
● Server Hardening - All servers are hardened according to industry best practices.
● Segregation Between Office and Production Networks – There is a complete separation between the Riskified’s
Corporate network (office Wi-Fi) and the Production network (AWS). Access to the production environment is
granted to authorized personnel only, and traffic between the networks is sent over an encrypted tunnel. Access to
Riskified's physical offices or to its secured Wi-Fi network does not grant access to any Riskified data or services. To
access data or services, Riskified personnel must first authenticate (via MFA) through the corporate VPN and then
subsequently authenticate to the specific resource.

Application Security
● Penetration Testing - An annual outside penetration test of external facing systems is required under Riskified's ISMS
policies. Supplemental testing may be conducted upon the introduction of major changes. The penetration tests
include, among others, procedures to prevent Merchants, groups of individuals, or other entities from accessing
confidential information other than their own. Penetration tests for public-facing services are performed on an
annual basis. High issues are investigated and resolved as part of the SDLC process (42).
● Vulnerabilities Management - Web application architecture and implementation follow OWASP guidelines.
Riskified’s API, its WebApp, and decision engine is regularly tested for common vulnerabilities (such as CSRF, XSS,
SQL Injection, and the OWASP top-10).
● Segregation of Merchant Data - Riskified employs a login system and authorization mechanism based on industry
best practices. During each user request, a validation process is performed through encrypted identifiers to ensure
that only authorized users gain access to the specific data. The process is validated by third-party security
consultants on a yearly basis.

Operational Security
● Configuration and Patch Management - Riskified employs a centrally managed configuration management system,
including infrastructure-as-code systems through which predefined configurations and the desired patch levels of
various software components are enforced on its servers. Riskified servers, OS and applications are scheduled to be
automatically updated upon the release of the latest version. New version updates are based on new vulnerabilities
and are communicated to the security team leader (43).
● Security Incident Response Management - Whenever a security incident of a physical or electronic nature is
suspected or confirmed, Riskified's engineers follow appropriate procedures. Merchants and legal authorities will
be notified as required by relevant laws / regulations.
● EDR - An EDR solution is installed on employees' laptops in order to detect and prevent infection of unauthorized or
malicious software (41). The employees’ laptops are encrypted with the use of a 256-bit AES encryption.
● Unified Endpoint Management - All Riskified endpoints are MacBook Pros. A unified endpoint management agent is
installed on employees’ laptops in order to monitor and enforce Riskified governance (40).
Human Resource Security
17
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

● Security Awareness Training - Riskified maintains a comprehensive information security training program that all
employees are required to attend during on-boarding. Additionally, security awareness training is performed by
employees on a semi-annual basis (13). The training program covers our internal policies and procedures, secure
coding, updates on trends in information security, the latest data security and privacy obligations, SDLC, and a review
of the landscape at Riskified.
● Secure Coding Standards Training - Riskified developers are trained in industry standard secure coding practices.
Furthermore, they are also involved, when appropriate, with analyzing penetration test results, mitigating any
findings, and during the ‘lessons learned’ phase of analysis. Moreover, personnel responsible for the design,
development, implementation, and operation of systems affecting security, availability and confidentiality, undergo
training on a regular basis (12).

Data Encryption
● Data in transit - all traffic between the Merchants and the Riskified platform is encrypted through TLS. Encryption
between Riskified's Merchants and Riskified’s services (e.g., the API), as well as between Riskified sites, is enabled
using an authenticated TLS tunnel. Connections to the Riskified network and databases are obtained through a
secured tunnel. Merchants’ sessions and interactions are encrypted using 256bit TLS over HTTPS. Riskified’s
webhooks add an additional layer of authentication with a pre-shared HMAC SHA which can be changed by the
Merchant via the WebApp. Internet traffic is encrypted using high class level certificates based on the PKI
infrastructure. Riskified uses encryption to supplement other measures used to protect data-at-rest. Processes are
in place to protect encryption keys during generation, storage, use, and destruction.
● Data at rest - Riskified encrypts all data at rest. All endpoints use FileVault2 (XTS-AES-128 encryption with a 256-bit
key). All Riskified data is stored on AWS and encrypted, without any action required from the Merchant, using 256-
bit Advanced Encryption Standard (AES-256). As part of the AWS solution, they offer encryption at rest on their EC2
and RDS services.

Support
Support is available via support mail and the customer support portal. Support is handled by Riskified according to the
internal service procedures (19). For critical issues, the standard is acknowledgement within 60 minutes and resolution
of 90% of issues within two hours. Support channels include an in-app form, a dedicated email address
(support@[Link]), and a dedicated phone number made available to a select group of Merchants. Riskified
provides a dedicated support portal designed to assist customers with product usage and address any inquiries they may
have (10).

Ticketing and Management

Riskified opens a ticket when an issue is raised by a Merchant or when an issue is proactively identified. Riskified uses a
third-party CRM application to manage, classify, and track the Merchant support-related issues. Tickets are classified by
the level of urgency and assigned to the appropriate support tier for resolution. Service interruptions, maintenance and
updates are communicated to customers through a dedicated status page or an email for subscribers (20).

Incident Management Process

Incidents are classified according to the level of urgency and importance. The CISO is responsible for escalating critical
incidents and performing formal Lessons Learned reviews. Incident notifications are sent to all Merchants within 72 hours
whose data has been impacted.

18
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

Escalation Process
Riskified’s goal is to resolve issues in an efficient manner. Issues are tracked and updated in the support ticketing system.
The escalation process is defined and documented by Merchant support. When necessary, tickets are escalated to
Security, R&D, or Technical Services teams. In addition, to maintain visibility on current support issues and potential
problem trends, support metrics, including Key Performance Indicators (KPI's), are generated in the support application
and discussed and reviewed in weekly meetings (21).

Availability Procedures
All of Riskified infrastructure (including its production environment) is hosted on Amazon Web Services (AWS) within
multiple availability zones (AZ) in the US-East region. The Riskified production environment is located in several
availability zones and regions to maintain high availability standards (54). A loss of utility or connectivity in one AZ would
not result in a disruption of services. For BCP purposes, Riskified also maintains a read-available copy of its database in
AWS-West. Backups are isolated from its environment to protect against ransomware or other similar incidents.
Riskified’s production environment and application level is monitored using both tools provided by AWS as well as
internal tools. In the event of a breakdown, appropriate teams are automatically alerted.

Database Backup and Restoration

Riskified application databases are backed up according to the backup policy on a daily basis. Backups are retained for at
least 30 days (53). The backup system automatically generates a backup log. In case of failure, a notification is sent to the
Operations team. All Riskified data is highly available across multiple availability zones within AWS-East. Additionally,
Riskified maintains a read-replica of our database on AWS-West for BCP purposes. Point in time backups occur continually
using AWS RDS and are readily available (7 day point in time). Access to backup and database storage is restricted to
authorized individuals (32). Restore tests are performed on an annual basis. The test includes a full restore to a separate
database server and bringing up the database to verify data integrity and accessibility. The Disaster Recovery (DR) test
process and results are documented and communicated to key Riskified personnel (55).

Data Center Availability Procedures

AWS provides Riskified with a secured location, implementing appropriate measures to protect against environmental
risks or disaster.

Business Continuity Plan (BCP)

Riskified has developed a Business Continuity Plan to enable the company to continue to provide critical services in case
of a disaster. All of Riskified infrastructure (including its API) is hosted on Amazon Web Services (AWS) within multiple
availability zones (AZ) in the US-East region. A loss of utility or connectivity in one AZ would not result in a disruption of
services. For BCP purposes, Riskified also maintains a read-available copy of its database in AWS-West. Backups are
isolated from the environment to protect against ransomware or other similar incidents. In the highly unlikely event of a
region-wide outage, Riskified maintains plans to deploy the service in additional regions.

Monitoring Usage
Riskified uses a suite of monitoring tools to monitor its service. Alerts are sent by an internal communication tool based
on pre-defined rules. The notifications are reviewed and processed according to their level of urgency (18). Vulnerability
scanning is continuously performed on the production environment using an external tool, in order to detect potential
security breaches and remediate identified vulnerabilities (39). An Endpoint DLP solution has been installed to protect
data (37). In addition, a tool is in place to monitor and prevent unauthorized use of Artificial Intelligence (AI) (38).

The management team is updated on an annual basis regarding security, confidentiality, and availability non-compliance
issues and addresses these issues as needed. Such issues are documented as part of a support process and, if necessary,

19
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

notifications are sent to the Security team or the IT team. Change reports, vulnerability reports from production and
monitoring tools, and support metrics are generated in the support application and discussed and reviewed weekly. The
production environment, including servers and application, is monitored 24/7/365 by the Operations team during the
day and by 'Dev on Shift' at night. Key Riskified managers are notified of events related to the security, availability, or
confidentiality of service to Merchants. In addition, environmental, regulatory, and technological changes are monitored.
Their effects are assessed, and their policies are updated accordingly. A summarized report is made available to relevant
managers and team members.

Confidentiality Procedures
Merchant and end customer confidentiality is critically important to Riskified. Riskified’s application was developed with
a heavy emphasis on logical security segregation–built within the application to separate one tenant's users from others.
Merchants are restricted to their own web interface environment (multi-tenant) and do not have access to view data
from other environments (57). The security measures aim to prevent unauthorized access, disclosure, alteration or
destruction of sensitive personal information. Actions performed on the production environment, including OS,
machines, and applications are monitored and automatically logged after every access. The logs are continuously
reviewed by a dedicated team and alerts are triggered upon the identification of an anomaly. All logs are encrypted (59).

Merchants’ passwords and PII are encrypted within the Riskified application database according to the Riskified security
policy (56). In addition, a confidentiality agreement is signed with Riskified's infrastructure third-party providers to
maintain the system confidentiality (58).

Subservice Organizations Carved-Out Controls: Amazon Web Services (‘AWS’)

The subservice organization is expected to:
● Implement controls to enable security and monitoring tools within the production environment;
● Implement logical access security measures to infrastructure components including native security or security
software and appropriate configuration settings;
● Restrict access to the virtual and physical servers, software, firewalls, and physical storage to authorized individuals
and to review the list of users and permissions on a regular basis;
● Implement controls to:
o Provision access only to authorized persons;
o Remove access when no longer appropriate;
o Secure the facilities to permit access only to authorized persons; and
o Monitor access to the facilities.
● Remain consistent with defined system security as it relates to the design, acquisition, implementation,
configuration modification, and management of infrastructure and software; and
● Maintain system components, including configurations consistent with the defined system security related policies.

Riskified’s Merchants’ Responsibilities

Riskified Merchants have a number of responsibilities in ensuring safe use of Riskified’s software and platform. This
includes:
● Implementing sound and consistent internal controls regarding general IT system access and system usage
appropriateness for all internal user organization components associated with Riskified;
● Ensuring timely removal of user accounts for any users who have been terminated and were previously involved
in any material functions or activities associated with Riskified’s services;
● Maintaining authorized, secure, timely, and complete transactions for user organizations relating to Riskified’s
services;

20
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

● Implementing controls requiring additional approval procedures for critical transactions relating to Riskified’s
services;
● Reporting to Riskified in a timely manner any material changes to their overall control environment that may
adversely affect services being performed by Riskified;
● Notifying Riskified in a timely manner of any changes to personnel directly involved with services performed by
Riskified;
● Notifying Riskified of any personnel who may be involved in financial, technical, or ancillary administrative
functions directly associated with services provided by Riskified;
● Adhering to the terms and conditions stated within their contracts with Riskified; and
● Developing and, if necessary, implementing a business continuity and disaster recovery plan (DRP) that will aid
in the continuation of services provided by Riskified

21
 Section III - Description of the Riskified Platform relevant to Security, Availability and Confidentiality for the
period October 1, 2023 to September 30, 2024.

Section IV - Description of Criteria, Controls, Tests and Results of Tests

Testing Performed and Results of Tests of Entity-Level Controls

In planning the nature, timing, and extent of its testing of the controls specified by Riskified Ltd, KFGK considered the
aspects of Riskified Ltd control environment, risk assessment processes, information, communication, and management
monitoring procedures and performed such procedures as we considered necessary in the circumstances.

Procedures for Assessing Completeness and Accuracy of Information Provided by the Entity (IPE)
For tests of controls requiring the use of IPE, including Electronic Audit Evidence (EAE) (e.g., controls requiring system-
generated populations for sample-based testing), we performed a combination of the following procedures where
possible based on the nature of the IPE to address the completeness, accuracy, and data integrity of the data or reports
used: (1) inspect the source of the IPE, (2) inspect the query, script, or parameters used to generate the IPE, (3) tie data
between the IPE and the source, and/or (4) inspect the IPE for anomalous gaps in sequence or timing to determine the
data is complete, accurate, and maintains its integrity. In addition to the above procedures, for tests of controls requiring
management’s use of IPE in the execution of the controls (e.g., periodic reviews of user access listings), we inspected
management’s procedures to assess the validity of the IPE source and the completeness, accuracy, and integrity of the
data or reports.

Criteria and Controls

On the pages that follow, the applicable Trust Services Criteria and the controls to meet the criteria have been specified
by and are the responsibility of Riskified. The testing performed by Kost Forer Gabbay and Kasierer (KFGK) and the results
of tests are the responsibility of the service auditor. Refer to the Trust Services criteria mapping section for the mapping
of these controls to the Trust Services criteria.

22
Section IV - Description of Criteria, Controls, Tests and Results of Tests

Control Environment
CC1.1 / COSO Principle 1: The entity demonstrates a commitment to integrity and ethical values.
# Controls specified by the Company Testing performed by the auditor Results of Testing
4 Job descriptions are documented and maintained on Inspected Riskified job descriptions on the website and No deviations noted.
the Riskified website. Additionally, candidates go determined that job descriptions were documented and
through screening and appropriate reference maintained.
checks.
Inspected a sample of Riskified recruitment
documentation and determined that candidates went
through screening and that reference checks were
conducted.

7 New employees are required to sign a standard Inspected a sample of Non-Disclosure Agreements No deviations noted.
employment agreement and a Non-Disclosure signed by new employees and determined that new
Agreement addressing business practices, conflicts employees were required to sign a standard
of interest, confidentiality and intellectual property. employment agreement.

CC1.2 / COSO Principle 2: The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal
control.
# Controls specified by the Company Testing performed by the auditor Results of Testing

1 Riskified's Board meets on a quarterly basis. The Inspected a sample of quarterly Board meeting No deviations noted.
board meeting has a fixed agenda regarding (1) presentation decks and determined that the company's
Financial aspects details, (2) HR, (3) Pipeline of Board met on a quarterly basis.
merchants, (4) Support issues review, (5) Discussion
on new product features.

23
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC1.3 / COSO Principle 3: Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
# Controls specified by the Company Testing performed by the auditor Results of Testing
1 Riskified's Board meets on a quarterly basis. The Inspected a sample of quarterly Board meeting No deviations noted.
board meeting has a fixed agenda regarding (1) presentation decks and determined that the company's
Financial aspects details, (2) HR, (3) Pipeline of Board met on a quarterly basis.
merchants, (4) Support issues review, (5) Discussion
on new product features.

2 Policies and procedures are documented, reviewed Inspected a sample of policies and determined that No deviations noted.
and approved on an annual basis by the policies and procedures were documented, approved
management team and available to Riskified's on at least an annual basis.
employees within Riskified's internal portal.
Inspected the internal portal and determined policies
were available to employees.
3 Riskified maintains a comprehensive organizational Inspected the Riskified organization chart and No deviations noted.
chart that effectively outlines the authorities of the determined that it was a comprehensive organizational
management team and establishes a clear reporting chart that effectively outlined the authorities of the
hierarchy. management team and established a clear reporting
hierarchy.

9 An Information Security Policy is documented by Inspected Riskified's Information Security Policy and the No deviations noted.
Riskified management and reviewed and approved company's internal portal and determined that the
on an annual basis by the Head of Security. The policy was reviewed, approved and available to all
Information Security Policy is available to all Riskified employees.
Riskified employees.

24
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
11 On at least a monthly basis, the security team meets Inspected the security team invitations and determined No deviations noted.
in order to discuss security, confidentiality and that the Riskified security team met on at least a
availability non-compliance issues, among others, monthly basis in order to discuss security,
and address them. confidentiality and availability non-compliance issues,
among others, and addressed them.

CC1.4 / COSO Principle 4: The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing
4 Job descriptions are documented and maintained on Inspected Riskified job descriptions on the website and No deviations noted.
the Riskified website. Additionally, candidates go determined that job descriptions were documented and
through screening and appropriate reference maintained.
checks.
Inspected a sample of Riskified recruitment
documentation and determined that candidates went
through screening and that reference checks were
conducted.

5 Every Riskified employee that joins Riskified is Inspected the Riskified onboarding documentation for a No deviations noted.
automatically enrolled in the company global sample of new employees and global onboarding
onboarding program. Employees are provided with program and determined that new employees went
necessary knowledge about Riskified, eCommerce through an onboarding process, during which among
and fraud prevention, general work procedures, others, they were communicated their responsibilities
their responsibilities and Riskified policies. and the different Riskified policies.

25
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
7 New employees are required to sign a standard Inspected a sample of Non-Disclosure Agreements No deviations noted.
employment agreement and a Non-Disclosure signed by new employees and determined that new
Agreement addressing business practices, conflicts employees were required to sign a standard
of interest, confidentiality and intellectual property. employment agreement.

12 Personnel responsible for the design, development, Inspected the training program materials and the No deviations noted.
implementation, and operation of systems affecting learning participants and determined that personnel
security, availability, confidentiality, undergo responsible for the design, development,
training on a regular basis. implementation, and operation of systems affecting
security, availability, and confidentiality went through
training on a regular basis.

13 Security awareness training is performed by Inspected the security awareness training tool and No deviations noted.
employees on a semi-annual basis. dashboard and determined that training was performed
on a semi-annual basis.

26
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC1.5 / COSO Principle 5: The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
# Controls specified by the Company Testing performed by the auditor Results of Testing
2 Policies and procedures are documented, reviewed Inspected a sample of policies and determined that No deviations noted.
and approved on an annual basis by the policies and procedures were documented, approved
management team and available to Riskified's on at least an annual basis.
employees within Riskified's internal portal.
Inspected the internal portal and determined policies
were available to employees.

3 Riskified maintains a comprehensive organizational Inspected the Riskified organization chart and No deviations noted.
chart that effectively outlines the authorities of the determined that it was a comprehensive organizational
management team and establishes a clear reporting chart that effectively outlined the authorities of the
hierarchy. management team and established a clear reporting
hierarchy.

Communication and Information

CC2.1 / COSO Principle 13: The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

# Controls specified by the Company Testing performed by the auditor Results of Testing
2 Policies and procedures are documented, reviewed Inspected a sample of policies and determined that No deviations noted.
and approved on an annual basis by the policies and procedures were documented, approved
management team and available to Riskified's on at least an annual basis.
employees within Riskified's internal portal.
Inspected the internal portal and determined policies
were available to employees.

27
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC2.2 / COSO Principle 14: The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of
internal control.

# Controls specified by the Company Testing performed by the auditor Results of Testing
2 Policies and procedures are documented, reviewed Inspected a sample of policies and determined that No deviations noted.
and approved on an annual basis by the policies and procedures were documented, approved
management team and available to Riskified's on at least an annual basis.
employees within Riskified's internal portal.
Inspected the internal portal and determined policies
were available to employees.

5 Every Riskified employee that joins Riskified is Inspected the Riskified onboarding documentation for a No deviations noted.
automatically enrolled in the company global sample of new employees and global onboarding
onboarding program. Employees are provided with program and determined that new employees went
necessary knowledge about Riskified, eCommerce through an onboarding process, during which among
and fraud prevention, general work procedures, others, they were communicated their responsibilities
their responsibilities and Riskified policies. and the different Riskified policies.

6 Riskified maintains an internal knowledge base for Inspected the Riskified internal knowledge base and No deviations noted.
the design, development, implementation, and determined that Riskified maintained an internal
operation of systems affecting security, availability, knowledge base for the design, development,
and confidentiality. implementation, and operation of systems affecting
security, availability and confidentiality.

28
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
8 A description of the Riskified system and its Inspected Riskified system description on the company's No deviations noted.
boundaries is documented and communicated to internal portal and website and determined that a
Riskified employees within the internal portal and to description of the Riskified environment and its
external users through the Riskified website. boundaries were documented and communicated to
Riskified employees within the internal portal and to
external users through the Riskified website.

13 Security awareness training is performed by Inspected the security awareness training tool and No deviations noted.
employees on a semi-annual basis. dashboard and determined that training was performed
on a semi-annual basis.

21 Support metrics, including Key Performance Inspected the support tool KPI’s and bi-weekly meeting No deviations noted.
Indicators (KPI's), are generated in the support invitations and determined that Key Performance
application and discussed and reviewed in weekly Indicators were generated in the support application
meetings. and discussed and reviewed in a bi-weekly meetings.

CC2.3 / COSO Principle 15: The entity communicates with external parties regarding matters affecting the functioning of internal control.

# Controls specified by the Company Testing performed by the auditor Results of Testing
8 A description of the Riskified system and its Inspected Riskified system description on the company's No deviations noted.
boundaries is documented and communicated to internal portal and website and determined that a
Riskified employees within the internal portal and to description of the Riskified environment and its
external users through the Riskified website. boundaries were documented and communicated to
Riskified employees within the internal portal and to
external users through the Riskified website.

29
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
10 Riskified provides a dedicated support portal Inspected the support portal from the website and No deviations noted.
designed to assist customers with product usage and determined that Riskified provided a dedicated support
address any inquiries they may have. portal designed to assist customers with product usage
and address any inquiries they may have.

19 Support is available via support mail and the Inspected Riskified's customer support tool, customer No deviations noted.
customer support portal. Support is handled by support tool dashboards, and customer support tickets,
Riskified according to the internal service and determined that support was available via mail and
procedures. the customer support portal. Support was handled by
Riskified according to internal service procedures.

20 Service interruptions, maintenance and updates are Inspected Riskified's status page and customer emails No deviations noted.
communicated to customers through a dedicated and determined that service interruptions, maintenance
status page or an email for subscribers. and updates were communicated to customers through
a dedicated status page or an email for subscribers.

30
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

Risk Assessment
CC3.1 / COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
# Controls specified by the Company Testing performed by the auditor Results of Testing
14 Riskified manages a comprehensive risk assessment Inspected the Risk Management policy and risk No deviations noted.
process that identifies and evaluates changes to assessment documentation and determined that
business objectives, commitments and threats to system security were identified, evaluated
requirements, internal operations, and external and the risk from these threats was formally assessed.
factors that threaten the achievement of business The process was documented, maintained, and
objectives. The risk assessment is performed approved by management.
annually. As part of this process, threats to system
security are identified, evaluated, and the risk from
these threats is formally assessed. The process is
documented, maintained, and approved by
management.

15 Riskified continuously assesses the risks presented Inspected the vendor risk management tool and No deviations noted.
by vendors and business partners while maintaining dashboard and determined that Riskified continuously
the company's objectives. assessed the risks presented by vendors and business
partners while maintaining the company's objectives.

31
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC3.2 / COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be
managed.

# Controls specified by the Company Testing performed by the auditor Results of Testing
1 Riskified's Board meets on a quarterly basis. The Inspected a sample of quarterly Board meeting No deviations noted.
board meeting has a fixed agenda regarding (1) presentation decks and determined that the company's
Financial aspects details, (2) HR, (3) Pipeline of Board met on a quarterly basis.
merchants, (4) Support issues review, (5) Discussion
on new product features.

11 On at least a monthly basis, the security team meets Inspected the security team invitations and determined No deviations noted.
in order to discuss security, confidentiality and that the Riskified security team met on at least a
availability non-compliance issues, among others, monthly basis in order to discuss security,
and address them. confidentiality and availability non-compliance issues,
among others, and addressed them.

14 Riskified manages a comprehensive risk assessment Inspected the Risk Management policy and risk No deviations noted.
process that identifies and evaluates changes to assessment documentation and determined that
business objectives, commitments and threats to system security were identified, evaluated
requirements, internal operations, and external and the risk from these threats was formally assessed.
factors that threaten the achievement of business The process was documented, maintained, and
objectives. The risk assessment is performed approved by management.
annually. As part of this process, threats to system
security are identified, evaluated, and the risk from
these threats is formally assessed. The process is
documented, maintained, and approved by
management.

32
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
15 Riskified continuously assesses the risks presented Inspected the vendor risk management tool and No deviations noted.
by vendors and business partners while maintaining dashboard and determined that Riskified continuously
the company's objectives. assessed the risks presented by vendors and business
partners while maintaining the company's objectives.

CC3.3 / COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
# Controls specified by the Company Testing performed by the auditor Results of Testing
1 Riskified's Board meets on a quarterly basis. The Inspected a sample of quarterly Board meeting No deviations noted.
board meeting has a fixed agenda regarding (1) presentation decks and determined that the company's
Financial aspects details, (2) HR, (3) Pipeline of Board met on a quarterly basis.
merchants, (4) Support issues review, (5) Discussion
on new product features.

11 On at least a monthly basis, the security team meets Inspected the security team invitations and determined No deviations noted.
in order to discuss security, confidentiality and that the Riskified security team met on at least a
availability non-compliance issues, among others, monthly basis in order to discuss security,
and address them. confidentiality and availability non-compliance issues,
among others, and addressed them.

33
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
14 Riskified manages a comprehensive risk assessment Inspected the Risk Management policy and risk No deviations noted.
process that identifies and evaluates changes to assessment documentation and determined that
business objectives, commitments and threats to system security were identified, evaluated
requirements, internal operations, and external and the risk from these threats was formally assessed.
factors that threaten the achievement of business The process was documented, maintained, and
objectives. The risk assessment is performed approved by management.
annually. As part of this process, threats to system
security are identified, evaluated, and the risk from
these threats is formally assessed. The process is
documented, maintained, and approved by
management.

15 Riskified continuously assesses the risks presented Inspected the vendor risk management tool and No deviations noted.
by vendors and business partners while maintaining dashboard and determined that Riskified continuously
the company's objectives. assessed the risks presented by vendors and business
partners while maintaining the company's objectives.

34
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC3.4 / COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.

# Controls specified by the Company Testing performed by the auditor Results of Testing

14 Riskified manages a comprehensive risk assessment Inspected the Risk Management policy and risk No deviations noted.
process that identifies and evaluates changes to assessment documentation and determined that
business objectives, commitments and threats to system security were identified, evaluated
requirements, internal operations, and external and the risk from these threats was formally assessed.
factors that threaten the achievement of business The process was documented, maintained, and
objectives. The risk assessment is performed approved by management.
annually. As part of this process, threats to system
security are identified, evaluated, and the risk from
these threats is formally assessed. The process is
documented, maintained, and approved by
management.

15 Riskified continuously assesses the risks presented Inspected the vendor risk management tool and No deviations noted.
by vendors and business partners while maintaining dashboard and determined that Riskified continuously
the company's objectives. assessed the risks presented by vendors and business
partners while maintaining the company's objectives.

35
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

Monitoring Activities
CC4.1 / COSO Principle 16: The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present
and functioning.

# Controls specified by the Company Testing performed by the auditor Results of Testing
18 Riskified uses a suite of monitoring tools to monitor Inspected monitoring tools and a sample of alerts and No deviations noted.
its service. Alerts are sent by an internal determined that alerts were sent based on predefined
communication tool based on pre-defined rules. The rules and notifications were reviewed and processed
notifications are reviewed and processed according according to their level of urgency.
to their level of urgency.

19 Support is available via support mail and the Inspected Riskified's customer support tool, customer No deviations noted.
customer support portal. Support is handled by support tool dashboards, and customer support tickets,
Riskified according to the internal service and determined that support was available via mail and
procedures. the customer support portal. Support was handled by
Riskified according to internal service procedures.

20 Service interruptions, maintenance and updates are Inspected Riskified's status page and customer emails No deviations noted.
communicated to customers through a dedicated and determined that service interruptions, maintenance
status page or an email for subscribers. and updates were communicated to customers through
a dedicated status page or an email for subscribers.

39 Vulnerability scanning is continuously performed on Inspected vulnerability scanning tool project test results No deviations noted.
the production environment using an external tool and identified issues and determined that vulnerability
in order to detect potential security breaches and scans were continuously performed to the production
remediate identified vulnerabilities. environment using an external tool.

36
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC4.2 / COSO Principle 17: The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action,
including senior management and the board of directors, as appropriate.

# Controls specified by the Company Testing performed by the auditor Results of Testing
18 Riskified uses a suite of monitoring tools to monitor Inspected monitoring tools and a sample of alerts and No deviations noted.
its service. Alerts are sent by an internal determined that alerts were sent based on predefined
communication tool based on pre-defined rules. The rules and notifications were reviewed and processed
notifications are reviewed and processed according according to their level of urgency.
to their level of urgency.

19 Support is available via support mail and the Inspected Riskified's customer support tool, customer No deviations noted.
customer support portal. Support is handled by support tool dashboards, and customer support tickets,
Riskified according to the internal service and determined that support was available via mail and
procedures. the customer support portal. Support was handled by
Riskified according to internal service procedures.

20 Service interruptions, maintenance and updates are Inspected Riskified's status page and customer emails No deviations noted.
communicated to customers through a dedicated and determined that service interruptions, maintenance
status page or an email for subscribers. and updates were communicated to customers through
a dedicated status page or an email for subscribers.

37
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

Control Activities
CC5.1 / COSO Principle 10: The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

# Controls specified by the Company Testing performed by the auditor Results of Testing
11 On at least a monthly basis, the security team meets Inspected the security team invitations and determined No deviations noted.
in order to discuss security, confidentiality and that the Riskified security team met on at least a
availability non-compliance issues, among others, monthly basis in order to discuss security,
and address them. confidentiality and availability non-compliance issues,
among others, and addressed them.

CC5.2 / COSO Principle 11: The entity also selects and develops general control activities over technology to support the achievement of objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing

11 On at least a monthly basis, the security team meets Inspected the security team invitations and determined No deviations noted.
in order to discuss security, confidentiality and that the Riskified security team met on at least a
availability non-compliance issues, among others, monthly basis in order to discuss security,
and address them. confidentiality and availability non-compliance issues,
among others, and addressed them.

38
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing

14 Riskified manages a comprehensive risk assessment Inspected the Risk Management policy and risk No deviations noted.
process that identifies and evaluates changes to assessment documentation and determined that
business objectives, commitments and threats to system security were identified, evaluated
requirements, internal operations, and external and the risk from these threats was formally assessed.
factors that threaten the achievement of business The process was documented, maintained, and
objectives. The risk assessment is performed approved by management.
annually. As part of this process, threats to system
security are identified, evaluated, and the risk from
these threats is formally assessed. The process is
documented, maintained, and approved by
management.

15 Riskified continuously assesses the risks presented Inspected the vendor risk management tool and No deviations noted.
by vendors and business partners while maintaining dashboard and determined that Riskified continuously
the company's objectives. assessed the risks presented by vendors and business
partners while maintaining the company's objectives.

39
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC5.3 / COSO Principle 12: The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.

# Controls specified by the Company Testing performed by the auditor Results of Testing
2 Policies and procedures are documented, reviewed Inspected a sample of policies and determined that No deviations noted.
and approved on an annual basis by the policies and procedures were documented, approved
management team and available to Riskified's on at least an annual basis.
employees within Riskified's internal portal.
Inspected the internal portal and determined policies
were available to employees.

Logical and Physical Access Controls

CC6.1: The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet
the entity's objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing

22 Access to system resources is protected through a Inspected the system security groups, monitoring No deviations noted.
combination of firewalls, VPNs, native operating configurations, monitoring dashboards, firewall
system security, database management system configuration, and VPN configuration and determined
security, application controls, and intrusion that access to system resources was protected.
detection monitoring software.

40
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing

23 Users are identified through the use of a user Inspected the password policy and configuration of the No deviations noted.
ID/password combination using the SSO tool. Strong SSO tool and determined that users were identified
password configuration settings, where applicable, through the use of a user ID/password and strong
are enabled on the domain, application and password configuration settings, where applicable, were
database. Password requirements include: (1) a enabled on the domain, application and database.
minimum password length, (2) a limit on the number
of attempts to enter a password before the user ID
is suspended, (3) password complexity and (4)
restricting the use of common passwords.

24 Access to the production server is performed by Inspected the list of users and roles with access to the No deviations noted.
using a Remote access system and is restricted to Remote access system and the configuration and
authorized personnel. Every access requires determined that access to the production server wass
authentication through a dedicated Remote access performed by using Remote access system and was
system. restricted to authorized personnel. Every access
required authentication through a dedicated Remote
access system.

25 Administrative permissions to the SSO tool are Inspected the list of administrative users with access to No deviations noted.
granted by the system admin and are restricted to the SSO tool and the multi-factor authentication
authorized personnel. Accounts are configured to configuration and determined that administrative
require multi-factor authentication before they may permissions to the SSO tool were granted by the system
be used. admin and were restricted to authorized personnel.
Accounts were configured to require multi-factor
authentication before being used.

41
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing

26 Administrative access to the build tool is restricted Inspected the list of users with administrative No deviations noted.
to authorized personnel. permissions in the build tool and determined that
administrative access to the build tool was restricted to
authorized personnel.

27 Access to the source control tool is restricted to Inspected the list of users with access to the source No deviations noted.
authorized personnel. Accounts are configured to control tool, their permission, and the multi-factor
require multi-factor authentication before they may authentication policies, and determined that access to
be used. the source control tool was restricted authorized
personnel and required multi-factor authentication to
access.

30 Access to the AWS management interface is Inspected the AWS multi-factor authentication policies No deviations noted.
performed using two-factor authentication. and users and determined that access to the AWS
management interface was performed using two-factor
authentication.

31 Programmatic access to the AWS servers is Inspected the programmatic access to AWS process and No deviations noted.
temporary and performed using two-factor tool utilized to grant the access and determined that
authentication method and with a token for 12 programmatic access to AWS was temporary and
hours. performed using a two-factor authentication method
with a token that was valid for 12 hours.

32 Access to backup and database storage is restricted Inspected the list of users with their permissions and No deviations noted.
to authorized individuals. permissions policies to the backup and database storage
and determined that access to the backup and database
storage was restricted to authorized individuals.

42
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing

36 Device Trust has been implemented to verify that Inspected the Device Trust policy and access restrictions No deviations noted.
the device is known, secure, and uncompromised. for pre-authorized devices and determined that Device
Trust was implemented to verify that the device is
known, secure, and uncompromised.

49 Manual deployment to Production is performed via Inspected the list of users with access to production, No deviations noted.
a dedicated deployment tool. Access to the their permissions, and branch protection rules and
deployment tool is restricted to authorized determined that manual deployments to production
personnel. were performed via a dedicated deployment tool.
Access to the deployment tool was restricted to
authorized personnel.

CC6.2: Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the
entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.

# Controls specified by the Company Testing performed by the auditor Results of Testing
28 Access and permissions to the different Inspected the user access review process and No deviations noted.
environments (servers, database, and application) documentation and determined that the access and
are reviewed and approved by Riskified permissions to the different environments were
management on an annual basis. reviewed and approved by Riskified management on an
annual basis.

43
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
35 The offboarding process for terminated employees Inspected a sample of completed offboarding No deviations noted.
includes timely access revocation from all documentation and the SSO tool and determined that
environments. the offboarding process for terminated employees
included timely access revocation from all
environments.

44
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC6.3: The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system
design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing
28 Access and permissions to the different Inspected the user access review process and No deviations noted.
environments (servers, database, and application) documentation and determined that the access and
are reviewed and approved by Riskified permissions to the different environments were
management on an annual basis. reviewed and approved by Riskified management on an
annual basis.

CC6.4: The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations)
to authorized personnel to meet the entity’s objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing
33 Physical access to the offices is restricted to Observed the office physical access video and inspected No deviations noted.
authorized personnel through the use of an physical access policy and determined that the physical
electronic identification card / mobile access access to the offices was restricted to authorized
control. personnel through the use of an electronic identification
card and mobile access control.

34 Visitors to the Riskified office are accompanied while Observed the physical access video and inspected No deviations noted.
on premises. physical access policies and determined that the visitors
to Riskified office were accompanied while on premises.

45
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC6.5: The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been
diminished and is no longer required to meet the entity’s objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing
33 Physical access to the offices is restricted to Observed the office physical access video and inspected No deviations noted.
authorized personnel through the use of an physical access policy and determined that the physical
electronic identification card / mobile access access to the offices was restricted to authorized
control. personnel through the use of an electronic identification
card and mobile access control.

34 Visitors to the Riskified office are accompanied while Observed the physical access video and inspected No deviations noted.
on premises. physical access policies and determined that the visitors
to Riskified office were accompanied while on premises.

CC6.6: The entity implements logical access security measures to protect against threats from sources outside its system boundaries.

# Controls specified by the Company Testing performed by the auditor Results of Testing
1 Riskified's Board meets on a quarterly basis. The Inspected a sample of quarterly Board meeting No deviations noted.
board meeting has a fixed agenda regarding (1) presentation decks and determined that the company's
Financial aspects details, (2) HR, (3) Pipeline of Board met on a quarterly basis.
merchants, (4) Support issues review, (5) Discussion
on new product features.

46
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
22 Access to system resources is protected through a Inspected the system security groups, monitoring No deviations noted.
combination of firewalls, VPNs, native operating configurations, monitoring dashboards, firewall
system security, database management system configuration, and VPN configuration and determined
security, application controls, and intrusion that access to system resources was protected.
detection monitoring software.

23 Users are identified through the use of a user Inspected the password policy and configuration of the No deviations noted.
ID/password combination using the SSO tool. Strong SSO tool and determined that users were identified
password configuration settings, where applicable, through the use of a user ID/password and strong
are enabled on the domain, application and password configuration settings, where applicable, were
database. Password requirements include: (1) a enabled on the domain, application and database.
minimum password length, (2) a limit on the number
of attempts to enter a password before the user ID
is suspended, (3) password complexity and (4)
restricting the use of common passwords.

24 Access to the production server is performed by Inspected the list of users and roles with access to the No deviations noted.
using a Remote access system and is restricted to Remote access system and the configuration and
authorized personnel. Every access requires determined that access to the production server wass
authentication through a dedicated Remote access performed by using Remote access system and was
system. restricted to authorized personnel. Every access
required authentication through a dedicated Remote
access system.

47
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
25 Administrative permissions to the SSO tool are Inspected the list of administrative users with access to No deviations noted.
granted by the system admin and are restricted to the SSO tool and the multi-factor authentication
authorized personnel. Accounts are configured to configuration and determined that administrative
require multi-factor authentication before they may permissions to the SSO tool were granted by the system
be used. admin and were restricted to authorized personnel.
Accounts were configured to require multi-factor
authentication before being used.

27 Access to the source control tool is restricted to Inspected the list of users with access to the source No deviations noted.
authorized personnel. Accounts are configured to control tool, their permission, and the multi-factor
require multi-factor authentication before they may authentication policies. Determined that access to the
be used. source control tool was restricted authorized personnel
and required multi-factor authentication to access.

30 Access to the AWS management interface is Inspected the AWS multi-factor authentication policies No deviations noted.
performed using two-factor authentication. and users and determined that access to the AWS
management interface was performed using two-factor
authentication.

31 Programmatic access to the AWS servers is Inspected the programmatic access to AWS process and No deviations noted.
temporary and performed using two-factor tool utilized to grant the access and determined that
authentication method and with a token for 12 programmatic access to AWS was temporary and
hours. performed using a two-factor authentication method
with a token that was valid for 12 hours.

48
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
32 Access to backup and database storage is restricted Inspected the list of users with their permissions and No deviations noted.
to authorized individuals. permissions policies to the backup and database storage
and determined that access to the backup and database
storage was restricted to authorized individuals.

36 Device Trust has been implemented to verify that Inspected the Device Trust policy and access restrictions No deviations noted.
the device is known, secure, and uncompromised. for pre-authorized devices and determined that Device
Trust was implemented to verify that the device is
known, secure, and uncompromised.

42 Penetration tests for public-facing services are Inspected the penetration tests, summary of findings, No deviations noted.
performed on an annual basis. High issues are and ticketing tool and determined that a penetration
investigated and resolved as part of the SDLC test for public facing services was performed on an
process. annual basis. High issues were investigated and resolved
as part of the SDLC process.

43 Riskified servers, OS and applications are scheduled Inspected the device management patch policies and No deviations noted.
to be automatically updated upon the release of the patch management dashboard for a sample of
latest version. New version updates are based on applications and determined that Riskified servers, OS
new vulnerabilities and are communicated to the and applications were scheduled to be automatically
security team leader. updated upon the release of the latest version. New
version updates were based on new vulnerabilities and
communicated to the security team leader.

49
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC6.7: The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission,
movement, or removal to meet the entity’s objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing
29 Encryption between Riskified customers and the Inspected the TLS security policies and determined that No deviations noted.
Riskified application is enabled using an encryption between Riskified customers and the
authenticated TLS tunnel. Riskified application was enabled using an
authenticated TLS tunnel.

CC6.8: The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives.
# Controls specified by the Company Testing performed by the auditor Results of Testing
37 An Endpoint DLP solution is installed to protect data. Inspected the Endpoint DLP solution settings and No deviations noted.
determined that an Endpoint DLP solution was installed
to protect data.

38 A tool is in place to monitor and prevent Inspected the AI monitoring tool configuration and No deviations noted.
unauthorized use of Artificial Intelligence (AI). determined that a tool was in place to monitor and
prevent unauthorized use of Artificial Intelligence (AI).

39 Vulnerability scanning is continuously performed on Inspected vulnerability scanning tool project test results No deviations noted.
the production environment using an external tool and identified issues and determined that vulnerability
in order to detect potential security breaches and scans were continuously performed to the production
remediate identified vulnerabilities. environment using an external tool.

40 A unified endpoint management agent is installed Inspected the endpoint management inventory for a No deviations noted.
on employees’ laptops in order to monitor and sample of employees’ in Riskified and determined that a
enforce Riskified policies. unified endpoint management agent was installed on
employees' laptops.

50
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
41 An EDR solution is installed on employees' laptops in Inspected the EDR solution management dashboards No deviations noted.
order to detect and prevent infection of and logs and determined that an EDR solution was
unauthorized or malicious software. installed on employees’ laptops to detect and prevent
infection of unauthorized or malicious software.

42 Penetration tests for public-facing services are Inspected the penetration tests, summary of findings, No deviations noted.
performed on an annual basis. High issues are and ticketing tool and determined that a penetration
investigated and resolved as part of the SDLC test for public facing services was performed on an
process. annual basis. High issues were investigated and resolved
as part of the SDLC process.

System Operations
CC7.1: To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities,
and (2) susceptibilities to newly discovered vulnerabilities.

# Controls specified by the Company Testing performed by the auditor Results of Testing
39 Vulnerability scanning is continuously performed on Inspected vulnerability scanning tool project test results No deviations noted.
the production environment using an external tool and identified issues and determined that vulnerability
in order to detect potential security breaches and scans were continuously performed to the production
remediate identified vulnerabilities. environment using an external tool.

42 Penetration tests for public-facing services are Inspected the penetration tests, summary of findings, No deviations noted.
performed on an annual basis. High issues are and ticketing tool and determined that a penetration
investigated and resolved as part of the SDLC test for public facing services was performed on an
process. annual basis. High issues were investigated and resolved
as part of the SDLC process.

51
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC7.2: The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting
the entity's ability to meet its objectives; anomalies are analyzed to determine whether they represent security events.

# Controls specified by the Company Testing performed by the auditor Results of Testing
18 Riskified uses a suite of monitoring tools to monitor Inspected monitoring tools and a sample of alerts and No deviations noted.
its service. Alerts are sent by an internal determined that alerts were sent based on predefined
communication tool based on pre-defined rules. The rules and notifications were reviewed and processed
notifications are reviewed and processed according according to their level of urgency.
to their level of urgency.

37 An Endpoint DLP solution is installed to protect data. Inspected the Endpoint DLP solution settings and No deviations noted.
determined that an Endpoint DLP solution was installed
to protect data.

38 A tool is in place to monitor and prevent Inspected the AI monitoring tool configuration and No deviations noted.
unauthorized use of Artificial Intelligence (AI). determined that a tool was in place to monitor and
prevent unauthorized use of Artificial Intelligence (AI).

39 Vulnerability scanning is continuously performed on Inspected vulnerability scanning tool project test results No deviations noted.
the production environment using an external tool and identified issues and determined that vulnerability
in order to detect potential security breaches and scans were continuously performed to the production
remediate identified vulnerabilities. environment using an external tool.

40 A unified endpoint management agent is installed Inspected the endpoint management inventory for a No deviations noted.
on employees’ laptops in order to monitor and sample of employees’ in Riskified and determined that a
enforce Riskified policies. unified endpoint management agent was installed on
employees' laptops.

52
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
41 An EDR solution is installed on employees’ laptops in Inspected the EDR solution management dashboards No deviations noted.
order to detect and prevent infection of and logs and determined that an EDR solution was
unauthorized or malicious software. installed on employees’ laptops to detect and prevent
infection of unauthorized or malicious software.

42 Penetration tests for public-facing services are Inspected the penetration tests, summary of findings, No deviations noted.
performed on an annual basis. High issues are and ticketing tool and determined that a penetration
investigated and resolved as part of the SDLC test for public facing services was performed on an
process. annual basis. High issues were investigated and resolved
as part of the SDLC process.

43 Riskified servers, OS and applications are scheduled Inspected the device management patch policies and No deviations noted.
to be automatically updated upon the release of the patch management dashboard for a sample of
latest version. New version updates are based on applications and determined that Riskified servers, OS
new vulnerabilities and are communicated to the and applications were scheduled to be automatically
security team leader. updated upon the release of the latest version. New
version updates were based on new vulnerabilities and
communicated to the security team leader.

53
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC7.3: The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes
actions to prevent or address such failures.

# Controls specified by the Company Testing performed by the auditor Results of Testing
19 Support is available via support mail and the Inspected Riskified's customer support tool, customer No deviations noted.
customer support portal. Support is handled by support tool dashboards, and customer support tickets,
Riskified according to the internal service and determined that support was available via mail and
procedures. the customer support portal. Support was handled by
Riskified according to internal service procedures.

CC7.4: The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security
incidents, as appropriate.

# Controls specified by the Company Testing performed by the auditor Results of Testing
9 An Information Security Policy is documented by Inspected Riskified's Information Security Policy and the No deviations noted.
Riskified management and reviewed and approved company's internal portal and determined that the
on an annual basis by the Head of Security. The policy was reviewed, approved and available to all
Information Security Policy is available to all Riskified employees.
Riskified employees.

20 Service interruptions, maintenance and updates are Inspected Riskified's status page and customer emails No deviations noted.
communicated to customers through a dedicated and determined that service interruptions, maintenance
status page or an email for subscribers. and updates were communicated to customers through
a dedicated status page or an email for subscribers.

54
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
55 Restore tests are performed on an annual basis. The Inspected the results of the restore tests and No deviations noted.
test includes a full restore to a separate database determined that restore tests were performed on an
server and bringing up the database to verify data annual basis and the Disaster Recovery (DR) test process
integrity and accessibility. The Disaster Recovery and results were documented and communicated to
(DR) test process and results are documented and key Riskified personnel.
communicated to key Riskified personnel.

CC7.5: The entity identifies, develops, and implements activities to recover from identified security incidents.

# Controls specified by the Company Testing performed by the auditor Results of Testing
9 An Information Security Policy is documented by Inspected Riskified's Information Security Policy and the No deviations noted.
Riskified management and reviewed and approved company's internal portal and determined that the
on an annual basis by the Head of Security. The policy was reviewed, approved and available to all
Information Security Policy is available to all Riskified employees.
Riskified employees.

20 Service interruptions, maintenance and updates are Inspected Riskified's status page and customer emails No deviations noted.
communicated to customers through a dedicated and determined that service interruptions, maintenance
status page or an email for subscribers. and updates were communicated to customers through
a dedicated status page or an email for subscribers.

55
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
55 Restore tests are performed on an annual basis. The Inspected the results of the restore tests and No deviations noted.
test includes a full restore to a separate database determined that restore tests were performed on an
server and bringing up the database to verify data annual basis and the Disaster Recovery (DR) test process
integrity and accessibility. The Disaster Recovery and results were documented and communicated to
(DR) test process and results are documented and key Riskified personnel.
communicated to key Riskified personnel.

Change Management
CC8.1: The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures
to meet its objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing
1 Riskified's Board meets on a quarterly basis. The Inspected a sample of quarterly Board meeting No deviations noted.
board meeting has a fixed agenda regarding (1) presentation decks and determined that the company's
Financial aspects details, (2) HR, (3) Pipeline of Board met on a quarterly basis.
merchants, (4) Support issues review, (5) Discussion
on new product features.

26 Administrative access to the build tool is restricted Inspected the list of users with administrative No deviations noted.
to authorized personnel. permissions in the build tool and determined that
administrative access to the build tool was restricted to
authorized personnel.

56
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
27 Access to the source control tool is restricted to Inspected the list of users with access to the source No deviations noted.
authorized personnel. Accounts are configured to control tool, their permission, and the multi-factor
require multi-factor authentication before they may authentication policies, and determined that access to
be used. the source control tool was restricted authorized
personnel and required multi-factor authentication to
access.

44 Design, acquisition, implementation, configuration, Inspected a sample of change management tickets and No deviations noted.
modification, and management of infrastructure and determined that changes were documented and
software are documented and approved by the approved by the management and tickets were
management team within the change management prioritized and labeled based on development phase
application. Change management tickets are and urgency.
prioritized and labeled based on development phase
and urgency.

45 Quarterly planning is performed to address security Inspected meeting invitations of planning meetings and No deviations noted.
requirements of the software development life determined that quarterly planning was performed to
cycle. address security requirements of the software
development life cycle.

46 Changes are connected to the source control tool in Inspected a sample of change tickets and determined No deviations noted.
order to link the request to the actual code change. that changes were connected to the source control tool
in order to link the request to the actual code change.

57
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
47 Code changes are reviewed along with the pull Inspected a sample of change tickets and code review No deviations noted.
request and performed by the team leader. The configuration and determined that code changes were
code review is documented on the source control mandatory, reviewed and documented within the pull
system. Code review is mandatory in order to request.
continue in the SDLC process and deploy a version to
the production environment.

48 A sprint planning meeting is performed bi-weekly Inspected sprint planning meeting invitations and No deviations noted.
between the product manager and the R&D in order determined that sprint planning meetings between the
to approve the versions that will be deployed to product manager and the R&D were performed bi-
production. weekly.

49 Manual deployment to production is performed via Inspected the list of users with access to production, No deviations noted.
a dedicated deployment tool. Access to the their permissions, and branch protection rules and
deployment tool is restricted to authorized determined that manual deployments to production
personnel. were performed via a dedicated deployment tool.
Access to the deployment tool was restricted to
authorized personnel.

52 Access to the production environment is limited to Inspected the list of users with access to the production No deviations noted.
authorized personnel. In a case of emergency environment, infrastructure access tool, audit logs and
change/troubleshooting, developers will be granted emergency access procedure and determined that
limited access through a bot for up to 12 hours. This access to the production environment was limited to
access required entering a valid ticket. Log events authorized users. In a case of emergency
related to production changes are kept. change/troubleshooting, developers received limited
access through a bot for up to 12 hours. This access
required entering a valid ticket. Log events related to
production changes were kept.

58
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
50 Code level tests and functional tests are performed Inspected a sample of change tickets and determined No deviations noted.
using a dedicated tool on a regular basis in order to that code level tests and functional tests were
identify issues within the application. performed using a dedicated tool on a regular basis.

51 A successful test status is mandatory in order to Inspect a sample of change tickets and determined that No deviations noted.
continue in the SDLC process and deploy a version to a successful test status was required to continue in the
the production environment. SDLC process.

52 Access to the Production environment is limited to Inspected the list of users with access to the production No deviations noted.
authorized personnel. In a case of emergency environment, infrastructure access tool, audit logs and
change/troubleshooting, developers will be granted emergency access procedure and determined that
limited access through a bot for up to 12 hours. This access to the production environment was limited to
access required entering a valid ticket. Log events authorized users. In a case of emergency
related to production changes are kept. change/troubleshooting, developers received limited
access through a bot for up to 12 hours. This access
required entering a valid ticket. Log events related to
production changes were kept.

59
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

Risk Mitigation
CC9.1: The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

# Controls specified by the Company Testing performed by the auditor Results of Testing
11 On at least a monthly basis, the security team meets Inspected the security team invitations and determined No deviations noted.
in order to discuss security, confidentiality and that the Riskified security team met on at least a
availability non-compliance issues, among others, monthly basis in order to discuss security,
and address them. confidentiality and availability non-compliance issues,
among others, and addressed them.

14 Riskified manages a comprehensive risk assessment Inspected the Risk Management policy and risk No deviations noted.
process that identifies and evaluates changes to assessment documentation and determined that
business objectives, commitments and threats to system security were identified, evaluated
requirements, internal operations, and external and the risk from these threats was formally assessed.
factors that threaten the achievement of business The process was documented, maintained, and
objectives. The risk assessment is performed approved by management.
annually. As part of this process, threats to system
security are identified, evaluated, and the risk from
these threats is formally assessed. The process is
documented, maintained, and approved by
management.

15 Riskified continuously assesses the risks presented Inspected the vendor risk management tool and No deviations noted.
by vendors and business partners while maintaining dashboard and determined that Riskified continuously
the company's objectives. assessed the risks presented by vendors and business
partners while maintaining the company's objectives.

60
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

CC9.2: The entity assesses and manages risks associated with vendors and business partners.

# Controls specified by the Company Testing performed by the auditor Results of Testing
1 Riskified's Board meets on a quarterly basis. The Inspected a sample of quarterly Board meeting No deviations noted.
board meeting has a fixed agenda regarding (1) presentation decks and determined that the company's
Financial aspects details, (2) HR, (3) Pipeline of Board met on a quarterly basis.
merchants, (4) Support issues review, (5) Discussion
on new product features.

14 Riskified manages a comprehensive risk assessment Inspected the Risk Management policy and risk No deviations noted.
process that identifies and evaluates changes to assessment documentation and determined that
business objectives, commitments and threats to system security were identified, evaluated
requirements, internal operations, and external and the risk from these threats was formally assessed.
factors that threaten the achievement of business The process was documented, maintained, and
objectives. The risk assessment is performed approved by management.
annually. As part of this process, threats to system
security are identified, evaluated, and the risk from
these threats is formally assessed. The process is
documented, maintained, and approved by
management.

61
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
15 Riskified continuously assesses the risks presented Inspected the vendor risk management tool and No deviations noted.
by vendors and business partners while maintaining dashboard and determined that Riskified continuously
the company's objectives. assessed the risks presented by vendors and business
partners while maintaining the company's objectives.

16 Risk mitigation activities include the development of Inspected the Risk Management policy. risk assessment No deviations noted.
planned policies, procedures, communications, and documentation, and calendar meeting invitations and
alternative processing solutions to respond to, determined that risk mitigation activities included
mitigate, and recover from security events that policies and procedures of monitoring processes, and
disrupt business operations. Those policies and information and communications to meet the
procedures include monitoring processes and company's objectives during response, mitigation, and
information and communications to meet the recovery efforts.
Company's objectives during response, mitigation,
and recovery efforts.

58 A confidentiality agreement is signed with Riskified's Inspected a sample of confidentiality agreements and No deviations noted.
infrastructure third-party providers to maintain the determined that a confidentiality agreement was signed
system confidentiality. with Riskified's infrastructure third-party providers to
maintain the system confidentiality.

17 Riskified obtains confidentiality commitments that Inspected the contract management repository, and No deviations noted.
are consistent with the Riskified confidentiality vendor management tool, and determined that Riskified
commitments and requirements from vendors and obtained confidentiality commitments that were
business partners who have access to confidential consistent with the company’s confidentiality
information. commitments and requirements from vendors and
business partners who had access to confidential
information.

62
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

Availability
A1.1: The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand
and to enable the implementation of additional capacity to help meet its objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing
53 Riskified application databases are backed up Inspected the backup configurations and data retention No deviations noted.
according to the backup policy on a daily basis. policies and determined that Riskified application
Backups are retained for at least 30 days. databases were backed up on a daily basis and the data
was retained for 30 days.

54 The Riskified production environment is located in Inspected the availability zone configuration and No deviations noted.
several availability zones and regions to maintain determined that the Riskified production environment
high availability standards. was located in several availability zones.

A1.2: The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up
processes, and recovery infrastructure to meet its objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing
53 Riskified application databases are backed up Inspected the backup configurations and data retention No deviations noted.
according to the backup policy on a daily basis. policies and determined that Riskified application
Backups are retained for at least 30 days. databases were backed up on a daily basis and the data
was retained for 30 days.

54 The Riskified production environment is located in Inspected the availability zone configuration and No deviations noted.
several availability zones and regions to maintain determined that the Riskified production environment
high availability standards. was located in several availability zones.

63
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

A1.3: The entity tests recovery plan procedures supporting system recovery to meet its objectives.

# Controls specified by the Company Testing performed by the auditor Results of Testing
53 Riskified application databases are backed up Inspected the backup configurations and data retention No deviations noted.
according to the backup policy on a daily basis. policies and determined that Riskified application
Backups are retained for at least 30 days. databases were backed up on a daily basis and the data
was retained for 30 days.

55 Restore tests are performed on an annual basis. The Inspected the results of the restore tests and No deviations noted.
test includes a full restore to a separate database determined that restore tests were performed on an
server and bringing up the database to verify data annual basis and the Disaster Recovery (DR) test process
integrity and accessibility. The Disaster Recovery and results were documented and communicated to
(DR) test process and results are documented and key Riskified personnel.
communicated to key Riskified personnel.

64
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

Confidentiality
C1.1: The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality.

# Controls specified by the Company Testing performed by the auditor Results of Testing
1 Riskified's Board meets on a quarterly basis. The Inspected a sample of quarterly Board meeting No deviations noted.
board meeting has a fixed agenda regarding (1) presentation decks and determined that the company's
Financial aspects details, (2) HR, (3) Pipeline of Board met on a quarterly basis.
merchants, (4) Support issues review, (5) Discussion
on new product features.

17 Riskified obtains confidentiality commitments that Inspected the contract management repository, and No deviations noted.
are consistent with the Riskified confidentiality vendor management tool, and determined that Riskified
commitments and requirements from vendors and obtained confidentiality commitments that were
business partners who have access to confidential consistent with the company’s confidentiality
information. commitments and requirements from vendors and
business partners who had access to confidential
information.

56 Merchants’ passwords and PII are encrypted within Inspected the database encryption status dashboards, No deviations noted.
the Riskified application database according to the the database configurations, and Information Security
Riskified security policy. Policy and determined that merchants passwords and
PII were encrypted according to the Riskified security
policy.

65
Section IV - Description of Criteria, Controls, Tests and Results of Tests

# Controls specified by the Company Testing performed by the auditor Results of Testing
59 Actions performed on the production environment, Inspected the monitoring dashboards, a sample of logs, No deviations noted.
including OS, machines, and applications are and members of the team that received the alerts and
monitored and automatically logged after every determined that actions performed on the production
access. The logs are continuously reviewed by a environment, including OS, machines, and applications
dedicated team and alerts are triggered upon the were monitored and automatically logged after every
identification of an anomaly. All logs are encrypted. access.

57 Merchants are restricted to their own web interface Inspected application configuration and determined No deviations noted.
environment (multi-tenant) and do not have access that Riskified has logical segregation built within the
to view data from other environments. application to separate one tenant's users from others.

66
 Section IV - Description of Criteria, Controls, Tests and Results of Tests

C1.2 The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.

# Controls specified by the Company Testing performed by the auditor Results of Testing
2 Policies and procedures are documented, reviewed, Inspected a sample of policies and determined that No deviations noted.
and approved on an annual basis by the policies and procedures were documented, approved
Management team and are available to Riskified's on at least an annual basis.
employees within Riskified's internal portal.
Inspected the internal portal and determined policies
were available to employees.

58 A confidentiality agreement is signed with Riskified's Inspected a sample of confidentiality agreements and No deviations noted.
infrastructure third-party providers to maintain the determined that a confidentiality agreement was signed
system confidentiality. with Riskified's infrastructure third-party providers to
maintain the system confidentiality.

57 Merchants are restricted to their own web interface Inspected application configuration and determined No deviations noted.
environment (multi-tenant) and do not have access that Riskified has logical segregation built within the
to view data from other environments. application to separate one tenant's users from others.

***************************

67