Matillion Limited

SOC 2 Type 2
Independent Service Auditor’s Report on Management’s
Description of a Service Organization’s System and the
Suitability of the Design and Operating Effectiveness of
Controls Relevant to Security

August 1, 2023 – July 31, 2024

200 Second Avenue South, Suite 478

St. Petersburg, FL 33701
 MATILLION LIMITED
TABLE OF CONTENTS

I. Independent Service Auditor’s Report _____________________________________________ 3

Independent Service Auditor’s Report ____________________________________________________ 4
II. Information Provided by Matillion Limited _________________________________________ 8
Assertion of Matillion Limited Service Organization Management _____________________________ 9
Description of Matillion’s Platform System _______________________________________________ 12
Company Overview _______________________________________________________________ 12
System Description _______________________________________________________________ 19
Relevant Aspects of the Control Environment, Risk Assessment, Monitoring, and Information and
Communication _____________________________________________________________________ 23
Control Environment ______________________________________________________________ 23
Risk Assessment and Management___________________________________________________ 29
Monitoring _____________________________________________________________________ 30
Information and Communication ____________________________________________________ 30
User Control Considerations ________________________________________________________ 31
III. Information Provided by Ascend Audit & Advisory __________________________________ 33
Common Control Criteria – Security Category _____________________________________________ 34
Control Environment ______________________________________________________________ 34
Information and Communication ____________________________________________________ 48
Risk Assessment _________________________________________________________________ 61
Monitoring Activities ______________________________________________________________ 76
Control Activities _________________________________________________________________ 81
Logical and Physical Access Controls__________________________________________________ 89
System Operations ______________________________________________________________ 106
Change Management ____________________________________________________________ 119
Risk Mitigation__________________________________________________________________ 125

Matillion Limited | SOC 2 Type 2 2

For the Period Ending July 31, 2024
I. Independent Service Auditor’s Report

Matillion Limited | SOC 2 Type 2 3

For the Period Ending July 31, 2024
 200 Second Avenue South, Suite 478
St. Petersburg, FL 33701
www.ascendaudit.com

INDEPENDENT SERVICE AUDITOR’S REPORT

The Management Company of Matillion Limited

Two, New Bailey Street, Stanley Street
Salford M3 5GS, United Kingdom

Scope

We have examined Matillion Limited’s (“Matillion”, or “the Company”) description of controls for its Matillion
Platform (Matillion Data Loader, Change Data Capture, Matillion ETL, Data Productivity Cloud) system and related
transactions throughout the period August 1, 2023 through July 31, 2024, based on the criteria for a description of a
service organization’s system in DC Section 200, 2018 Description Criteria for a Description of a Service Organization’s
System in a SOC 2 Report (With Revised Implementation Guidance – 2022)(AICPA, Description Criteria), and the
suitability of the design and operating effectiveness of controls stated in the description throughout the period
August 1, 2023 through July 31, 2024, to provide reasonable assurance that Matillion’s service commitments and
system requirements were achieved based on the trust service criterion for security set forth in TSP section 100,
2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (With Revised
Points of Focus — 2022), in AICPA Trust Services Criteria.

Subservice Organizations

Matillion utilizes subservice organizations for the following services and applications:

Subservice Organizations Services and Applications

Amazon Web Services (AWS) Infrastructure-as-a-Service and cloud computing services
Google Infrastructure-as-a-Service and enterprise applications
Microsoft – Azure including Dynamics 365 Cloud computing and enterprise applications
Salesforce Customer relationship management
Atlassian Source code and version control and software project management
Auth0 Authentication tools
Okta Conditional multifactor authentication, access for SaaS applications
Recurly Billing engine and related tools

The description indicates that complementary subservice organization controls that are suitably designed and
operating effectively are necessary, along with controls at Matillion, to achieve Matillion’s service commitments and
system requirements based on the applicable trust services criterion of security. The description presents Matillion’s
controls, the applicable trust services criteria of security and the types of complementary subservice organization
controls assumed in the design of Matillion’s controls. The description does not disclose the actual controls at the
subservice organizations.

Matillion Limited | SOC 2 Type 2 4

For the Period Ending July 31, 2024
Our examination did not include the services provided by the subservice organizations, and we have not evaluated
the suitability of the design or operating effectiveness of such complementary subservice organization controls. Our
examination did not extend to controls at the subservice organizations. These subservice organizational controls are
specifically included in trust services criterion:

CC6.4 – The entity restricts physical access to facilities and protected information assets (for example, data center
facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the entity’s
objectives.

Matillion Limited’s Responsibilities

Matillion is responsible for its service commitments and system requirements and for designing, implementing, and
operating effective controls within the system to provide reasonable assurance that Matillion’s service commitments
and system requirements were achieved. In Section II, Matillion has provided its assertion titled “Assertion of
Matillion Limited Service Organization Management” about the description and the suitability of design and
operating effectiveness of controls stated therein. Matillion is also responsible for preparing the description and
assertion, including the completeness, accuracy, and method of presentation of the description and assertion;
providing the services covered by the description; selecting the applicable trust services criteria and stating the
related controls in the description; and identifying the risks that threaten the achievement of the service
organization’s service commitments and system requirements.

Ascend Audit & Advisory’s Responsibilities

Our responsibility is to express an opinion on the description of the suitability of the design and operating
effectiveness of controls stated in the description based on our examination. Our examination was conducted in
accordance with attestation standards established by the AICPA. Those standards require that we plan and perform
our examination to obtain reasonable assurance about whether, in all material respects, the description is presented
in accordance with the description criteria and the controls stated therein were suitably designed and operating
effectively to provide reasonable assurance that the service organization’s service commitments and system
requirements were achieved based on the applicable trust services criteria. We believe that the evidence we
obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

We are required to be independent and to meet our other ethical responsibilities in accordance with relevant ethical
requirements relating to the engagement.

An examination of the description of a service organization’s system and the suitability of the design and operating
effectiveness of controls involves the following:

 Obtaining an understanding of the system and the service organization’s service commitments and system
requirements
 Assessing the risks that the description is not presented in accordance with the description criteria and that
controls were not suitably designed or did not operate effectively
 Performing procedures to obtain evidence about whether the description is presented in accordance with
the description criteria
 Performing procedures to obtain evidence about whether controls stated in the description were suitably
designed to provide reasonable assurance that the service organization achieved its service commitments
and system requirements based on the applicable trust services criteria

Matillion Limited | SOC 2 Type 2 5

For the Period Ending July 31, 2024
  Testing the operating effectiveness of controls stated in the description to provide reasonable assurance that
the service organization achieved its service commitments as system requirements based on the applicable
trust services criteria
 Evaluating the overall presentation of the description

Our examination also included performing such other procedures as we considered necessary in the circumstances.

Inherent Limitations

The description is prepared to meet the common needs of a broad range of report users and may not, therefore,
include every aspect of the system that individual users may consider important to meet their informational needs.
There are inherent limitations in the effectiveness of any system of internal control, including the possibility of
human error and the circumvention of controls.

Because of their nature, controls may not always operate effectively to provide reasonable assurance that the service
organization’s service commitments and system requirements are achieved based on the applicable trust services
criteria. Also, the projection to the future of any conclusions about the suitability of the design and operating
effectiveness of controls is subject to the risk that controls may become inadequate because of changes in conditions
or that the degree of compliance with policies or procedures may deteriorate.

Description of Controls

The specific controls we tested, and the nature, timing, and results of our tests are presented in Section III of our
report.

Opinion

In our opinion, in all material respects,

a. the description presents Matillion’s system that was designed and implemented throughout the period
August 1, 2023 to July 31, 2024, in accordance with the description criteria.

b. the controls stated in the description were suitably designed throughout the period August 1, 2023 to July
31, 2024 and designed to provide reasonable assurance that Matillion’s service commitments and system
requirements would be achieved based on the applicable trust services criteria, if its controls operated
effectively throughout that period, and if the subservice organizations and user entities applied the
complementary controls assumed in the design of Matillion’s controls throughout that period.

c. the controls stated in the description operated effectively throughout the period August 1, 2023 to July 31,
2024, to provide reasonable assurance that Matillion’s service commitments and system requirements were
achieved based on the applicable trust services criteria if complementary subservice organization controls
and complementary user entity controls assumed in the design of Matillion’s controls operated effectively
throughout that period.

Matillion Limited | SOC 2 Type 2 6

For the Period Ending July 31, 2024
Restricted Use

This report, including the description of tests of controls and results thereof in Section III, is intended solely for the
information and use of Matillion, user entities of its Matillion Platform system during some or all of the period August
1, 2023 to July 31, 2024, business partners of Matillion subject to risks arising from interactions with the Matillion
Platform system, practitioners providing services to such user entities and business partners, prospective user
entities and business partners, and regulators who have sufficient knowledge and understanding of the following:

 The nature of the service provided by the Company

 How the Company’s system interacts with user entities, subservice organizations, or other parties

 Internal control and its limitations

 Complementary user entity controls and complementary subservice organization controls and how those
controls interact with the controls at the service organization to achieve the service organization’s service
commitments and system requirements

 User entity responsibilities and how they may affect the user entity's ability to effectively use the service
organization's services

 The applicable trust services criteria

 The risks that may threaten the achievement of the applicable trust services criteria and how controls
address those risks

This report is not intended to be and should not be used by anyone other than these specified parties.

Ascend Audit & Advisory

St. Petersburg, FL

August 20, 2024

Matillion Limited | SOC 2 Type 2 7

For the Period Ending July 31, 2024
II. Information Provided by Matillion Limited

Matillion Limited | SOC 2 Type 2 8

For the Period Ending July 31, 2024
ASSERTION OF MATILLION LIMITED SERVICE ORGANIZATION MANAGEMENT
We have prepared the description of the Matillion Platform system (“system” or “the system”) throughout the period
August 1, 2023 through July 31, 2024, (“the description”) based on the criteria for a description of a service
organization’s system in DC section 200, 2018 Description Criteria for a Description of a Service Organization System
in a SOC 2 Report (With Revised Implementation Guidance – 2022) (AICPA, Description Criteria). The description is
intended to provide report users with information about the system that may be useful when assessing the risks
arising from interactions with Matillion Service Organization’s system, particularly information about system controls
that Matillion has designed, implemented, and operated to provide reasonable assurance that its service
commitments and system requirements were achieved based on the trust services criterion relevant to security set
forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and
Privacy (With Revised Points of Focus — 2022)(AICPA Trust Services Criteria).

Matillion utilizes subservice organizations for the following services and applications:

Subservice Organizations Services and Applications

Amazon Web Services (AWS) Infrastructure-as-a-Service and cloud computing services
Google Infrastructure-as-a-Service and enterprise applications
Microsoft – Azure including Dynamics 365 Cloud computing and enterprise applications
Salesforce Customer relationship management
Atlassian Source code and version control and software project management
Auth0 Authentication tools
Okta Conditional multifactor authentication, access for SaaS applications
Recurly Billing engine and related tools

The description indicates that complementary subservice organization controls that are suitably designed and
operating effectively are necessary, along with controls at Matillion, to achieve Matillion’s service commitments and
system requirements based on the applicable trust services criterion of security. The description presents Matillion’s
controls, the applicable trust services criteria, and the types of complementary subservice organization controls
assumed in the design of Matillion’s controls. The description does not disclose the actual controls at the subservice
organization. The description indicates that complementary user entity controls that are suitably designed and
operating effectively are necessary, along with controls at Matillion, to achieve Matillion’s service commitments and
system requirements based on the applicable trust services criteria. The description presents Matillion’s controls, the
applicable trust services criteria, and the complementary user entity controls assumed in the design of Matillion’s
controls.

We confirm, to the best of our knowledge and belief, that:

a. The description presents Matillion’s system that was designed and implemented throughout the period of
August 1, 2023 to July 31, 2024, in accordance with the description criteria.

i. The description contains the following information:

(1) The types of services provided.

(2) The components of the system used to provide the services, which are the following:

 Infrastructure – The physical and hardware components of a system (facilities, equipment,

and networks).
Matillion Limited | SOC 2 Type 2 9
For the Period Ending July 31, 2024
  Software – The programs and operating software of a system (systems, applications, and
utilities).
 People – The personnel involved in the operation and use of a system (developers,
operators, users, and managers).
 Procedures – The automated and manual procedures involved in the operation of a system.
 Data – The information used and supported by a system (transaction streams, files,
databases, and tables).

(3) The boundaries or aspects of the system covered by the description.

(4) How the system captures and addresses significant events and conditions.

(5) The process used to prepare and deliver reports and other information to user entities and
other parties.

(6) If information is provided to, or received from, subservice organizations or other parties, how
such information is provided or received; the role of the subservice organization and other
parties; and the procedures performed to determine that such information and its processing,
maintenance, and storage are subject to appropriate controls.

(7) For each category being reported on, the applicable trust services criteria and the related
controls designed to meet those criteria, including, as applicable, complementary user-entity
controls contemplated in the design of the Company’s system.

(8) For subservice organizations presented using the carve-out method, the nature of the services
provided by the subservice organization; each of the applicable trust services criteria that are
intended to be met by controls at the subservice organization, alone or in combination with
controls at the Company, and the types of controls expected to be implemented at carved-out
subservice organizations to meet those criteria; and for privacy, the types of activities that the
subservice organization would need to perform to comply with privacy commitments.

(9) Any applicable trust services criteria that are not addressed by a control at the Company or a
subservice organization and the reasons, therefore.

(10) Other aspects of the Company’s control environment, risk assessment process, information
and communication systems, and monitoring of controls that are relevant to the services
provided and the applicable trust services criteria.

(11) Relevant details of changes to the Company’s system during the period covered by the
description.

ii. The description does not omit or distort information relevant to the Company’s system while
acknowledging that the description is prepared to meet the common needs of a broad range of users
and may not, therefore, include every aspect of the system that each individual user may consider
important to his or her own particular needs.

b. The controls stated in the description were suitably designed throughout the period August 1, 2023 to July
31, 2024, to provide reasonable assurance that Matillion’s service commitments and system requirements
would be achieved based on the applicable trust services criteria, if its controls operated effectively
throughout that period, and if the subservice organization and user entities applied the complementary
Matillion Limited | SOC 2 Type 2 10
For the Period Ending July 31, 2024
 controls assumed in the design of Matillion’s controls throughout that period.

c. The controls stated in the description operated effectively throughout the period August 1, 2023 to July 31,
2024, to provide reasonable assurance that Matillion’s service commitments and system requirements were
achieved based on the applicable trust services criteria if complementary subservice organization controls
and complementary user entity controls assumed in the design of Matillion’s controls operated effectively
throughout that period.

By: /S/ Graeme Park

Graeme Park
Chief Information Security Officer

August 20, 2024

Matillion Limited | SOC 2 Type 2 11

For the Period Ending July 31, 2024
DESCRIPTION OF MATILLION’S PLATFORM SYSTEM
Company Overview

Matillion is a global company, founded in Manchester. Matillion has a globally distributed workforce working
between dual headquarters in Denver, CO and Manchester (UK). Thousands of enterprises including Cisco, DocuSign,
Pacific Life, Slack, and TUI trust Matillion to move, transform and automate their data.

Products and Services Overview

Matillion has a suite of applications – Matillion Hub, Matillion Change Data Capture (CDC), Matillion Data Loader
(MDL) and Matillion ETL (METL). On June 27, 2023, Matillion launched Matillion Data Productivity Cloud which
provides a SaaS (software-as-a-service) and Hybrid-SaaS experience to customers, along with additional functionality
and connectivity. In March 2024, Matillion introduced AI capabilities into its products and AI initiatives throughout
the organization to enhance data engineering capabilities by leveraging the power of large language models (LLMs)
and retrieval augmented generation (RAG). Matillion is leveraging AI to solve data problems that its customers have
in relation to sentiment analysis, preparing draft answers to tickets, and extracting insights off of unstructured data
(e.g., PDF reports or call transcripts). Matillion uses AI for data and metadata discovery, and also to streamline data
literacy in the authoring process to provide documentation to the user describing the job/pipeline. AI integration
enhances customers' data engineering efforts with AI Prompt Engineering, transforming data processing ability
across OpenAI, Azure, and AWS platforms. Matillion components add valuable data context to pipelines, leveraging
Large Language Model (LLM) technology to generate responses to user prompts. Matillion integrates smoothly with
leading LLMs such as OpenAI Chat GPT, AWS Bedrock, Azure Open AI, and Snowflake Cortex offering flexible input
and output options in text or JSON formats while ensuring effortless storage in the client cloud data platform.

On June 4, 2024, Matillion announced the Company was bringing no-code Generative AI (GenAI) to Snowflake users
with new GenAI capabilities and integrations with Snowflake Cortex AI, Snowflake ML Functions, and support for
Snowpark Container Services. The newly launched GenAI components enable powerful out-of-the-box use cases,
including generating product descriptions, extracting key information from customer reviews, summarizing lengthy
reports, and translating content for global audiences.

Matillion Limited | SOC 2 Type 2 12

For the Period Ending July 31, 2024
Key benefits of AI Prompt Components and Retrieval Augmented Generation with Matillion:

Prompt Engineering and operationalize the use of Large Language Models inside of a data pipeline to
harness the power of Generative AI in data transformations with all existing Matillion connectivity and
transformation.

Address intelligent data integration tasks across various domains – one component, many use cases:

 Sentiment Analysis: Extract insights from unstructured data like reviews and social media
 Ticketing: Enhance workflows with AI-powered response drafting and issue prioritization
 Insights Extraction: Automatically analyze PDFs to identify key trends and patterns
 Data Analytics: Transform unstructured data into actionable insights for Customer 360, FP&A, and
Sales
 Business Workflows: Streamline tasks and improve decision-making by integrating AI across
operations

Vendor agnostic and flexible, the Prompt Component supports OpenAI ChatGPT, AWS Bedrock (many LLMs
supported), Azure OpenAI. Leverage the latest and most powerful LLMs in client data pipelines.

Matillion Data Productivity Cloud

Matillion Data Productivity Cloud provides fully SaaS and hybrid cloud SaaS options designed to empower customers
in managing their data effectively. With this platform, users create data pipelines that support data movement, data
transformation, and data orchestration. Furthermore, it offers robust admin and operational visibility to manage the
entire platform end to end. It is important to note that Matillion does not function as a data storage platform.
Customer data is not stored within Matillion's systems. Instead, the platform focuses on the orchestration and
management of data processes with pushdown architecture (pushdown ELT and AI) to ensure all customer data is
within the customer’s cloud data platform. Any configurations, user information, and metadata stored within the
system are encrypted both at rest and in transit, ensuring the highest level of data security. Matillion Data
Productivity Cloud represents Matillion's central solution platform, incorporating a range of applications and
Matillion Limited | SOC 2 Type 2 13
For the Period Ending July 31, 2024
components that deliver diverse data services and deployment options. Hosted within Matillion's secure cloud
environment, the platform seamlessly integrates with customer networks and virtual networks using standard secure
communication protocols. This integration enables efficient and secure data exchange between customer systems
and the Matillion platform. Matillion Data Productivity Cloud leverages the power of advanced data management
capabilities, enabling streamlined data processes, enhanced productivity, and timely data insights.

Matillion Data Productivity Cloud Components

Matillion Data Productivity Cloud comprises applications and services residing inside and outside Matillion’s VPC
(virtual private cloud), depending on each customer’s deployment, and communicating across networks via HTTPS
(API microservices). Matillion Data Productivity Cloud is a multi-tenant platform with both logical and physical
measures in place to ensure separation. When users log into the Hub they select an account from the list of accounts
they have access to. This generates a JWT (JSON Web Token) with a custom claim for the selected account ID.

The Agent is a key component of the Matillion Data Productivity Cloud. It is responsible for processing pipeline tasks,
which are individual units of work within a data integration workflow. These tasks handle data integration and
transformation operations by securely connecting to data sources and targets. By utilizing secure network protocols,
the Agent ensures that data is transferred between the Matillion platform and connected data sources in a secure
manner. It acts as a bridge, enabling the seamless movement of data while maintaining its integrity and
confidentiality.

The Agent can be configured in two ways:

1) In Matillion’s cloud network, fully managed by Matillion, the Agent:

a. Resides in Matillion’s VPC,

b. Initiates connectivity to Matillion’s control plane,
c. Preforms authentication to ensure access and tenant integrity, and
d. Logs Agent health and status information (no customer data in logs).

Matillion Limited | SOC 2 Type 2 14

For the Period Ending July 31, 2024
 2) Inside the customer’s cloud virtual network, the Agent:

a. Runs inside of customer’s VPC,

b. Initiates connectivity to Matillion’s control plane to request schedules and exchange data, and
c. Logs information to the customer’s storage container configured by the customer and in their
cloud platform.

Applications in Matillion Data Productivity Cloud

Hub – serves as the central place for administering and monitoring Matillion Data Productivity Cloud. This Web based
application offers a multi-tenant environment, allowing users to access and manage their specific environments and
data pipelines efficiently. One of the key features of Hub is its ability to aggregate metadata from customer
environments and data pipelines. This enables real-time visibility and observability into the performance of pipeline
runs, as well as any failures that may occur. Providing comprehensive insights into pipeline execution and status
empowers Hub users to quickly identify and address any issues, ensuring smooth data processing and minimizing
downtime. In addition to monitoring pipeline performance, Hub also provides information on credit consumption.
This allows users to track and manage their credit usage, ensuring optimal utilization of resources within Matillion
Data Productivity Cloud.

Furthermore, Hub offers visibility into the status of Matillion ETL instances. Users can easily monitor the health and
availability of their Matillion ETL instances, enabling proactive management and troubleshooting as needed. The
capabilities of Hub allow users to efficiently administer and monitor their data workflows within Matillion Data
Productivity Cloud. The centralized nature of Hub enhances operational efficiency, enabling users to gain valuable
insights, address issues promptly, and optimize the utilization of their Matillion resources. Hub does not collect or
store customer data, only the data described in the Control Plane section.

Hub Architecture

Matillion Limited | SOC 2 Type 2 15

For the Period Ending July 31, 2024
Designer – is a comprehensive and fully managed data pipeline builder. This SaaS Web based application empowers
users to create robust and efficient data integration workflows with ease.

As a multi-tenant platform, Designer allows multiple users and teams to work concurrently, leveraging the power of
collaborative data integration. With its intuitive interface, users can visually design and configure data pipelines,
including data extraction, transformation, and loading processes. The Designer application simplifies complex data
integration tasks, enabling users to efficiently handle diverse data sources and formats. Management, upgrades, and
performance of the Matillion control plane are meticulously handled by Matillion's Site Reliability Engineering (SRE)
team. This ensures that the control plane remains highly available, reliable, and performs optimally, all while being
transparent to valued customers. With Matillion taking care of the operational aspects, users can focus on designing
and implementing their data integration workflows without worrying about infrastructure management. Designer
offers a powerful and streamlined experience for building data integration pipelines. By leveraging its capabilities,
users can accelerate their data integration projects, streamline data processes, and unlock the true value of their
data assets.

Designer Deployment and Connectivity (Fully Managed)

Designer Deployment and Connectivity (Hybrid Cloud)

Matillion Limited | SOC 2 Type 2 16

For the Period Ending July 31, 2024
The Designer relies on Agents to connect to data sources and targets using the access credentials provided by the
customer, which are stored inside the Matillion Secrets Manager or using OAuth securely at pipeline runtime. The
Agent(s) connect to the Hub to retrieve pipelines and schedules, and to provide pipeline execution status for system
observability. Agents connect directly to sources and targets, limiting the “hops” of data in transit. Agents leverage
the encryption protocols employed by the sources and targets, as configured by users at design time.
Transformations are orchestrated inside the cloud data platform target after data is landed (ELT).

Designer pipelines can operate with two processing models: Matillion-hosted agents, which orchestrate data
pipelines from Matillion’s control plane, or with customer-hosted Agents in the data plane (inside customers’ VPC) to
ensure data jurisdiction and isolation requirements are met. These processing models are not mutually exclusive;
customers may choose to operate in both modes for different workloads.

A key feature of Designer is Data Sampling. Matillion Data Productivity Cloud includes a design-time sampling
capability. Users have the ability to see a sample of data in its post-processing state, should a given component be
executed. This is intended to ease the pipeline design process by allowing users to preview the results of pipelines
without executing them.

Data Loader Batch – is a versatile and user-friendly Software-as-a-Service (SaaS) application designed to facilitate the
rapid configuration and execution of batch data load and replication pipelines. With its multi-tenant architecture,
multiple customers can leverage the capabilities of Data Loader Batch simultaneously. One of the key benefits of
Data Loader Batch is that the management, upgrades, and performance tuning of the application are expertly
handled by Matillion's Site Reliability Engineering (SRE) team. This ensures the application remains highly available,
performs optimally, and incorporates the latest enhancements and updates. Users can enjoy the benefits of
continuous improvements and reliability without any disruption or additional management responsibilities. With
Data Loader Batch, users can simplify and streamline their batch data loading and replication tasks, saving time and
effort. By leveraging the power of this SaaS application, users can focus on the data itself and its utilization, while
Matillion's SRE team takes care of the operational aspects, ensuring a seamless and efficient experience. Data Loader
Batch is a reliable and efficient solution for managing data loading and replication pipelines, allowing users to
accelerate their data integration processes and derive maximum value from their data.

Data Loader Batch Deployment and Connectivity

Matillion Limited | SOC 2 Type 2 17

For the Period Ending July 31, 2024
Data Loader Batch pipelines operate with a fully-managed processing model from customer-dedicated virtual
resources inside Matillion’s control plane. The Loader connects to data sources and targets using the access
credentials provided by the customer, which are stored inside the Matillion Secrets Manager or using OAuth securely
at pipeline runtime. The service transmits data using a temporary, isolated runner in the Matillion VPC to pull data
from the source and then stages the data to a staging area inside the customer’s cloud data platform. The runner
service then loads the data into the target table in the target data platform; this connectivity is always encrypted via
JDBC TLS or HTTPS.

Data Loader Change Data Capture (CDC) – is a powerful and versatile Hybrid Software-as-a-Service (SaaS) application
offered by Matillion. It provides customers with a seamless and efficient solution to configure and enable change
data capture processes. With its multi-tenant architecture, multiple customers can leverage the capabilities of CDC
concurrently. The application simplifies the configuration and activation of change data capture, allowing users to
efficiently capture and track changes made to their data sources in near real-time. By identifying and capturing data
modifications, CDC enables users to stay up-to-date with the latest changes in their data, facilitating timely and
accurate data integration and replication processes. Matillion takes responsibility for the management, upgrades,
and performance of the CDC control plane through its dedicated Site Reliability Engineering (SRE) team. This ensures
that the control plane remains highly available, performs optimally, and incorporates the latest enhancements and
updates.

With Change Data Capture, customers leverage the captured changes for various use cases, such as data
synchronization, data integration, and real-time analytics. The application streamlines the process of capturing and
managing changes, providing users with the flexibility and agility needed to respond quickly to evolving data
requirements.

Data Loader Change Data Capture Deployment and Connectivity

CDC pipelines are processed by CDC Agents, which are configured from the CDC Web UI but reside in the customer’s
data plane.

Matillion Limited | SOC 2 Type 2 18

For the Period Ending July 31, 2024
System Description

Principal Services Provided

Matillion is the data pipeline platform that empowers data teams to build and manage pipelines faster for AI and
analytics – at scale. Matillion allows data engineers to take advantage of AI capabilities and code-optional workflows,
harness the processing power of their cloud data platform and cloud providers, and leverage generative AI to
enhance data that is used for operational and advanced analytics. Thousands of enterprises including Cisco,
DocuSign, Slack, and TUI trust Matillion for a wide range of use cases from insights and operational analytics, to data
science, machine learning, and AI. Matillion has dual headquarters in Denver (U.S.) and Manchester (UK).

Principal Service Commitments and System Requirements

Service commitments to user entities are documented and communicated in the End User License Agreement
(“EULA”) as well as in the description of the product (METL) and the service offering (Data Productivity Cloud)
provided online. Service commitments are generally standardized and include, but are not limited to:

 Confidentiality provisions regarding proprietary technical and business information of both Matillion and its
customers
 Define and manage the delivery of services including resources and scheduling
 Service usage level and performance from anonymized aggregate data

In achieving its service commitments and system requirements, Matillion has implemented various internal controls
to ensure security such as:

 Use of a strong authentication for client portal

 Role-based access controls and continuous review and monitoring of key applications and the network
 Security monitoring infrastructure including intrusion detection, centralized log management and alerting
 Incident response program designed to minimize the impact of incidents and protect resources

Matillion establishes operational requirements that support the achievement of service commitments, relevant laws
and regulations, and other system requirements. Such requirements are communicated in Matillion’s system policies
and procedures, system design documentation, and contracts with customers. Information security policies define an
organization-wide approach to how systems and data are protected. These include policies around how the service is
designed and developed, how the system is operated, how the internal business systems and networks are managed,
and how employees are hired and trained.

Components of the System

The System consists of five key components organized to achieve a specified objective. The five components are
categorized as follows:

 Infrastructure – physical hardware components of a system (facilities, equipment, and networks)

 Software – programs and operating software of a system (systems, applications, and utilities)
 People – personnel involved in the operation and use of a system (developers, operators, users and
managers)
 Processes and Procedures – automated and manual procedures involved in the operation of a system
 Data – information used and supported by a system (transaction streams, files, databases, and tables). Using
the above framework
Matillion Limited | SOC 2 Type 2 19
For the Period Ending July 31, 2024
Infrastructure

Matillion’s products and platforms are hosted in a range of different options. Authentication is via a Web portal and
leverages a third party authentication provider to manage users and groups with serverless code executed in
Matillion’s environment and user records stored within an AWS Aurora database. Users can utilize a limited version
of the METL product set that is architected using REST APIs to manage their data pipelines. Third party integrations
are built into MDL often using OAuth for authentication to data sources. A scheduler is implemented using serverless
technologies to execute defined jobs at a certain point in time. These jobs are run in containerized environments.

Within Hybrid deployment models and CDC, an Agent is located in the customer VPC that communicates back to the
Matillion Hub. In a fully managed model, the functionality provided by the agent is executed within the Matillion VPC
as a containerized execution. Infrastructure is hosted in either the EU or U.S.

Software

METL, MDL (and CDC), and DPC are applications developed and maintained by Matillion’s in house engineering team.
The engineering team enhances and maintains both applications to provide services for the Matillion’s customer
base. Matillion’s METL software is sold via a number of cloud platforms (marketplaces) and through the Hub service.
MDL is freely available online as a SaaS platform.

Matillion hosts a Web site to supplement their ability to communicate and exchange information with their
customers. Each page targets a specific audience and is designed to address their business needs depending upon the
version of the Matillion product they are using.

Enterprise applications utilized to support Matillion:

 AWS – cloud computing including EC2, Lambda, Aurora MySQL, VPC, Route 53, API Gateway, S3, CloudWatch
 Google Workspace – cloud computing and productivity and collaboration tools (Gmail, Calendar, Drive, etc.)
 Google Cloud Platform – cloud computing and product testing
 Atlassian – source code repository and version control software, software project management, and Intranet
for collaboration
 Statuspage – monitor system uptime and communicate outages on MDL
 CircleCI – software build, test, and deployment
 Auth0 – authentication to the MDL platform
 Okta – conditional access to Matillion SaaS applications
 Snyk – third party dependency analysis
 Slack – collaboration and internal communications
 Datadog – monitoring and analytics of the Matillion Platform
 Expel – security event detection and response activities
 Terraform Cloud – provision, change, and version resources on environments
 Hashicorp Vault – identity based security automation and encryption as a service
 Launch Darkly – deploy features into products in a controlled manner with rollback capabilities
 Netsuite – enterprise resource planning
 Sysdig – security and monitoring for container based environments
 StackHawk – API security testing
 Dispatch – establish and maintain quality gates for automated build pipelines
 PagerDuty / Rootly – manage information security incidents

Matillion Limited | SOC 2 Type 2 20

For the Period Ending July 31, 2024
People

Matillion has a staff of approximately 485-500 employees which is a globally distributed workforce working between
dual headquarters in Denver, CO and Manchester (UK). Employees meet once per year at the Manchester
headquarters for company planning, training, and collaboration.

Processes and Procedures

Matillion has a set of policies and procedures to govern Information Security. Changes to these policies and
procedures are performed annually and authorized by Senior Management. These procedures cover:

 Data classification
 Vulnerability and patch management
 Software development lifecycle
 Password and authentication
 Physical security
 Risk assessment and management
 System access and control
 Vendor management
 Acceptable use
 Security awareness training
 Incident response
 Social media
 Electronic monitoring
 Data backup and retention

Data

Data, as defined by Matillion, constitutes the following:

 Customer account Metadata

 Transaction data
 Output reports
 Input reports
 System files
 Error logs

The end user initiates transaction processing by operating their instance of Data Productivity Cloud/METL/, and this
causes Data Productivity Cloud/METL/ to ingest data from the source and copy it into the customer's target Cloud
Data Warehouse, often via customer owned cloud object storage for performance best practices. The customer may
optionally choose to subsequently transform the data, and this occurs entirely within the customer's target Cloud
Data Warehouse. During the ingestion and transformation of data, system files and error logs may be generated by
Data Productivity Cloud/METL/, and the end user may choose to share those files and logs with Matillion. If that is
done, the system files and error logs become associated with that customer's account metadata. The end user may
choose to view data samples at any time, and these appear inside their METL/Data Productivity Cloud user interface
in the form of Input Reports. Within Data Productivity Cloud, data transits the MDL platform when it is loaded into a
CDW, data flows are unique to a particular organization and can only be accessed by members of that organization.
Access to the Data Productivity Cloud Web interface is conducted over HTTPS for the purpose of viewing and
reporting.
Matillion Limited | SOC 2 Type 2 21
For the Period Ending July 31, 2024
Disclosures

Informed by Management there were no security incidents (affecting the entity’s ability to maintain service
commitments) reported during the period under review.

Matillion Limited | SOC 2 Type 2 22

For the Period Ending July 31, 2024
RELEVANT ASPECTS OF THE CONTROL ENVIRONMENT, RISK ASSESSMENT, MONITORING, AND
INFORMATION AND COMMUNICATION
Control Environment

Matillion’s organizational structure provides an overall framework for planning, directing and controlling enterprise-
wide operations. It relates to controls over the execution of transactions, services and operations and assigns
authority and responsibility to provide for applicable staffing, segregation of duties, efficiency of operation and
concentration of knowledge and skills.

Control environment elements include the following, and the extent to which each element is addressed at Matillion
is described below:

 Management Philosophy, Controls, and Operating Style

 Integrity and Ethical Values
 Security Management
 Physical Security and Environmental
 Organizational Structure
 Assignment of Authority and Responsibility
 Standard Operating Controls
 Audit
 Risk Assessment
 Monitoring

Management Philosophy, Controls, and Operating Style

Matillion’s control environment reflects the philosophy of Senior Management concerning the importance of security
of product, customer and corporate information. Matillion’s Security Working Group works through asynchronous
monthly updates and provides a yearly written report to the Executive Leadership Team. In designing its controls,
Matillion has taken into consideration the relevance of controls to meet the relevant trust criteria.

Management is responsible for directing and controlling operations; establishing, communicating, and monitoring
control policies and procedures; and setting the tone for the organization. Importance is placed on accuracy and
integrity, maintaining written and updated procedures, security and privacy, and establishing and maintaining sound
internal controls over all functional aspects of operations.

Management’s philosophy and operating style affect the way the entity is managed, including the kinds of business
risks accepted. Matillion places a great deal of importance on working to ensure that the integrity of processing is a
primary focus and that controls are maximized to mitigate risk in the daily operations. Management and specific
teams are structured to ensure the highest level of integrity and efficiency in customer support and transaction
processing.

Formal job descriptions and regular departmental meetings and staff interactions ensure communication of
organizational values, ethics, and behavior standards. Personnel operate under company policies and procedures,
including confidentiality agreements and security policies. Periodic training is conducted to communicate regulations
and the importance of privacy and security. Management is committed to being aware of regulatory and economic
changes that impact lines of business and monitoring customer base for trends, changes, and anomalies.

Matillion Limited | SOC 2 Type 2 23

For the Period Ending July 31, 2024
Competence should reflect the knowledge and skills needed to accomplish tasks that define an individual’s job.
Through consideration of an entity’s objectives and the strategies and plans for achievement of those objectives,
Management must determine how well these tasks need to be accomplished. Management identified the
competence levels for particular jobs and translated those levels into requisite knowledge and skills.

Integrity and Ethical Values

Maintaining a climate that demands integrity and ethical values is critical to the establishment and maintenance of
an effectively controlled organization. The effectiveness of internal controls cannot rise above the integrity and
ethical values of the people who create, administer, and monitor them. Matillion has programs and policies designed
to promote and ensure the integrity and ethical values in its environment.

Matillion desires to maintain a safe, pleasant, and cooperative working environment and expects employees to have
high standards of performance, integrity, productivity, and professionalism. Matillion developed professional
conduct policies that set forth policies of importance to all employees relating to ethics, values, and conduct. All
employees are expected to know and adhere to these standards, as well as to generally accepted norms of conduct
and courtesy at all times. While managers are responsible for understanding, communicating, and enforcing
company policies, this does not override or diminish an employee’s individual responsibility to be aware of and
adhere to these policies. Violations of these policies or other forms of misconduct may lead to disciplinary or
corrective action up to and including dismissal.

Standards of Conduct

The Company implemented standards of conduct to guide all employee and contractor behavior. Management
monitors behavior closely, and exceptions to these standards lead to immediate corrective action as defined by
Human Resources (HR) policies and procedures. Additionally, all employees must sign confidentiality agreements
prior to employment. Any employee found to have violated the Company’s ethics policy may be subject to
disciplinary action, up to and including termination of employment.

Matillion has documented the code of business conduct and ethical standards in the employee handbook which is
reviewed at least on an annual basis and updated if required. A copy of the Handbook is made available on the
Matillion intranet site. Matillion employees are required to read and accept the code of business conduct and ethical
standards included in the Employee Handbook as part of their onboarding process and anytime there are any major
updates to the document.

Commitment to Competence

The Company has formal job descriptions that define roles and responsibilities and the experience and background
required to perform jobs in a professional and competent fashion. The Company determines the knowledge and skills
needed to perform job duties and responsibilities and hires for that skill set and job requirement. Management
monitors and formally evaluates employee and contractor performance on a periodic basis to determine that
performance meets or exceeds Matillion standards.

Security Management

Matillion has a dedicated information security team consisting of a CISO, Director of Cloud Security Ops, Sec-Ops
Manager, and GRC Sr Analyst/Manager who are responsible for management of information risk and security
throughout the organization. A Cloud Security Engineer is responsible for securing Matillion’s cloud network and a
Lead Application Security Engineer is responsible for the secure development of all commercial product related code.

Matillion Limited | SOC 2 Type 2 24

For the Period Ending July 31, 2024
The Company maintains security credentials which are required to annually sign and acknowledge their review of the
information security policies. They are responsible for developing, maintaining, and enforcing Matillion’s information
security management system. The information security policy is reviewed annually by the CISO and is approved by
the executive leadership team.

As the information security team maintains security, it monitors, for example, known incidents and patches as well as
results from recent vulnerability assessments and addresses necessary changes to the policies and procedures. Such
changes can include a reclassification of data, a reassessment of risk, changes in incident response plans, and a
verification of responsibilities for authorizing and monitoring accesses. Changes are reviewed and communicated
during weekly IT maintenance meetings or through system alerts.

Matillion maintains employee training programs to promote awareness of information security requirements as
defined in the Security & Privacy Awareness Policy. All employees are required to be trained on information security
on an annual basis and within 30 days of hire. All employees are subject to Matillion’s policies and procedures
regarding system access and policy violations may result in disciplinary action. Employees are instructed to report
potential security incidents to the help desk.

Physical Security and Environmental Controls

Matillion’s offices are located in a range of serviced office providers. These offices are subject to registration upon
entry and are protected by both CCTV and swipe access for all offices. The METL product is self-hosted and is subject
to customers’ physical controls. Data Productivity Cloud/MDL is hosted in AWS cloud infrastructure or hybrid
environment depending upon deployment models. Hence, Matillion relies on AWS’s physical security and
environmental controls for the physical security of the infrastructure hosting the Data Productivity Cloud/MDL and its
data. Matillion has implemented monitoring controls to request, receive and review the SOC 2 Type II report from
AWS on an annual basis to determine adequacy of controls implemented by AWS.

Organizational Structure

An entity’s organizational structure provides the framework within which its activities for achieving entity-wide
objectives are planned, executed, controlled, and monitored. Significant aspects of establishing a relevant
organizational structure include defining key areas of authority and responsibility and establishing appropriate lines
of reporting. Significant cross training between management positions and between staff positions exists to help
ensure smooth operations and maintenance of controls during staff or management absence.

Assignment of Authority and Responsibility

The extent to which individuals recognize that they are held accountable influences the control environment. This
holds true for everyone who has ultimate responsibility for activities within an entity, including the internal control
system. This includes assignment of authority and responsibility for operating activities, and establishment of
reporting relationships and authorization protocols. Matillion’s Management encourages individuals and teams to
use initiative in addressing issues and resolving problems. Policies describing appropriate business practices,
knowledge and experience of key personnel, and available resources are provided to employees in order to assist
them in carrying out their duties.

The Company is led by a team of senior executives that assigns authority and responsibility to key management
personnel with the skills and experience necessary to carry out their assignments. Such assignments commonly relate
to achieving corporate objectives, oversight of operating functions, and any compliance with applicable regulatory

Matillion Limited | SOC 2 Type 2 25

For the Period Ending July 31, 2024
requirements. Open dialogue and individual initiative are encouraged as fundamental parts of the Company’s goal to
deliver client service.

Roles and Responsibilities

The following organizational chart depicts Matillion’s corporate structure.

Executive Management – This team comprises the department heads across the organization headed by the CEO. It
is responsible for setting and executing on corporate strategy. It uses a range of business intelligence tooling and
metrics to measure performance at an overall corporate level.

Product and Engineering – This team builds the applications and their connectors. The team comprises of software
engineers, automation engineers, and test engineers. Prior to release of a product, the documentation team also
ensures supporting documentation is up to date to support customers. This team interfaces with customers and the
market to ensure customer requirements are packaged into user stories for the Engineering team to work upon. They
also ensure the products are built to have a strong UX/UI.

Product Owners – are responsible for liaising with customers and watching the market to define the product
development and associated stores to the engineering team.

Software Engineers – are responsible for creating, modifying and updating the codebase that drives the
Company’s core applications of METL and MDL. They work using SCRUM techniques across a modern
technology stack and defined by Matillion’s SDLC.

Automation and Test Engineers – are responsible for testing the finished products and ensuring that release
candidates meet the requirements defined in a particular set of specifications.

Documentation – is responsible for writing the supporting documentation that assists Matillion’s customer in
deploying and utilizing its products.

Sales, Marketing, and Customer Success – this ‘go to market’ function is responsible for conducting marketing
activities in order to create awareness of the brand and products, acquire and retain customers, and manage
customers’ success with Matillion.

Sales – is responsible for generating awareness with new customer prospects.

Solutions Architects – are responsible for delivering technical know-how and expertise to ensure customers
realize the full value of Matillion.

Matillion Limited | SOC 2 Type 2 26

For the Period Ending July 31, 2024
 Sales Engineering – is responsible for technical engineering support to sales motions.

Account Executives – are responsible for selling to and securing new customers, along with retaining the
customer base and key accounts.

Marketing – is responsible for generating demand and awareness of the organization and products.

Customer Success – is responsible for ensuring customers are managed and supported effectively through
the lifecycle of the customer.

Legal and Commercial – is for providing legal guidance and advice to the organization.

Finance and Operations – are responsible for running the financial accounts of Matillion, reporting on the general
health of the business and providing internal IT and Security services to the business.

Financial Planning – is responsible for budgeting and forecasting, financial analytics and reporting, and
assistance for strategic planning.

Accounting – is responsible for all financial transactions within the business both inbound and outbound.

Insights – is responsible for providing internally focused business intelligence services to Matillion.

Security (i.e., Office of CISO) – is responsible for overseeing the risk and cyber security functions which
includes application security, security operations and GRC, along with advising the board of directors and
Senior Management on the security risk management posture and initiatives.

IT – is responsible for service desk and systems administration.

Standard Operating Controls

Matillion Management sends guidance to employees regarding expected levels of integrity, ethical behavior, and
competence. Such practices relate to hiring, orientation, training, evaluation, counseling, promotion, compensation,
and remedial actions.

Matillion has hiring practices that are designed to help ensure that new employees are qualified for their job
responsibilities. All applicants pass through an interview process that assesses their qualifications related to the
expected responsibility level of the individual. As part of the onboarding process, requisite background checks and/or
employment checks are performed as defined in Matillion's hiring procedures. New employees are required to sign
an employment agreement upon hire as acknowledgment not to disclose proprietary or confidential information.

Change Management

Matillion has a formalized change management process in place, which requires identification and recording of
significant changes, assessment of risk and potential effect of such changes, approval of proposed changes, and
testing of changes to verify operational functionality. Matillion has a formalized security and systems development
methodology that includes project planning, design, testing, implementation, maintenance, and disposal or
decommissioning.

Proposed changes are evaluated to determine if they present a security or operational risk and what mitigating
actions, including employee and user entity notifications, must be performed. Changes to infrastructure and software
Matillion Limited | SOC 2 Type 2 27
For the Period Ending July 31, 2024
are developed and tested in a separate development or test environment before implementation. Additionally,
developers do not have the ability to migrate changes into production environments. Emergency changes follow the
formalized change management process, but at an accelerated timeline. Change approvals are sought after any
emergency.

Application Development

The Matillion Data Productivity Cloud platform undergoes a meticulous process for updates and version control,
ensuring the stability and reliability of the platform. Each release goes through three distinct environments, each
with specific quality assurance measures applied. The first environment is a development environment where new
features and enhancements are implemented and tested. Here, the development team ensures that the changes
meet the required specifications and standards.

Once the development phase is complete, the release moves to a testing environment. In this environment,
comprehensive testing procedures are conducted to validate the functionality and performance of the new release.
This includes various types of testing, such as functional testing, integration testing, and regression testing, to identify
and address any issues or conflicts.

After successful testing, the release progresses to a staging environment. Here, it undergoes further verification and
validation to ensure that it is ready for deployment to the production environment. This includes performance
testing, security checks, and user acceptance testing, among others. Promotions to the production environment are
performed by a limited number of authorized Site Reliability Engineers, adhering to the principle of least privilege.
This strict access control ensures that only qualified personnel can perform deployments to the live production
environment.

To maintain a high level of security and accountability, all access to these environments is logged and monitored
using Matillion's security monitoring and alerting system. This allows for comprehensive tracking and analysis of all
activities within the environments, enhancing the platform's overall security posture. Following this rigorous update
and version control process ensures the Matillion Data Productivity Cloud platform remains stable, reliable, and
secure, providing customers with a robust and trustworthy solution for their data integration needs.

Incident Management

Security incidents and other IT related problems are reported to the help desk. Issues are tracked using a help desk
ticket and monitored until resolved.

Backups

Matillion uses cloud native backup of its data files and software. Access to backup devices, scheduling utilities,
systems, and media is restricted to authorized personnel.

System Account Management

Matillion has implemented role based security to limit and control access within all products. Employees are granted
logical and physical access to in-scope systems based on documented approvals by appropriate management
personnel. The ability to create or modify user access accounts and user access privileges is limited to authorized
personnel. User access is reviewed quarterly to verify whether individuals’ access is necessary for their job functions
and to identify the existence of inappropriate accounts.

Matillion Limited | SOC 2 Type 2 28

For the Period Ending July 31, 2024
The PeopleOps (i.e., HR) department provides IT personnel with a termination ticket when any terminations are
processed. The IT team reconciles the termination report with current access privileges to determine if access has
been appropriately removed or disabled. Dormant accounts are reviewed and disabled on a quarterly basis.
Administrative access to core services such as Google Workspace (formerly G Suite), Directory services and Cloud
based Infrastructure providers is restricted to authorized employees.

Unique user identification numbers, names, and passwords are required to authenticate all users to METL and MDL
environments. Password parameters consist of the following:

 Passwords contain a minimum of 8 characters and have varying complexity requirements.

 Passwords are not set to expire based on current National Cyber Security Centre (NCSC) guidance.
 Log-on sessions are terminated after failed log-on attempts.
 Password reuse is prohibited.
 MFA is configured in addition to passwords in all places where possible.

Configuration and Vulnerability Monitoring

Matillion conducts monthly vulnerability assessments to identify potential system vulnerabilities. Patches are applied
regularly in accordance with Matillion’s patch management process.

Matillion maintains centralized admin access to all machines. Device access policies are utilized to ensure compliance
goals and block access based on the health of end point devices. Matillion issued desktops and/or laptops are
protected against malicious attacks using an anti-virus/anti-malware software which is configured to receive
automatic updates and to provide real-time protection.

Audit

Matillion Management performs periodic audits of procedures and holds scheduled compliance meetings with staff
to review current and new procedures.

Risk Assessment and Management

Matillion has implemented a Risk Management Program which includes periodic risk assessments, creation of a risk
register, and implementation of risk mitigation steps. Matillion regularly reviews the risks that may threaten the
achievement of the criteria for the security principle set forth in TSP section 100, Trust Services Principles and Criteria
for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and
Criteria). A formal risk assessment is maintained and reviewed at least annually by the Risk Committee. As part of the
risk assessment, Management assesses the environment, complexity, nature and scope of its operations. Matillion
has established an Executive Management Committee comprising of Senior Management. This Committee meets at
least on an annual basis to review and approve updates to policies and procedures, Risk Management Program, and
Security Dashboard (security incidents, assessment results, and status of remediation items).

Senior Management, as part of its annual information security policy review, considers developments in technology
and the impact of applicable laws and regulations on Matillion’s policies. Changes in security threats and risks are
reviewed by Matillion, and updates to existing control activities and information security policies are performed as
necessary.

Matillion Limited | SOC 2 Type 2 29

For the Period Ending July 31, 2024
Monitoring

Matillion’s Management monitors the quality of the internal control performance as a normal part of its activities. As
a component of the ongoing monitoring, Management generates and reviews a series of management reports, that
contain various data points that enable management to measure the results of various processes.

In addition to the daily oversight, monthly vulnerability assessments, monitoring and alerting, Management provides
further security monitoring through internal audits, which include information security assessments.

As an additional measurement, Matillion regularly performs monitoring activities to assess the control activities being
performed by subservice organizations utilized to maintain and operate the Matillion system. These monitoring
activities vary based on the service provided by the subservice organization but include a range of assessing their
independent attestation report, and/or through its daily operational activities through the direct management or
interaction with the subservice organization.

Information and Communication

Matillion uses a variety of methods for communication to ensure that significant events and issues are conveyed in a
timely manner and that staff understand their role and responsibility over service and controls. These methods
include the following: new hire training; ongoing training; policy and process updates; weekly departmental
meetings summarizing events and changes; use of email to communicate time sensitive information; and the
documentation and storage of historical data in internal repositories for business and support activities. The
Company maintains systems that manage the flow of information and facilitate communication with its customers.

Information Flow from Senior Management to Operations Staff

Matillion has implemented various methods of communication to help ensure that employees understand their
individual roles and responsibilities over processing and controls and communicates significant events in a timely
manner. Employee manuals are provided upon hire that communicate all policies and procedures concerning
employee conduct. Security of the physical premises and logical security of systems are reinforced by training and
through awareness programs. The communication system between Senior Management and operations staff
includes the use of the office email system, written memos when appropriate, and weekly meetings. Managers hold
departmental meetings with personnel to discuss new Company policies and procedures and other business issues.

Recurring staff and training meetings are utilized to inform staff of new policy and technology updates.
Communication is encouraged at all levels to promote the operating efficiency of Matillion.

Communication

Matillion uses a variety of methods for communication to ensure that significant events and issues are conveyed in a
timely manner and that staff understand their role and responsibility over service and controls. These methods
include the following: new hire training, ongoing training, policy and process updates, recurring departmental
meetings summarizing events and changes, use of email to communicate time sensitive information, and the
documentation and storage of historical data in internal repositories for business and support activities. The
Company maintains systems that manage the flow of information and facilitate communication with its customers.

Matillion Limited | SOC 2 Type 2 30

For the Period Ending July 31, 2024
Subservice Organizations

Matillion contracts with Amazon Web Services (AWS) for infrastructure-as-a-service and cloud computing. AWS
maintains a current SOC 1 Type 2 and SOC 2 Type 2 report.

Matillion contracts with Google LLC for infrastructure-as-a-service and enterprise applications. Google maintains a
current SOC 2 Type 2 report.

Matillion contracts with Microsoft Corporation – Azure including Dynamics 365 for cloud computing and enterprise
applications. Microsoft maintains a current SOC 2 Type 2 report.

Matillion contracts with Salesforce, Inc. for customer relationship management. Salesforce maintains a current SOC 2
Type 2 report.

Matillion contracts with Atlassian Corporation PLC for source code repository, version control, and software project
management. Atlassian maintains a current SOC 2 Type 2 report.

Matillion contracts with Okta, Inc. (including Auth0) for authentication tools, conditional multifactor authentication,
and access to SaaS applications. Okta maintains a current SOC 2 Type 2 report.

Matillion contracts with Recurly, Inc. for the entity’s billing engine and related tools. Recurly maintains a current SOC
2 Type 2 report.

These subservice organizational controls are specifically included in trust services criteria:

CC6.4 – The entity restricts physical access to facilities and protected information assets (for example, data
center facilities, backup media storage, and other sensitive locations) to authorized personnel to meet the
entity’s objectives.

User Control Considerations

The Company’s applications are designed with the assumption that certain controls would be implemented by user
organizations. In certain situations, the application of specific controls at the user organization is necessary to
achieve control objectives included in this report.

This section describes additional controls that should be in operation at user organizations to complement the
controls at the Company. User auditors should consider whether or not the following controls are implemented at
user organizations:

 Customers are responsible for reviewing contracts with Matillion and ensuring authorized personnel execute
contracts for services.
 Customers are responsible for providing and maintaining an information technology infrastructure that has
embedded logical and physical environmental controls to protect against unauthorized access. This should
include the end user workstation environment used to access MDL as well as the environment where
Matillion ETL is installed.
 Customers are responsible for ensuring only authorized users are granted access to the MDL portal and its
functionalities.
 Customers are responsible for treating MDL access accounts’ sign-in names and password information as
secure and private and in accordance with industry best practices.

Matillion Limited | SOC 2 Type 2 31

For the Period Ending July 31, 2024
  Customer are responsible for deploying updates to ETL available from Matillion.
 Customers are responsible for implementing adequate network security controls including perimeter firewall,
routing rules, encrypted communication, etc. in their environment where Matillion ETL has been deployed.
 Customers are responsible for reporting to Matillion the incidents specific to their MDL accounts.
 Customers are responsible for developing, maintaining, and testing their own business continuity plan (BCP)
or for contracting with Matillion for its BCP services.
 Customers are responsible for the security and integrity of their transmission facilities, operating facilities,
and equipment that are used to access Matillion secured software.
 Customers are responsible for the transmission and reception of all data and transactions initiated through
their Web sites.
 Customers are responsible for discharging all duties to remain in compliance with their agreements with
Matillion.

The list of user organization control considerations presented above and those presented with certain specified
control objectives do not represent a comprehensive set of all the controls that should be employed by user
organizations. Other controls may be required at user organizations. Providing data center colocation and managed
services for customers by Matillion covers only a portion of the overall internal control structure of each customer.
The Company products and services were not designed to be the only control component in the internal control
environment. Additional control procedures require implementation at the customer level. It is not feasible for all of
the control objectives relating to providing data center colocation and managed services to be fully achieved by
Matillion. Therefore, each customer’s system of internal controls must be evaluated in conjunction with the internal
control structure described in this report.

Matillion Limited | SOC 2 Type 2 32

For the Period Ending July 31, 2024
III. Information Provided by Ascend Audit &
Advisory

Matillion Limited | SOC 2 Type 2 33

For the Period Ending July 31, 2024
COMMON CONTROL CRITERIA – SECURITY CATEGORY

TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
REF #
Control Environment

CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC1.1 COSO Principle 1: The entity Sets the Tone at the Top—The board of Inspected board of directors meeting No exceptions
demonstrates a commitment to directors and Management, at all levels, minutes, Management communications to noted.
integrity and ethical values. demonstrate through their directives, personnel regarding employee and corporate
actions, and behavior the importance of governance objectives and updates, the most
integrity and ethical values to support the current employee handbook including the
functioning of the system of internal ethical conduct policy, and the most current
control. employee confidentiality and non-
competition agreement to determine the
board of directors and Management, at all
levels, demonstrated the importance of
integrity and ethical values to support the
functioning of the system of internal control.

Establishes Standards of Conduct—The Inspected Management communications to No exceptions

expectations of the board of directors and personnel regarding employee and corporate noted.
Senior Management concerning integrity governance objectives and updates, the most
and ethical values are defined in the current employee handbook including the
entity's standards of conduct and ethical conduct policy, the most current
understood at all levels of the entity and employee confidentiality and non-
by outsourced service providers and competition agreement, the entity's mutual
business partners. nondisclosure agreement, and executed
vendor and client agreements to determine
standards of conduct were communicated at
all levels of the entity and to outsourced
service providers and business partners.

Matillion Limited | SOC 2 Type 2 34

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC1.1 COSO Principle 1: The entity Evaluates Adherence to Standards of For the selection of active and eligible No exceptions
(Cont.) demonstrates a commitment to Conduct—Processes are in place to employees, inspected online confirmations of noted.
integrity and ethical values. evaluate the performance of individuals completed employee performance reviews to
and teams against the entity's expected determine processes were in place to
standards of conduct. evaluate the performance of individuals
against the entity's expected standards of
conduct.

Addresses Deviations in a Timely Inspected the entity’s most current No exceptions

Manner—Deviations from the entity's progressive disciplinary policy and noted.
expected standards of conduct are procedures, along with a documented formal
identified and remedied in a timely and disciplinary meeting, to determine deviations
consistent manner. from the entity's expected standards of
conduct were identified and remedied in a
timely and consistent manner.

Additional point of focus specifically related to all engagements using the trust services criteria:

Considers Contractors and Vendor Inspected the entity’s most current No exceptions
Employees in Demonstrating Its contractor management policy and noted.
Commitment—Management and the procedures to determine Management and
board of directors consider the use of the board of directors, at all levels,
contractors and vendor employees in its considered the use of contractors and vendor
processes for establishing standards of employees in its processes for establishing
conduct, evaluating adherence to those standards of conduct, evaluating adherence
standards, and addressing deviations in a to those standards, and addressing deviations
timely manner. in a timely manner.

Matillion Limited | SOC 2 Type 2 35

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC1.2 COSO Principle 2: The board of Establishes Oversight Responsibilities— Inspected board of directors meeting No exceptions
directors demonstrates The board of directors identifies and minutes, along with the most current board noted.
independence from Management accepts its oversight responsibilities in of directors members listing and associated
and exercises oversight of the relation to established requirements and biographies, to determine the board of
development and performance of expectations. directors identified its oversight
internal control. responsibilities in relation to established
requirements and expectations.

Applies Relevant Expertise—The board of Inspected board of directors meeting No exceptions

directors defines, maintains, and minutes, along with the most current board noted.
periodically evaluates the skills and of directors members listing and associated
expertise needed among its members to biographies, to determine the board of
enable them to ask probing questions of directors defined and evaluated its members
Senior Management and take with respect to enabling oversight of Senior
commensurate action. Management and took commensurate action.

Operates Independently—The board of Inspected the most current board of directors No exceptions
directors has sufficient members who are members listing and associated biographies noted.
independent from Management and to determine the board of directors had
objective in evaluations and decision sufficient members who were independent
making. from Management and objective in
evaluations and decision making.

Matillion Limited | SOC 2 Type 2 36

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional point of focus specifically related to all engagements using the trust services criteria:

CC1.2 COSO Principle 2: The board of Supplements Board Expertise—The board Inspected board of directors meeting No exceptions
(Cont.) directors demonstrates of directors supplements its expertise minutes, along with the most current board noted.
independence from Management relevant to security, as needed, through of directors members listing and associated
and exercises oversight of the the use of a subcommittee or consultants. biographies, to determine the board of
development and performance of directors supplemented its expertise, as
internal control. needed, through the use of outside
consultation.

Matillion Limited | SOC 2 Type 2 37

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC1.3 COSO Principle 3: Management Considers All Structures of the Entity— Inspected board of directors meeting No exceptions
establishes, with board oversight, Management and the board of directors minutes, Management communications to noted.
structures, reporting lines, and consider the multiple structures used personnel regarding employee and corporate
appropriate authorities and (including operating units, legal entities, governance, financial, business, operational,
responsibilities in the pursuit of geographic distribution, and outsourced IT, and cyber security objectives and updates;
objectives. service providers) to support the most current organizational charts, and the
achievement of objectives. entity's risk management program (i.e.,
ongoing risk assessments, risk ratings, and
risk mitigation activities) to determine
Management and the board of directors
considered the multiple structures used to
support the achievement of objectives.

Establishes Reporting Lines— Inspected the entity’s most current No exceptions

Management designs and evaluates lines organizational charts to determine noted.
of reporting for each entity structure to Management designed and evaluated lines of
enable execution of authorities and reporting to enable execution of authorities
responsibilities and flow of information to and responsibilities and flow of information
manage the activities of the entity. to manage the activities of the entity.

Matillion Limited | SOC 2 Type 2 38

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC1.3 COSO Principle 3: Management Defines, Assigns, and Limits Authorities Inspected board of directors meeting No exceptions
(Cont.) establishes, with board oversight, and Responsibilities—Management and minutes, Management communications to noted.
structures, reporting lines, and the board of directors delegate authority, personnel regarding employee and corporate
appropriate authorities and define responsibilities, and use governance, financial, business, operational,
responsibilities in the pursuit of appropriate processes and technology to IT, and cyber security objectives and updates;
objectives. assign responsibility and segregate duties and most current organizational charts to
as necessary at the various levels of the determine Management and the board of
organization. directors assigned responsibility and
segregated duties as necessary at the various
levels of the organization.

Additional points of focus specifically related to all engagements using the trust services criteria:

Addresses Specific Requirements When Inspected board meeting minutes, No exceptions

Defining Authorities and Management communications to personnel noted.
Responsibilities—Management and the regarding operational, IT, and cyber security
board of directors consider requirements objectives and updates; the most current
relevant to security when defining organizational charts, and the entity's risk
authorities and responsibilities. management program to determine
Management and the board of directors
considered requirements relevant to security
when defining authorities and
responsibilities.

Matillion Limited | SOC 2 Type 2 39

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria (continued):

CC1.3 COSO Principle 3: Management Considers Interactions with External Inspected board meeting minutes, No exceptions
(Cont.) establishes, with board oversight, Parties When Establishing Structures, Management communications to personnel noted.
structures, reporting lines, and Reporting Lines, Authorities, and regarding financial, business, operational, IT,
appropriate authorities and Responsibilities—Management and the and cyber security objectives and updates;
responsibilities in the pursuit of board of directors consider the need for executed vendor and client agreements, the
objectives. the entity to interact with and monitor entity's risk management program, and the
the activities of external parties when most current SOC reports of the entity’s
establishing structures, reporting lines, subservice organizations to determine
authorities, and responsibilities. Management and the board of directors
considered the need for the entity to interact
with and monitor the activities of external
parties when establishing structures,
reporting lines, authorities, and
responsibilities.

Matillion Limited | SOC 2 Type 2 40

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC1.4 COSO Principle 4: The entity Establishes Policies and Practices— Inspected the most current employee No exceptions
demonstrates a commitment to Policies and practices reflect expectations handbook, documented talent acquisition noted.
attract, develop, and retain of competence necessary to support the and new hire onboarding and orientation
competent individuals in alignment achievement of objectives. procedures, the entity’s online repository of
with objectives. company policies and procedures, and
completed compliance and departmental
training recordkeeping to determine policies
and practices reflected expectations of
competence necessary to support objectives.

Evaluates Competence and Addresses Inspected board meeting minutes, No exceptions

Shortcomings—The board of directors and Management communications to personnel noted.
Management evaluate competence across regarding employee and corporate
the entity and in outsourced service governance objectives and updates, online
providers in relation to established confirmations of completed employee
policies and practices and act as necessary performance reviews, a documented formal
to address shortcomings. disciplinary meeting, executed vendor
agreements, and the entity's risk
management program to determine the
board of directors and Management
evaluated competence across the entity and
had policies and practices in place to address
shortcomings.

Matillion Limited | SOC 2 Type 2 41

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC1.4 COSO Principle 4: The entity Attracts, Develops, and Retains Inspected documented talent acquisition and No exceptions
(Cont.) demonstrates a commitment to Individuals—The entity provides the new hire onboarding and orientation noted.
attract, develop, and retain mentoring and training needed to attract, procedures, the most current employee
competent individuals in alignment develop, and retain sufficient and handbook, the entity’s online repository of
with objectives. competent personnel and outsourced company policies and procedures, and
service providers to support the completed compliance and departmental
achievement of objectives. training recordkeeping to determine the
entity provided the mentoring and training
needed to attract, develop, and retain
sufficient and competent personnel to
support the achievement of objectives.

Plans and Prepares for Succession—Senior Inspected board meeting minutes, No exceptions
Management and the board of directors Management communications to personnel noted.
develop contingency plans for regarding employee and corporate
assignments of responsibility important governance, financial, business, operational,
for internal control. IT, and cyber security objectives and updates;
and the most current business continuity plan
to determine Management developed
contingency plans for assignments of
responsibility for internal control.

Matillion Limited | SOC 2 Type 2 42

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria:

CC1.4 COSO Principle 4: The entity Considers the Background of Individuals— For the selection of new employees, No exceptions
(Cont.) demonstrates a commitment to The entity considers the background of inspected completed background check noted.
attract, develop, and retain potential and existing personnel, confirmations to determine the entity
competent individuals in alignment contractors, and vendor employees when considered the background of potential
with objectives. determining whether to employ and personnel when determining whether to
retain the individuals. employ the individuals.

Considers the Technical Competency of Inspected documented talent acquisition and No exceptions
Individuals—The entity considers the new hire onboarding and orientation noted.
technical competency of potential and procedures, along with completed
existing personnel, contractors, and compliance and departmental training
vendor employees when determining recordkeeping; and observed via walkthrough
whether to employ and retain the procedures, the entity’s system monitoring,
individuals. infrastructure-as-a-service (IaaS) and cloud
and cyber security, threat detection /
prevention, endpoint protection, and backup
and restore software consoles and system
administration procedures to determine the
entity considered the technical competency
of individuals with respect to employment
and career advancement.

Matillion Limited | SOC 2 Type 2 43

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria (continued):

CC1.4 COSO Principle 4: The entity Provides Training to Maintain Technical Inspected documented new hire onboarding No exceptions
(Cont.) demonstrates a commitment to Competencies—The entity provides and orientation procedures, the most current noted.
attract, develop, and retain training programs, including continuing employee handbook, the entity’s online
competent individuals in alignment education and training, to ensure skill sets repository of company policies and
with objectives. and technical competency of existing procedures, and completed compliance and
personnel, contractors, and vendor departmental training recordkeeping to
employees are developed and determine the entity provided training
maintained. programs to ensure the skill sets and
technical competency of personnel were
developed and maintained.

Matillion Limited | SOC 2 Type 2 44

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC1.5 COSO Principle 5: The entity holds Enforces Accountability Through Inspected board of directors meeting No exceptions
individuals accountable for their Structures, Authorities, and minutes, along with Management noted.
internal control responsibilities in Responsibilities—Management and the communications to personnel regarding
the pursuit of objectives. board of directors establish the employee and corporate governance,
mechanisms to communicate and hold financial, business, operational, IT, and cyber
individuals accountable for performance security objectives and updates; and for the
of internal control responsibilities across selection of new employees, inspected signed
the entity and implement corrective acknowledgements of the employee
action as necessary. handbook including the conduct policy, along
with executed employment agreements, to
determine Management and the board of
directors established mechanisms to
communicate accountability for performance
of internal control responsibilities across the
entity.

Establishes Performance Measures, Inspected board of directors meeting No exceptions

Incentives, and Rewards—Management minutes, online confirmations of completed noted.
and the board of directors establish employee performance reviews, and the
performance measures, incentives, and entity’s employee performance policy and
other rewards appropriate for procedures to determine Management and
responsibilities at all levels of the entity, the board of directors established
reflecting appropriate dimensions of performance measures, incentives, and other
performance and expected standards of rewards appropriate for responsibilities at all
conduct, and considering the achievement levels of the entity including short- and
of both short-term and longer-term longer-term objectives.
objectives.

Matillion Limited | SOC 2 Type 2 45

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC1.5 COSO Principle 5: The entity holds Evaluates Performance Measures, Inspected Management communications to No exceptions
(Cont.) individuals accountable for their Incentives, and Rewards for personnel regarding employee governance noted.
internal control responsibilities in Ongoing Relevance—Management aligns objectives and updates, online confirmations
the pursuit of objectives. incentives and rewards with the of completed employee performance
fulfillment of internal control reviews, and the entity’s employee
responsibilities in the achievement of performance policy and procedures to
objectives. determine Management aligned incentives
and rewards with the fulfillment of internal
control responsibilities in the achievement of
objectives.

Considers Excessive Pressures— Inspected board of directors meeting No exceptions

Management and the board of directors minutes, Management communications to noted.
evaluate and adjust pressures associated personnel regarding employee governance
with the achievement of objectives as objectives and updates, online confirmations
they assign responsibilities, develop of completed employee performance
performance measures, and evaluate reviews, and the entity’s employee
performance. performance policy and procedures to
determine Management and the board of
directors evaluated and adjusted pressures
associated with the achievement of
objectives as they assigned responsibilities,
developed performance measures, and
evaluated performance.

Matillion Limited | SOC 2 Type 2 46

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Environment (Continued)
REF #
CC1.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC1.5 COSO Principle 5: The entity holds Evaluates Performance and Rewards or Inspected Management communications to No exceptions
(Cont.) individuals accountable for their Disciplines Individuals—Management and personnel regarding employee governance noted.
internal control responsibilities in the board of directors evaluate objectives and updates, online confirmations
the pursuit of objectives. performance of internal control of completed employee performance
responsibilities, including adherence to reviews, the entity’s employee performance
standards of conduct and expected levels policy and procedures, the most current
of competence, and provide rewards or progressive disciplinary policy and
exercise disciplinary action, as procedures, and a documented formal
appropriate. disciplinary meeting to determine
Management evaluated performance of
internal control responsibilities, including
adherence to standards of conduct and
expected levels of competence and exercised
disciplinary action, when appropriate.

Matillion Limited | SOC 2 Type 2 47

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC2.1 COSO Principle 13: The entity Identifies Information Requirements—A Inspected the most current employee No exceptions
obtains or generates and uses process is in place to identify the handbook, documented new hire onboarding noted.
relevant, quality information to information required and expected to and orientation procedures, the entity’s
support the functioning of internal support the functioning of the other online repository of company policies and
control. components of internal control and the procedures, completed compliance and
achievement of the entity's objectives. departmental training recordkeeping, and the
entity's risk management program (i.e.,
ongoing risk assessments, risk ratings, and
risk mitigation activities) to determine
processes were in place to identify
information required and expected to
support the system’s functioning of internal
control and the achievement of the entity's
objectives.

Captures Internal and External Sources of Observed via walkthrough procedures, the No exceptions
Data—Information systems capture entity’s production application monitoring noted.
internal and external sources of data. software consoles and performance
indicators to determine information systems
captured internal and external sources of
data.

Matillion Limited | SOC 2 Type 2 48

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC2.1 COSO Principle 13: The entity Processes Relevant Data Into Observed via walkthrough procedures, the No exceptions
(Cont.) obtains or generates and uses Information—Information systems entity’s production application monitoring noted.
relevant, quality information to process and transform relevant data into software consoles, performance indicators,
support the functioning of internal information. and system generated event and error
control. logging and notifications to determine
information systems processed and
transformed relevant data into information.

Maintains Quality Throughout Observed via walkthrough procedures, the No exceptions

Processing—Information systems produce entity’s production application monitoring noted.
information that is timely, current, software consoles, performance indicators,
accurate, complete, accessible, protected, system generated event and error logging
verifiable, and retained. Information is and notifications, and the entity’s error
reviewed to assess its relevance in handling, logging, and monitoring procedures
supporting the internal control to determine information systems
components. maintained quality throughout processing
and information was reviewed to assess its
relevance in supporting the internal control
components.

Matillion Limited | SOC 2 Type 2 49

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria:

CC2.1 COSO Principle 13: The entity Documents Data Flow—The entity Inspected the entity’s most current platform No exceptions
(Cont.) obtains or generates and uses documents and uses internal and external logical data flow diagram, along with the noted.
relevant, quality information to information and data flows to support the most current software development lifecycle
support the functioning of internal design and operation of controls. policy and procedures, to determine the
control. entity documented and used internal and
external information and data flows to
support the design and operation of controls.

Manages Assets—The entity identifies, Inspected the most current IT asset inventory No exceptions
documents, and maintains records of register to determine the entity maintained noted.
system components such as records of system components and
infrastructure, software, and other information assets.
information assets. Information assets
include physical endpoint devices and
systems, virtual systems, data and data
flows, external information systems, and
organizational roles.

Classifies Information—The entity Inspected the most current IT asset inventory No exceptions
classifies information by its relevant register, the most current data classification noted.
characteristics (for example, personally and handling policy and procedures, and the
identifiable information, confidential entity’s risk management program to
customer information, and intellectual determine the entity classified information to
property) to support identification of support identification of threats to the
threats to the information and the design information and the design and operation of
and operation of controls. controls.

Matillion Limited | SOC 2 Type 2 50

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria (continued):

CC2.1 COSO Principle 13: The entity Uses Information That Is Complete and Observed via walkthrough procedures, the No exceptions
(Cont.) obtains or generates and uses Accurate—The entity uses information entity’s production application monitoring noted.
relevant, quality information to and reports that are complete, accurate, software consoles, performance indicators,
support the functioning of internal current, and valid in the operation of and system generated event and error
control. controls. logging and notifications to determine the
entity used information that was complete,
accurate, current, and valid in the operation
of controls.

Manages the Location of Assets—The Inspected the most current IT asset inventory No exceptions
entity identifies, documents, and register to determine the entity maintained noted.
maintains records of physical location and records of physical location and custody of
custody of information assets, particularly information assets and accounted for
for those stored outside the physical information assets stored outside the entity’s
security control of the entity (for example, environment.
software and data stored on vendor
devices or employee mobile phones under Informed by Management the entity did not
a bring-your- own-device policy). maintain assets outside the entity’s
environment during the period under review.

Matillion Limited | SOC 2 Type 2 51

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC2.2 COSO Principle 14: The entity Communicates Internal Control Inspected the most current employee No exceptions
internally communicates Information—A process is in place to handbook, documented new hire onboarding noted.
information, including objectives communicate required information to and orientation procedures, the entity’s
and responsibilities for internal enable all personnel to understand and online repository of company policies and
control, necessary to support the carry out their internal control procedures, completed compliance and
functioning of internal control. responsibilities. departmental training recordkeeping, and the
entity's risk management program to
determine a process was in place to
communicate required information to enable
personnel to understand and carry out their
internal control responsibilities.

Communicates with the Board of Inspected board meeting minutes to No exceptions

Directors—Communication exists determine communications existed between noted.
between Management and the board of Management and the board of directors so all
directors so that both have information had information needed to fulfill their roles
needed to fulfill their roles with respect to and meet the entity’s objectives.
the entity’s objectives.

Provides Separate Communication Lines— Inspected the entity’s whistleblower No exceptions

Separate communication channels, such reporting and communication mechanism to noted.
as whistle-blower hotlines, are in place determine a separate communication
and serve as fail-safe mechanisms to channel existed as a fail-safe mechanism to
enable anonymous or confidential enable anonymous and confidential
communication when normal channels communication.
are inoperative or ineffective.

Matillion Limited | SOC 2 Type 2 52

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC2.2 COSO Principle 14: The entity Selects Relevant Method of Inspected Management communications to No exceptions
(Cont.) internally communicates Communication—The method of personnel regarding employee and corporate noted.
information, including objectives communication considers the timing, governance, financial, business, operational,
and responsibilities for internal audience, and nature of the information. IT, and cyber security objectives and updates;
control, necessary to support the online repository of company policies and
functioning of internal control. procedures, the entity’s internal messaging
platform and communication channels, and
company and product updates
communicated to personnel to determine
communications considered the timing,
audience, and the nature of the information.

Additional points of focus specifically related to all engagements using the trust services criteria:

Communicates Responsibilities—Entity Inspected the most current employee No exceptions

personnel with responsibility for handbook, documented new hire onboarding noted.
designing, developing, implementing, and orientation procedures, online
operating, maintaining, or monitoring confirmations of completed employee
system controls receive communications performance reviews, the entity’s online
about their responsibilities, including repository of company policies and
changes in their responsibilities, and have procedures, completed compliance and
the information necessary to carry out departmental training recordkeeping, and the
those responsibilities. entity's risk management program to
determine personnel received
communications about their responsibilities
and had information to carry out those
responsibilities.

Matillion Limited | SOC 2 Type 2 53

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria (continued):

CC2.2 COSO Principle 14: The entity Communicates Information on Reporting Inspected the entity’s whistleblower No exceptions
(Cont.) internally communicates Failures, Incidents, Concerns, and Other reporting and communication mechanism, noted.
information, including objectives Matters—Entity personnel are provided along with the most current incident
and responsibilities for internal with information on how to report response policy and procedures, to
control, necessary to support the systems failures, incidents, concerns, and determine personnel were provided with
functioning of internal control. other complaints to personnel. information on how to report systems
failures, incidents, concerns, and other
complaints.

Communicates Objectives and Changes to Inspected Management communications to No exceptions

Objectives—The entity communicates its personnel regarding employee and corporate noted.
objectives and changes to those governance, financial, business, operational,
objectives to personnel in a timely IT, and cyber security objectives and updates;
manner. the entity's risk management program,
completed compliance and departmental
training recordkeeping, online repository of
company policies and procedures, the
entity’s internal messaging platform and
communication channels, and company and
product updates communicated to personnel
to determine objectives were communicated
in a timely manner.

Matillion Limited | SOC 2 Type 2 54

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria (continued):

CC2.2 COSO Principle 14: The entity Communicates Information to Improve For the selection of active employees, No exceptions
(Cont.) internally communicates Security Knowledge and Awareness—The inspected security awareness training course noted.
information, including objectives entity communicates information to completion reporting to determine the entity
and responsibilities for internal improve security knowledge and communicated information to improve
control, necessary to support the awareness and to model appropriate security knowledge and awareness through a
functioning of internal control. security behaviors to personnel through a security awareness training program.
security awareness training program.

Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:

Communicates Information About System Inspected Management communications to No exceptions

Operation and Boundaries—The entity personnel regarding employee and corporate noted.
prepares and communicates information governance, financial, business, operational,
about the design and operation of the IT, and cyber security objectives and updates;
system and its boundaries to authorized the entity's risk management program,
personnel to enable them to understand completed compliance and departmental
their role in the system and the results of training recordkeeping, online repository of
system operation. company policies and procedures, the
entity’s internal messaging platform and
communication channels, and company and
product updates communicated to personnel
to determine the entity prepared and
communicated information about the design
and operation of the system to authorized
personnel.

Matillion Limited | SOC 2 Type 2 55

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level (continued):

CC2.2 COSO Principle 14: The entity Communicates System Objectives—The Inspected Management communications to No exceptions
(Cont.) internally communicates entity communicates its objectives to personnel regarding employee and corporate noted.
information, including objectives personnel to enable them to carry out governance, financial, business, operational,
and responsibilities for internal their responsibilities. IT, and cyber security objectives and updates;
control, necessary to support the the entity's risk management program,
functioning of internal control. completed compliance and departmental
training recordkeeping, online repository of
company policies and procedures, the
entity’s internal messaging platform and
communication channels, and company and
product updates communicated to personnel
to determine the entity communicated
objectives to personnel.

Communicates System Changes—System Inspected Management communications to No exceptions

changes that affect responsibilities or the personnel regarding employee and corporate noted.
achievement of the entity's objectives are governance, financial, business, operational,
communicated in a timely manner. IT, and cyber security objectives and updates;
the entity's risk management program,
completed compliance and departmental
training recordkeeping, online repository of
company policies and procedures, the
entity’s internal messaging platform and
communication channels, and company and
product updates communicated to personnel
to determine system changes that affected
responsibilities were communicated in a
timely manner.

Matillion Limited | SOC 2 Type 2 56

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC2.3 COSO Principle 15: The entity Communicates to External Parties— Inspected the online description of services, No exceptions
communicates with external parties Processes are in place to communicate support and knowledge base user interfaces, noted.
regarding matters affecting the relevant and timely information to term and conditions and service agreements,
functioning of internal control. external parties, including shareholders, release notes, and user community
partners, owners, regulators, customers, interactions to determine processes were in
financial analysts, and other external place to communicate relevant and timely
parties. information to external stakeholders.

Enables Inbound Communications—Open Inspected the online support and knowledge No exceptions
communication channels allow input from base user interfaces and user community noted.
customers, consumers, suppliers, external interactions to determine communication
auditors, regulators, financial analysts, channels allowed input from external entities
and others, providing Management and for providing Management with relevant
the board of directors with relevant information.
information.

Communicates with the Board of Inspected board meeting minutes, along with No exceptions
Directors—Relevant information resulting the entity's risk management program, to noted.
from assessments conducted by external determine relevant information from
parties is communicated to the board of assessments by external entities was
directors and the Management Team. communicated to the board of directors and
Management.

Matillion Limited | SOC 2 Type 2 57

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC2.3 COSO Principle 15: The entity Provides Separate Communication Lines— Inspected the online support and knowledge No exceptions
(Cont.) communicates with external parties Separate communication channels, such base user interfaces and user community noted.
regarding matters affecting the as whistle-blower hotlines, are in place interactions, to determine separate
functioning of internal control. and serve as fail-safe mechanisms to communication channels were in place to
enable anonymous or confidential enable anonymous and confidential
communication when normal channels communication.
are inoperative or ineffective.

Selects Relevant Method of Inspected the online description of services, No exceptions

Communication—The method of support and knowledge base user interfaces, noted.
communication considers the timing, term and conditions and service agreements,
audience, and nature of the release notes, and user community
communication and legal, regulatory, and interactions to determine communications
fiduciary requirements and expectations. considered the timing, audience, and nature
of the communication and legal, regulatory,
and fiduciary requirements and expectations.

Matillion Limited | SOC 2 Type 2 58

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level:

CC2.3 COSO Principle 15: The entity Communicates Information About System Inspected executed vendor and client No exceptions
(Cont.) communicates with external parties Operation and Boundaries—The entity agreements; and inspected the online noted.
regarding matters affecting the prepares and communicates information description of services, support and
functioning of internal control. about the design and operation of the knowledge base user interfaces, term and
system and its boundaries to authorized conditions and service agreements, release
external users to permit users to notes, and user community interactions to
understand their role in the system and determine the entity prepared and
the results of system operation. communicated information about the design
and operation of the system and its
boundaries to authorized external users.

Communicates System Objectives—The Inspected executed vendor and client No exceptions

entity communicates its system objectives agreements; and inspected the online noted.
to appropriate external users. description of services, support and
knowledge base user interfaces, term and
conditions and service agreements, release
notes, and user community interactions to
determine system objectives were
communicated to appropriate external users.

Matillion Limited | SOC 2 Type 2 59

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Information and Communication (Continued)
REF #

CC2.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus that apply only when an engagement using the trust services criteria is performed at the system level (continued):

CC2.3 COSO Principle 15: The entity Communicates System Responsibilities— Inspected executed vendor and client No exceptions
(Cont.) communicates with external parties External users with responsibility for agreements; and inspected the online noted.
regarding matters affecting the designing, developing, implementing, description of services, support and
functioning of internal control. operating, maintaining, and monitoring knowledge base user interfaces, term and
system controls receive communications conditions and service agreements, release
about their responsibilities and have the notes, and user community interactions to
information necessary to carry out those determine external users received
responsibilities. communications about their responsibilities
and were provided information to carry out
those responsibilities.

Communicates Information on Reporting Inspected executed vendor and client No exceptions

System Failures, Incidents, Concerns, and agreements; and inspected the online noted.
Other Matters—External users are description of services, support and
provided with information on how to knowledge base user interfaces, term and
report systems failures, incidents, conditions and service agreements, release
concerns, and other complaints to notes, and user community interactions to
appropriate personnel. determine external users were provided
information on how to report failures, issues,
and concerns to appropriate personnel.

Matillion Limited | SOC 2 Type 2 60

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.1 COSO Principle 6: The entity Reflects Management's Choices— Inspected Management communications to No exceptions
specifies objectives with sufficient Operations objectives reflect personnel regarding operational and cyber noted.
clarity to enable the identification Management's choices about structure, security objectives and updates, along with
and assessment of risks relating to industry considerations, and performance the entity's risk management program (i.e.,
objectives. of the entity. ongoing risk assessments, risk ratings, and
risk mitigation activities), to determine
operations objectives reflected
Management’s structure and performance
posture.

Considers Tolerances for Risk— Inspected Management communications to No exceptions

Management considers the acceptable personnel regarding operational and cyber noted.
levels of variation relative to the security objectives and updates, along with
achievement of operations objectives. the entity's risk management program to
determine Management considered
acceptable levels of variation relative to the
achievement of operational objectives.

Includes Operations and Financial Inspected board of directors meeting No exceptions

Performance Goals—The organization minutes, along with Management noted.
reflects the desired level of operations communications to personnel regarding
and financial performance for the entity financial, business, operational, and cyber
within operations objectives. security objectives and updates, to determine
the organization reflected operational and
financial performance within operations
objectives.

Matillion Limited | SOC 2 Type 2 61

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.1 COSO Principle 6: The entity Forms a Basis for Committing of Inspected board of directors meeting No exceptions
(Cont.) specifies objectives with sufficient Resources—Management uses operations minutes, Management communications to noted.
clarity to enable the identification objectives as a basis for allocating personnel regarding financial, business,
and assessment of risks relating to resources needed to attain desired operational, and cyber security objectives
objectives. operations and financial performance. and updates; and the entity's risk
management program to determine
Management used a formal process for
meeting operational and business objectives.

Complies with Externally Established Inspected executed vendor and client No exceptions
Frameworks—Management establishes agreements, the most current employee noted.
objectives consistent with laws and handbook, the most current Payment Card
regulations or standards and frameworks Industry Data Security Standard (PCI DSS)
of recognized external organizations. attestation of compliance, and the most
current ISO 27001 certification to determine
Management established objectives
consistent with laws and regulations,
standards, and frameworks of recognized
external organizations.

Matillion Limited | SOC 2 Type 2 62

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.1 COSO Principle 6: The entity Considers the Required Level of Inspected executed vendor and client No exceptions
(Cont.) specifies objectives with sufficient Precision—Management reflects the agreements, the most current PCI DSS noted.
clarity to enable the identification required level of precision and accuracy attestation of compliance, and the most
and assessment of risks relating to suitable for user needs and based on current ISO 27001 certification to determine
objectives. criteria established by third parties in Management reflected the required level of
nonfinancial reporting. precision and accuracy suitable for user
needs and was based on criteria established
by third parties in nonfinancial reporting.

Reflects Entity Activities—External Observed via walkthrough procedures, the No exceptions

reporting reflects the underlying entity’s production application monitoring noted.
transactions and events within a range of software consoles, performance indicators,
acceptable limits. and system generated event and error
logging and notifications; and inspected the
entity’s online release notes, the most
current PCI DSS attestation of compliance,
and the most current ISO 27001 certification
to determine external reporting reflected
underlying transactions and events within
acceptable limits.

Matillion Limited | SOC 2 Type 2 63

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.1 COSO Principle 6: The entity Reflects Management's Choices—Internal Inspected board of directors meeting No exceptions
(Cont.) specifies objectives with sufficient reporting provides Management with minutes, Management communications to noted.
clarity to enable the identification accurate and complete information personnel regarding employee and corporate
and assessment of risks relating to regarding Management's choices and governance, financial, business, operational,
objectives. information needed in managing the IT, and cyber security objectives and updates;
entity. the entity's risk management program,
completed compliance and departmental
training recordkeeping, and completed
vulnerability assessments including closed
remediation tickets to determine internal
reporting provided Management with
accurate and complete information needed in
managing the entity.

Considers the Required Level of Inspected board of directors meeting No exceptions

Precision—Management reflects the minutes, Management communications to noted.
required level of precision and accuracy personnel regarding financial, business,
suitable for user needs in nonfinancial operational, IT, and cyber security objectives
reporting objectives and materiality and updates; the entity's risk management
within financial reporting objectives. program, and completed vulnerability
assessments including closed remediation
tickets to determine Management reflected
the required level of precision and accuracy
suitable for nonfinancial reporting objectives
and materiality within financial reporting
objectives.

Matillion Limited | SOC 2 Type 2 64

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.1 COSO Principle 6: The entity Reflects Entity Activities—Internal Inspected board of directors meeting No exceptions
(Cont.) specifies objectives with sufficient reporting reflects the underlying minutes, Management communications to noted.
clarity to enable the identification transactions and events within a range of personnel regarding employee and corporate
and assessment of risks relating to acceptable limits. governance, financial, business, operational,
objectives. IT, and cyber security objectives and updates;
the entity's risk management program,
completed compliance and departmental
training recordkeeping, and completed
vulnerability assessments including closed
remediation tickets to determine internal
reporting reflected the underlying
transactions and events within a range of
acceptable limits.

Reflects External Laws and Regulations— Inspected the most current employee No exceptions
Laws and regulations establish minimum handbook including the ethical conduct noted.
standards of conduct, which the entity policy, along with the most current employee
integrates into compliance objectives. confidentiality and non-competition
agreement; and for the selection of new
employees, inspected signed
acknowledgements of the employee
handbook including the conduct policy to
determine the entity established minimum
standards of conduct in its compliance
objectives.

Matillion Limited | SOC 2 Type 2 65

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.1 COSO Principle 6: The entity Considers Tolerances for Risk— Inspected board of directors meeting No exceptions
(Cont.) specifies objectives with sufficient Management considers the acceptable minutes, Management communications to noted.
clarity to enable the identification levels of variation relative to the personnel regarding operational, IT, and
and assessment of risks relating to achievement of operations objectives. cyber security objectives and updates; and
objectives. the entity's risk management program to
determine Management considered
acceptable levels of variation for the
achievement of operations objectives.

Additional point of focus specifically related to all engagements using the trust services criteria:

Establishes Sub-Objectives for Risk Inspected board of directors meeting No exceptions

Assessment—Management identifies sub- minutes, Management communications to noted.
objectives for use in risk assessment personnel regarding operational, IT, and
related to security to support the cyber security objectives and updates; and
achievement of the entity’s objectives. the entity's risk management program to
determine Management identified sub-
objectives for use in risk assessment related
to security to support the achievement of the
entity’s objectives.

Matillion Limited | SOC 2 Type 2 66

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.2 COSO Principle 7: The entity Includes Entity, Subsidiary, Division, Inspected Management communications to No exceptions
identifies risks to the achievement Operating Unit, and Functional Levels— personnel regarding employee and corporate noted.
of its objectives across the entity The entity identifies and assesses risk at governance, financial, business, operational,
and analyzes risks as a basis for the entity, subsidiary, division, operating IT, and cyber security objectives and updates;
determining how the risks should unit, and functional levels relevant to the along with the entity's risk management
be managed. achievement of objectives. program, to determine the entity identified
and assessed risks throughout the
organization with respect to the achievement
of objectives.

Analyzes Internal and External Factors— Inspected Management communications to No exceptions

Risk identification considers both internal personnel regarding employee and corporate noted.
and external factors and their impact on governance, financial, business, operational,
the achievement of objectives. IT, and cyber security objectives and updates;
along with the entity's risk management
program, to determine Management
considered both internal and external factors
and their impact on the achievement of
objectives.

Involves Appropriate Levels of Inspected Management communications to No exceptions

Management—The entity puts into place personnel regarding employee and corporate noted.
effective risk assessment mechanisms governance, financial, business, operational,
that involve appropriate levels of IT, and cyber security objectives and updates;
Management. along with the entity's risk management
program, to determine the entity had
effective risk assessment mechanisms that
involved appropriate levels of Management.

Matillion Limited | SOC 2 Type 2 67

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.2 COSO Principle 7: The entity Estimates Significance of Risks Inspected the entity's risk management No exceptions
(Cont.) identifies risks to the achievement Identified—Identified risks are analyzed program to determine identified risks were noted.
of its objectives across the entity through a process that includes analyzed which included estimating the
and analyzes risks as a basis for estimating the potential significance of potential significance of the risks.
determining how the risks should the risk.
be managed.
Determines How to Respond to Risks— Inspected the entity's risk management No exceptions
Risk assessment includes considering how program, along with completed vulnerability noted.
the risk should be managed and whether assessments including closed remediation
to accept, avoid, reduce, or share the risk. tickets, to determine Management
considered how to manage risks with respect
to mitigation strategies.

Additional points of focus specifically related to all engagements using the trust services criteria:

Identifies Threats to Objectives—The Inspected the entity's risk management No exceptions

entity identifies threats to the program, the most current physical and noted.
achievement of its objectives from environmental security policy and
intentional (including malicious) and procedures, and the most current SOC
unintentional acts and environmental reports of the entity’s subservice
events. organizations to determine the entity
identified threats to the achievement of
objectives from intentional and unintentional
acts and environmental events.

Matillion Limited | SOC 2 Type 2 68

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria (continued):

CC3.2 COSO Principle 7: The entity Identifies Vulnerability of System Inspected the entity's risk management No exceptions
(Cont.) identifies risks to the achievement Components—The entity identifies the program, online support knowledge base and noted.
of its objectives across the entity vulnerabilities of system components, release notes, and completed vulnerability
and analyzes risks as a basis for including system processes, assessments including closed remediation
determining how the risks should infrastructure, software, and other tickets to determine the entity identified
be managed. information assets. vulnerabilities of system components, system
processing, infrastructure, and software.

Analyzes Threats and Vulnerabilities from Inspected executed vendor and client No exceptions
Vendors, Business Partners, and Other agreements, the entity's risk management noted.
Parties—The entity's risk assessment program, and the most current SOC reports
process includes the analysis of potential of the entity’s subservice organizations to
threats and vulnerabilities arising from determine the entity’s risk assessment
vendors providing goods and services, as process included analysis of potential threats
well as threats and vulnerabilities arising from vendors, contractors, and business
from business partners, customers, and partners with respect to third party access to
others with access to the entity's the entity’s information systems.
information systems.

Matillion Limited | SOC 2 Type 2 69

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria (continued):

CC3.2 COSO Principle 7: The entity Assesses the Significance of the Risks— Inspected the entity's risk management No exceptions
(Cont.) identifies risks to the achievement The entity assesses the significance of the program and conducted corroborative inquiry noted.
of its objectives across the entity identified risks, including (1) determining of governance, risk, and compliance (GRC)
and analyzes risks as a basis for the criticality of system components, Management to determine the entity
determining how the risks should including information assets, in achieving assessed the significance of the identified
be managed. the objectives; (2) assessing the risks including criticality of the system
susceptibility of the identified components achieving objectives,
vulnerabilities to the identified threats (3) vulnerabilities to identified threats, likelihood
assessing the likelihood of the identified of identified risks, magnitude of effects of
risks (4) assessing the magnitude of the potential risks, risk mitigation strategies, and
effect of potential risks to the appropriateness of residual risk.
achievement of the objectives; (5)
considering the potential effects of
unidentified threats and vulnerabilities on
the assessed risks; (6) developing risk
mitigation strategies to address the
assessed risks; and (7) evaluating the
appropriateness of residual risk (including
whether to accept, reduce, or share such
risks).

Matillion Limited | SOC 2 Type 2 70

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.3 COSO Principle 8: The entity Considers Various Types of Fraud—The Inspected the most current employee No exceptions
considers the potential for fraud in assessment of fraud considers fraudulent handbook and acceptable use policies, the noted.
assessing risks to the achievement reporting, possible loss of assets, and entity's risk management program, and the
of objectives. corruption resulting from the various most current IT asset inventory register to
ways that fraud and misconduct can determine fraud was considered as part of
occur. risk management objectives.

Assesses Incentives and Pressures—The Inspected the most current employee No exceptions
assessment of fraud risks considers handbook and acceptable use policies, the noted.
incentives and pressures. entity's risk management program, and the
most current IT asset inventory register to
determine aspects of fraud were identified as
risk objectives.

Assesses Opportunities—The assessment Inspected the entity’s IT procurement No exceptions

of fraud risk considers opportunities for process and enterprise software application, noted.
unauthorized acquisition, use, or disposal most current employee handbook and
of assets, altering the entity’s reporting acceptable use policies, the entity's risk
records, or committing other management program, and the most current
inappropriate acts. asset management policy and procedures to
determine fraudulent opportunities for
unauthorized acquisition, use, and disposal of
assets were considered with respect to
altering reporting and other inappropriate
acts.

Matillion Limited | SOC 2 Type 2 71

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.3 COSO Principle 8: The entity Assesses Attitudes and Rationalizations— Inspected Management communications to No exceptions
(Cont.) considers the potential for fraud in The assessment of fraud risk considers personnel regarding employee and corporate noted.
assessing risks to the achievement how Management and other personnel governance objectives and updates, the most
of objectives. might engage in or justify inappropriate current employee handbook and acceptable
actions. use policies, and the entity's risk
management program to determine the
assessment of fraud risk considered how
Management and other personnel might
engage in inappropriate actions.

Additional point of focus specifically related to all engagements using the trust services criteria:

Considers the Risks Related to the Use of Inspected the entity’s IT procurement No exceptions
IT and Access to Information—The process and enterprise software application, noted.
assessment of fraud risks includes the most current employee handbook and
consideration of threats and acceptable use policies, the entity's risk
vulnerabilities that arise specifically from management program, and the most current
the use of IT and access to information. information security and asset management
policies and procedures to determine an
assessment of fraud risk included
consideration of threats and vulnerabilities
from the use of IT and access to information.

Matillion Limited | SOC 2 Type 2 72

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC3.4 COSO Principle 9: The entity Assesses Changes in the External Inspected the entity's risk management No exceptions
identifies and assesses changes that Environment—The risk identification program, along with the most current noted.
could significantly impact the process considers changes to the physical and environmental security policy
system of internal control. regulatory, economic, and physical and procedures, to determine the risk
environment in which the entity operates. assessment considered changes to external
factors and the entity’s physical environment.

Assesses Changes in the Business Model— Inspected board meeting minutes, No exceptions
The entity considers the potential impacts Management communications to personnel noted.
of new business lines, dramatically altered regarding financial, business, and operational
compositions of existing business lines, objectives and updates to determine the
acquired or divested business operations entity considered potential impacts to the
on the system of internal control, rapid business with respect to lines of business and
growth, changing reliance on foreign business operations.
geographies, and new technologies.

Assesses Changes in Leadership—The Inspected board meeting minutes, along with No exceptions
entity considers changes in Management Management meeting minutes regarding noted.
and respective attitudes and philosophies organizational structure reviewed, to
on the system of internal control. determine the entity considered material
changes in Management and respective
attitudes and philosophies on the system of
internal control.

Matillion Limited | SOC 2 Type 2 73

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria:

CC3.4 COSO Principle 9: The entity Assesses Changes in Systems and Inspected board meeting minutes, No exceptions
(Cont.) identifies and assesses changes that Technology—The risk identification Management communications to personnel noted.
could significantly impact the process considers changes arising from regarding operational, IT, and cyber security
system of internal control. changes in the entity’s systems and objectives and updates; along with the
changes in the technology environment. entity's risk management program to
determine the risk assessment process
considered changes with respect to the
entity’s systems and changes to the
technology environment.

Assesses Changes in Vendor and Business Inspected board meeting minutes, No exceptions
Partner Relationships—The risk Management communications to personnel noted.
identification process considers changes regarding business, operational, IT, and cyber
in vendor and business partner security objectives and updates; executed
relationships. vendor and client agreements, the entity's
risk management program, and the most
current SOC reports of the entity’s subservice
organizations to determine the risk
assessment process considered changes in
vendor and business partner relationships.

Matillion Limited | SOC 2 Type 2 74

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Assessment (Continued)
REF #

CC3.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional points of focus specifically related to all engagements using the trust services criteria (continued):

CC3.4 COSO Principle 9: The entity Assesses Changes in Threats and Inspected Management communications to No exceptions
(Cont.) identifies and assesses changes that Vulnerabilities—The risk identification personnel regarding operational, IT, and noted.
could significantly impact the process assesses changes in (1) internal cyber security objectives and updates; the
system of internal control. and external threats to and vulnerabilities entity's risk management program, and
of the components of the entity’s systems completed vulnerability assessments
and (2) the likelihood and magnitude of including closed remediation tickets to
the resultant risks to the achievement of determine the risk identification process
the entity’s objectives. assessed changes in internal and external
threats and vulnerabilities of system
components and the likelihood and
magnitude of risks to the achievement of
objectives.

Matillion Limited | SOC 2 Type 2 75

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Monitoring Activities
REF #

CC4.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC4.1 COSO Principle 16: The entity Considers a Mix of Ongoing and Separate Inspected board of directors meeting No exceptions
selects, develops, and performs Evaluations—Management includes a minutes, Management communications to noted.
ongoing and/or separate balance of ongoing and separate personnel regarding employee and corporate
evaluations to ascertain whether evaluations. governance, financial, business, operational,
the components of internal control IT, and cyber security objectives and updates;
are present and functioning. the entity's risk management program (i.e.,
ongoing risk assessments, risk ratings, and
risk mitigation activities), completed
vulnerability assessments including closed
remediation tickets, the most current PCI DSS
attestation of compliance, and the most
current ISO 27001 certification to determine
Management included a balance of ongoing
and separate evaluations.

Considers Rate of Change—Management Inspected board of directors meeting No exceptions

considers the rate of change in business minutes, Management communications to noted.
and business processes when selecting personnel regarding business and operational
and developing ongoing and separate objectives and updates, and completed
evaluations. compliance and departmental training
recordkeeping to determine Management
considered the rate of change in business
processes.

Matillion Limited | SOC 2 Type 2 76

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Monitoring Activities (Continued)
REF #

CC4.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC4.1 COSO Principle 16: The entity Establishes Baseline Understanding—The Inspected board of directors meeting No exceptions
(Cont.) selects, develops, and performs design and current state of an internal minutes, Management communications to noted.
ongoing and/or separate control system are used to establish a personnel regarding employee and corporate
evaluations to ascertain whether baseline for ongoing and separate governance, financial, business, operational,
the components of internal control evaluations. IT, and cyber security objectives and updates;
are present and functioning. the entity's risk management program,
completed vulnerability assessments
including closed remediation tickets, the
most current PCI DSS attestation of
compliance, and the most current ISO 27001
certification to determine the design and
current state of the internal control system
was used to establish a baseline for system
evaluations.

Uses Knowledgeable Personnel— Observed via walkthrough procedures, the No exceptions

Evaluators performing ongoing and entity’s system monitoring, IaaS and cloud noted.
separate evaluations have sufficient and cyber security, threat detection /
knowledge to understand what is being prevention, endpoint protection, and backup
evaluated. and restore software consoles and system
administration procedures to determine
system evaluators had sufficient knowledge
to understand what was being evaluated.

Matillion Limited | SOC 2 Type 2 77

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Monitoring Activities (Continued)
REF #

CC4.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC4.1 COSO Principle 16: The entity Integrates with Business Processes— Inspected Management communications to No exceptions
(Cont.) selects, develops, and performs Ongoing evaluations are built into the personnel regarding employee and corporate noted.
ongoing and/or separate business processes and adjust to changing governance, financial, business, operational,
evaluations to ascertain whether conditions. IT, and cyber security objectives and updates;
the components of internal control along with the entity's risk management
are present and functioning. program, to determine ongoing evaluations
were built into processes with respect to
adjustments to changing conditions.

Adjusts Scope and Frequency— Inspected Management communications to No exceptions

Management varies the scope and personnel regarding employee and corporate noted.
frequency of separate evaluations governance, financial, business, operational,
depending on risk. IT, and cyber security objectives and updates;
along with the entity's risk management
program, to determine Management
monitored the scope and frequency of
separate evaluations depending on risk.

Objectively Evaluates—Separate Inspected completed vulnerability No exceptions

evaluations are performed periodically to assessments including closed remediation noted.
provide objective feedback. tickets, the most current PCI DSS attestation
of compliance, and the most current ISO
27001 certification to determine separate
evaluations were performed periodically for
objective feedback.

Matillion Limited | SOC 2 Type 2 78

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Monitoring Activities (Continued)
REF #

CC4.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus
Additional point of focus specifically related to all engagements using the trust services criteria:

CC4.1 COSO Principle 16: The entity Considers Different Types of Ongoing and Inspected the entity’s risk management No exceptions
(Cont.) selects, develops, and performs Separate Evaluations—Management uses program, completed vulnerability noted.
ongoing and/or separate a variety of different types of ongoing and assessments including closed remediation
evaluations to ascertain whether separate evaluations, including tickets, the most current PCI DSS attestation
the components of internal control penetration testing, independent of compliance, the most current ISO 27001
are present and functioning. certification made against established certification, and completed penetration
specifications (for example, ISO testing reports for production applications to
certifications), and internal audit determine Management used various types
assessments. of ongoing and separate evaluations and
internal audit assessments.

Matillion Limited | SOC 2 Type 2 79

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Monitoring Activities (Continued)
REF #

CC4.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC4.2 COSO Principle 17: The entity Assesses Results—Management and the Inspected board meeting minutes, No exceptions
evaluates and communicates board of directors, as appropriate, assess Management communications to personnel noted.
internal control deficiencies in a results of ongoing and separate regarding employee and corporate
timely manner to those parties evaluations. governance, financial, business, operational,
responsible for taking corrective IT, and cyber security objectives and updates;
action, including senior and the entity's risk management program to
management and the board of determine Management assessed results of
directors, as appropriate. ongoing and separate evaluations.

Communicates Deficiencies—Deficiencies Inspected completed vulnerability No exceptions

are communicated to parties responsible assessments including closed remediation noted.
for taking corrective action and to Senior tickets, along with the lifecycle of completed
Management and the board of directors, infrastructure change requests in the
as appropriate. ticketing and project management software,
to determine deficiencies were
communicated to parties responsible for
taking corrective action and to Senior
Management.

Monitors Corrective Action— Inspected completed vulnerability No exceptions

Management tracks whether deficiencies assessments including closed remediation noted.
are remedied on a timely basis. tickets, along with the lifecycle of completed
infrastructure change requests in the
ticketing and project management software,
to determine Management tracked
deficiencies remediation on a timely basis.

Matillion Limited | SOC 2 Type 2 80

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Control Activities
REF #

CC5.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC5.1 COSO Principle 10: The entity Integrates with Risk Assessment—Control Inspected the entity's risk management No exceptions
selects and develops control activities help ensure that risk responses program (i.e., ongoing risk assessments, risk noted.
activities that contribute to the that address and mitigate risks are carried ratings, and risk mitigation activities),
mitigation of risks to the out. completed vulnerability assessments
achievement of objectives to including closed remediation tickets, and
acceptable levels. business continuity and disaster recovery
procedures and associated results to
determine control activities helped ensure
risk mitigation was carried out.

Considers Entity-Specific Factors— Inspected Management communications to No exceptions

Management considers how the personnel regarding operational, IT, and noted.
environment, complexity, nature, and cyber security objectives and updates; the
scope of its operations, as well as the entity's risk management program, and
specific characteristics of its organization, business continuity and disaster recovery
affect the selection and development of procedures and associated results to
control activities. determine Management considered entity-
specific factors for the selection and
development of control activities.

Matillion Limited | SOC 2 Type 2 81

For the Period Ending July 31, 2024
 ` TRUST SERVICES CRITERIA AND POINTS OF FOCUS
TSC
REF # Control Activities (Continued)

CC5.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC5.1 COSO Principle 10: The entity Determines Relevant Business Inspected board of directors meeting No exceptions
(Cont.) selects and develops control Processes—Management determines minutes, Management communications to noted.
activities that contribute to the which relevant business processes require personnel regarding business, operational, IT,
mitigation of risks to the control activities. and cyber security objectives and updates;
achievement of objectives to the entity's risk management program, and
acceptable levels. business continuity and disaster recovery
procedures and associated results
to determine Management identified
relevant business processes that required
control activities.

Evaluates a Mix of Control Activity Inspected board of directors meeting No exceptions

Types—Control activities include a range minutes, Management communications to noted.
and variety of controls and may include a personnel regarding employee and corporate
balance of approaches to mitigate risks, governance, financial, business, operational,
considering both manual and automated IT, and cyber security objectives and updates;
controls, and preventive and detective the entity's risk management program, and
controls. completed vulnerability assessments
including closed remediation tickets; and
observed via walkthrough procedures, the
entity’s production application monitoring
software consoles and performance
indicators to determine Management
evaluated a mix of control activity types with
respect to risk mitigation.

Matillion Limited | SOC 2 Type 2 82

For the Period Ending July 31, 2024
 ` TRUST SERVICES CRITERIA AND POINTS OF FOCUS
TSC
REF # Control Activities (Continued)

CC5.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC5.1 COSO Principle 10: The entity Considers at What Level Activities Are Inspected board meeting minutes, No exceptions
(Cont.) selects and develops control Applied—Management considers control Management communications to personnel noted.
activities that contribute to the activities at various levels in the entity. regarding employee and corporate
mitigation of risks to the governance, financial, business, operational,
achievement of objectives to IT, and cyber security objectives and updates;
acceptable levels. executed vendor and client agreements, and
the entity's risk management program to
determine Management considered control
activities at various levels in the entity.

Addresses Segregation of Duties— For the selection of new employees, No exceptions

Management segregates incompatible inspected completed new employee access noted.
duties, and where such segregation is not provisioning requests and associated
practical, Management selects and accounts provisioned to determine
develops alternative control activities. Management segregated incompatible duties
with respect to control activities.

Matillion Limited | SOC 2 Type 2 83

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS
TSC
REF # Control Activities (Continued)

CC5.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC5.2 COSO Principle 11: The entity also Determines Dependency Between the Use Inspected board meeting minutes, executed No exceptions
selects and develops general of Technology in Business Processes and vendor and client agreements, Management noted.
control activities over technology to Technology General Controls— communications to personnel regarding
support the achievement of Management understands and financial, business, operational, IT, and cyber
objectives. determines the dependency and linkage security objectives and updates; and the
between business processes, automated entity's risk management program to
control activities, and technology general determine Management considered
controls. dependencies and linkage between business
processes and various control activities.

Establishes Relevant Technology Observed via walkthrough procedures, the No exceptions

Infrastructure Control Activities— entity’s system monitoring, IaaS and cloud noted.
Management selects and develops control and cyber security, threat detection /
activities over the technology prevention, endpoint protection, and backup
infrastructure, which are designed and and restore software consoles and system
implemented to help ensure the administration procedures; along with the
completeness, accuracy, and availability entity’s production application monitoring
of technology processing. software consoles and performance
indicators; and inspected business continuity
and disaster recovery procedures and
associated results to determine Management
developed and implemented control
activities to help ensure complete, accurate,
and available technology processing.

Matillion Limited | SOC 2 Type 2 84

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS
TSC
REF # Control Activities (Continued)

CC5.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC5.2 COSO Principle 11: The entity also Establishes Relevant Security Inspected completed logical access rights No exceptions
(Cont.) selects and develops general Management Process Controls Activities— reviews for the entity’s identity and access noted.
control activities over technology to Management selects and develops control management (IAM) system and enterprise
support the achievement of activities that are designed and applications to determine Management
objectives. implemented to restrict technology access implemented control activities to restrict
rights to authorized users commensurate access rights with respect to appropriateness
with their job responsibilities and to of user job functions and protected assets
protect the entity’s assets from external from external threats.
threats.

Establishes Relevant Technology Inspected Management communications to No exceptions

Acquisition, Development, and personnel regarding operational, IT, and noted.
Maintenance Process Control Activities— cyber security objectives and updates; the
Management selects and develops control entity's risk management program, online
activities over the acquisition, release notes, and lifecycle of completed
development, and maintenance of infrastructure change requests in the
technology and its infrastructure to ticketing and project management software
achieve Management’s objectives. to determine Management implemented
control activities with respect to the
development and maintenance of technology
and infrastructure.

Matillion Limited | SOC 2 Type 2 85

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS
TSC
REF # Control Activities (Continued)

CC5.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC5.3 COSO Principle 12: The entity Establishes Policies and Procedures to Inspected board meeting minutes, executed No exceptions
deploys control activities through Support Deployment of Management‘s vendor and client agreements, Management noted.
policies that establish what is Directives—Management establishes communications to personnel regarding
expected and in procedures that control activities that are built into financial, business, operational, IT, and cyber
put policies into action. business processes and employees’ day- security objectives and updates; the entity's
to-day activities through policies risk management program, completed
establishing what is expected and relevant vulnerability assessments including closed
procedures specifying actions. remediation tickets, lifecycle of completed
infrastructure change requests in the
ticketing and project management software,
and business continuity and disaster recovery
procedures and associated results to
determine Management established control
activities that were built into business
processes establishing what was expected
and procedures specifying actions.

Establishes Responsibility and Inspected Management communications to No exceptions

Accountability for Executing Policies and personnel regarding employee and corporate noted.
Procedures—Management establishes governance, financial, business, operational,
responsibility and accountability for IT, and cyber security objectives and updates;
control activities with Management (or along with the entity's risk management
other designated personnel) of the program, to determine Management
business unit or function in which the established responsibility and accountability
relevant risks reside. for control activities of the business function
in which associated risks resided.

Matillion Limited | SOC 2 Type 2 86

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS
TSC
REF # Control Activities (Continued)

CC5.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC5.3 COSO Principle 12: The entity Performs in a Timely Manner— Inspected the entity's risk management No exceptions
(Cont.) deploys control activities through Responsible personnel perform control program, completed vulnerability noted.
policies that establish what is activities in a timely manner as defined by assessments including closed remediation
expected and in procedures that the policies and procedures. tickets, and the lifecycle of completed
put policies into action. infrastructure change requests in the
ticketing and project management software
to determine responsible personnel
performed control activities in a timely
manner per policy and procedures.

Takes Corrective Action—Responsible Inspected the entity's risk management No exceptions

personnel investigate and act on matters program, completed vulnerability noted.
identified as a result of executing control assessments including closed remediation
activities. tickets, business continuity and disaster
recovery procedures and associated results,
and the lifecycle of completed infrastructure
change requests in the ticketing and project
management software to determine
personnel took action on matters identified
as a result of executing control activities.

Matillion Limited | SOC 2 Type 2 87

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS
TSC
REF # Control Activities (Continued)

CC5.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC5.3 COSO Principle 12: The entity Performs Using Competent Personnel— Observed via walkthrough procedures, the No exceptions
(Cont.) deploys control activities through Competent personnel with sufficient entity’s system monitoring, IaaS and cloud noted.
policies that establish what is authority perform control activities with and cyber security, threat detection /
expected and in procedures that diligence and continuing focus. prevention, endpoint protection, and backup
put policies into action. and restore software consoles and system
administration procedures to determine
appropriate personnel performed control
activities per control activity objectives.

Reassesses Policies and Procedures— Inspected Management communications to No exceptions

Management periodically reviews control personnel regarding employee and corporate noted.
activities to determine their continued governance, financial, business, operational,
relevance and refreshes them when IT, and cyber security objectives and updates;
necessary. along with the entity's risk management
program, to determine Management
periodically reviewed control activities for
continued relevance or adjustments.

Matillion Limited | SOC 2 Type 2 88

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.1 The entity implements logical Identifies and Manages the Inventory of Inspected the most current IT asset inventory No exceptions
access security software, Information Assets—The entity identifies, register, the most current data classification noted.
infrastructure, and architectures inventories, classifies, and manages and handling policy and procedures, and the
over protected information assets information assets. entity’s risk management program (i.e.,
to protect them from security ongoing risk assessments, risk ratings, and
events to meet the entity's risk mitigation activities) to determine the
objectives. entity identified, inventoried, classified, and
managed information assets.

Assesses New Architectures—The entity Not applicable – new architecture No testing

identifies new system architectures and assessments. Informed by Management performed.
assesses their security prior to there were no identified new system
implementation into the system architectures required or assessed during the
environment. period under review.

Restricts Logical Access—Logical access to Observed via walkthrough procedures, No exceptions

information assets, including hardware, system generated lists of authorized system noted.
data (at-rest, during processing, or in administrators, users, and security groups of
transmission), software, administrative the entity’s IAM system, enterprise
authorities, mobile devices, output, and applications, and remote access software;
offline system components is restricted along with configured inbound and outbound
through the use of access control access rules of the entity’s virtual private
software and rule sets. cloud (VPC), to determine logical access to
information assets was restricted through the
use of access control software and rule sets.

Matillion Limited | SOC 2 Type 2 89

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.1 The entity implements logical Identifies and Authenticates Users— Observed via walkthrough procedures, No exceptions
(Cont.) access security software, Persons, infrastructure, and software are system generated lists of authorized system noted.
infrastructure, and architectures identified and authenticated prior to administrators, users, and security groups of
over protected information assets accessing information assets, whether the entity’s IAM system, IaaS, enterprise
to protect them from security locally or remotely. applications, and remote access software to
events to meet the entity's determine personnel and the systems were
objectives. identified and authenticated prior to
accessing information assets.

Considers Network Segmentation— Observed via walkthrough procedures, No exceptions

Network segmentation permits unrelated configured inbound and outbound access noted.
portions of the entity's information rules and subnets of the entity’s VPC; and
system to be isolated from each other. inspected the entity’s most current network
topology diagram to determine the network
was segmented for critical system isolation.

Manages Points of Access—Points of Observed via walkthrough procedures, No exceptions

access by outside entities and the types of system generated lists of authorized system noted.
data that flow through the points of administrators, users, and security groups of
access are identified, inventoried, and the entity’s IAM system, enterprise
managed. The types of individuals and applications, and remote access software;
systems using each point of access are along with configured inbound and outbound
identified, documented, and managed. access rules of the entity’s VPC; and
inspected completed logical access rights
reviews for the entity’s IAM system and
enterprise applications to determine points
of access and the types of users were
identified, logged, and managed.

Matillion Limited | SOC 2 Type 2 90

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.1 The entity implements logical Restricts Access to Information Assets— Observed via walkthrough procedures, No exceptions
(Cont.) access security software, Combinations of data classification, system generated lists of authorized system noted.
infrastructure, and architectures separate data structures, port restrictions, administrators, users, and security groups of
over protected information assets access protocol restrictions, user the entity’s IAM system, enterprise
to protect them from security identification, and digital certificates are applications, and remote access software;
events to meet the entity's used to establish access control rules for along with configured inbound and outbound
objectives. information assets. access rules of the entity’s VPC, to determine
the entity utilized a combination of access
controls that restricted access to information
assets.

Manages Identification and Observed via walkthrough procedures, No exceptions

Authentication—Identification and system generated lists of authorized system noted.
authentication requirements are administrators, users, security groups, and
established, documented, and managed authentication mechanisms (i.e., password
for individuals and systems accessing policy and multi-factor authentication) of the
entity information, infrastructure, and entity’s IAM system, enterprise applications,
software. and remote access software; and inspected
completed logical access rights reviews for
the entity’s IAM system and enterprise
applications to determine identification and
authentication requirements were
established and managed for personnel and
systems.

Matillion Limited | SOC 2 Type 2 91

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.1 The entity implements logical Manages Credentials for Infrastructure For the selection of new employees, No exceptions
(Cont.) access security software, and Software—New internal and external inspected completed new employee access noted.
infrastructure, and architectures infrastructure and software users are provisioning requests and associated
over protected information assets registered, authorized, and documented accounts provisioned to determine new users
to protect them from security prior to being granted access credentials were registered, authorized, and
events to meet the entity's and implemented on the network or documented prior to network access
objectives. access point. Credentials are removed and provisioning.
access is disabled when access is no
longer required, or the infrastructure and For the selection of terminated employees, No exceptions
software are no longer in use. inspected terminated employee access noted.
deprovisioning requests and associated
accounts deprovisioned to determine
credentials were required to be removed and
access disabled when no longer required.

Uses Encryption to Protect Data—The Inspected the production database storage No exceptions
entity uses encryption to supplement configuration with encryption enabled, along noted.
other measures used to protect data-at- with encryption enabled settings of the
rest when such protections are deemed entity’s endpoint protection systems, to
appropriate based on assessed risk. determine the entity utilized encryption to
protect data-at-rest.

Protects Cryptographic Keys—The entity Inspected the key management service No exceptions
protects cryptographic keys during software console for the entity’s managed noted.
generation, storage, use, and destruction. keys to determine cryptographic keys were
Cryptographic modules, algorithms, key protected and appropriate.
lengths, and architectures are appropriate
based on the entity’s risk mitigation
strategy.

Matillion Limited | SOC 2 Type 2 92

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.2 Prior to issuing system credentials Creates Access Credentials to Protected For the selection of new employees, No exceptions
and granting system access, the Information Assets—The entity creates inspected completed new employee access noted.
entity registers and authorizes new credentials for accessing protected provisioning requests and associated
internal and external users whose information assets based on an accounts provisioned to determine access
access is administered by the entity. authorization from the system's asset credentials were created based on an
For those users whose access is owner or authorized custodian. authorization from associated stakeholders.
administered by the entity, user Authorization is required for the creation
system credentials are removed of all types of credentials of individuals
when user access is no longer (for example, employees, contractors,
authorized. vendors, and business partner personnel),
systems, and software.

Reviews Validity of Access Credentials— Inspected completed logical access rights No exceptions
The entity reviews access credentials on a reviews for the entity’s IAM system and noted.
periodic basis for validity (for example, enterprise applications to determine the
employees, contractors, vendors, and entity reviewed access credentials on a
business partner personnel) and periodic basis for appropriateness.
inappropriate system or service accounts.

Prevents the Use of Credentials When No For the selection of terminated employees, No exceptions
Longer Valid—Processes are in place to inspected terminated employee access noted.
disable, destroy, or otherwise prevent the deprovisioning requests and associated
use of access credentials when no longer accounts deprovisioned to determine
valid processes were in place to disable or
otherwise prevent the use of access
credentials when no longer valid.

Matillion Limited | SOC 2 Type 2 93

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.3 The entity authorizes, modifies, or Creates or Modifies Access to Protected For the selection of new employees, No exceptions
removes access to data, software, Information Assets—Processes are in inspected completed new employee access noted.
functions, and other protected place to create or modify access to provisioning requests and associated
information assets based on roles, protected information assets based on accounts provisioned to determine processes
responsibilities, or the system authorization from the asset’s owner. were in place to create access to protected
design and changes, giving information assets based on authorization
consideration to the concepts of from asset owners.
least privilege and segregation of
duties, to meet the entity’s Removes Access to Protected Information For the selection of terminated employees, No exceptions
objectives. Assets—Processes are in place to remove inspected terminated employee access noted.
access to protected information assets deprovisioning requests and associated
when an individual no longer requires accounts deprovisioned to determine
access. processes were in place to remove access to
protected information assets when an
individual no longer required access.

Uses Access Control Structures—The Observed via walkthrough procedures, No exceptions

entity uses access control structures, such system generated lists of authorized system noted.
as role-based access controls, to restrict administrators, users, and security groups of
access to protected information assets, the entity’s IAM system, enterprise
limit privileges, and support segregation applications, and remote access software to
of incompatible functions. determine access control structures were
utilized to restrict access to protected
information assets, limit privileges, and
support segregation of incompatible
functions.

Matillion Limited | SOC 2 Type 2 94

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.3 The entity authorizes, modifies, or Reviews Access Roles and Rules—The Inspected completed logical access rights No exceptions
(Cont.) removes access to data, software, appropriateness of access roles and reviews for the entity’s IAM system and noted.
functions, and other protected access rules is reviewed on a periodic enterprise applications to determine
information assets based on roles, basis for unnecessary and inappropriate appropriateness of access roles and access
responsibilities, or the system individuals (for example, employees, rules were reviewed on a periodic basis and
design and changes, giving contractors, vendors, business partner access roles and rules were modified, as
consideration to the concepts of personnel) and in- appropriate system or appropriate.
least privilege and segregation of service accounts. Access roles and rules
duties, to meet the entity’s are modified, as appropriate.
objectives.

Matillion Limited | SOC 2 Type 2 95

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.4 The entity restricts physical access Creates or Modifies Physical Access— For the selection of new employees No exceptions
to facilities and protected Processes are in place to create or modify provisioned with office space access, noted.
information assets (for example, physical access to facilities such as data inspected enabled accounts in the entity’s
data center facilities, backup media centers, office spaces, and work areas, physical access control system to determine
storage, and other sensitive based on authorization from the system's processes were in place to create physical
locations) to authorized personnel asset owner. access to the entity’s corporate office based
to meet the entity’s objectives. on authorization from system asset owners.

Carve out. Processes to create and modify

physical access to outsourced providers’
facilities were managed and maintained by
the entity’s subservice organizations in
accordance with completed SOC reporting.

Removes Physical Access—Processes are For the selection of terminated employees, No exceptions
in place to remove access to physical inspected terminated employee physical noted.
resources when an individual no longer access deprovisioning requests and
requires access. associated accounts deprovisioned to
determine processes were in place to remove
access to the entity’s corporate office when
an individual no longer required access.

Carve out. Processes to remove physical

access to outsourced providers’ facilities
were managed and maintained by the
entity’s subservice organizations in
accordance with completed SOC reporting.

Matillion Limited | SOC 2 Type 2 96

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.4 The entity restricts physical access Recovers Physical Devices—Processes are For the selection of terminated employees, No exceptions
(Cont.) to facilities and protected in place to recover entity devices (for inspected confirmations of entity devices noted.
information assets (for example, example, badges, laptops, and mobile recovered or decommissioned in the entity
data center facilities, backup media devices) when an employee, contractor, asset management system to determine
storage, and other sensitive vendor, or business partner no longer processes were in place to recover entity
locations) to authorized personnel requires access. devices when an employee no longer
to meet the entity’s objectives. required access.

Reviews Physical Access—Processes are in Inspected the entity’s most current physical No exceptions
place to periodically review physical access rights review report to determine noted.
access to ensure consistency with job processes were in place to periodically review
responsibilities. physical access to office space for
appropriateness.

Carve out. Processes to periodically review

physical access to outsourced providers’
facilities were managed and maintained by
the entity’s subservice organizations in
accordance with completed SOC reporting.

Matillion Limited | SOC 2 Type 2 97

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.5 The entity discontinues logical and Removes Data and Software for Inspected the most current asset No exceptions
physical protections over physical Disposal—Procedures are in place to management policy and procedures to noted.
assets only after the ability to read remove, delete, or otherwise render data determine procedures were in place to
or recover data and software from and software inaccessible from physical remove, delete, or otherwise render data and
those assets has been diminished assets and other devices owned by the software inaccessible from equipment when
and is no longer required to meet entity, its vendors, and employees when data and software were no longer required
the entity’s objectives. the data and software are no longer and equipment no longer under control of
required on the asset or the asset will no the entity.
longer be under the control of the entity.

Matillion Limited | SOC 2 Type 2 98

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.6 The entity implements logical Restricts Access—The types of activities Observed via walkthrough procedures, No exceptions
access security measures to protect that can occur through a communication configured security groups and inbound and noted.
against threats from sources channel (for example, FTP site, router outbound access rules of the entity’s VPC;
outside its system boundaries. port) are restricted. and inspected the ingress and authentication
mechanism for inbound traffic to the entity’s
production platform to determine types of
activities through communication channels
were restricted.

Protects Identification and Authentication Inspected the entity’s IAM system, No exceptions
Credentials—Identification and configuration and settings, and authorized noted.
authentication credentials are protected users; along with the entity’s remote access
during transmission outside its system software and system configuration to
boundaries. determine identification and authentication
credentials were protected.

Requires Additional Authentication or Inspected the multi-factor authentication No exceptions

Credentials—Additional authentication mechanism in the entity’s IAM system, along noted.
information or credentials are required with the multi-factor authentication user
when accessing the system from outside interface and authentication mechanism for
its boundaries. the entity’s remote access software, to
determine additional authentication
credentials were required when accessing the
system from outside its boundaries.

Matillion Limited | SOC 2 Type 2 99

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.6 The entity implements logical Implements Boundary Protection Observed via walkthrough procedures, the No exceptions
(Cont.) access security measures to protect Systems—Boundary protection systems entity’s system monitoring, IaaS and cloud noted.
against threats from sources (for example, firewalls, demilitarized and cyber security, threat detection /
outside its system boundaries. zones, and intrusion detection systems) prevention, and endpoint protection
are implemented to protect external software consoles and system administration
access points from attempts and procedures, along with associated system
unauthorized access and are monitored to generated event logging and notifications, to
detect such attempts. determine boundary protection systems were
implemented to protect external access
points from unauthorized access and access
attempts were monitored.

Matillion Limited | SOC 2 Type 2 100

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.7 The entity restricts the Restricts the Ability to Perform Inspected the data loss prevention policies No exceptions
transmission, movement, and Transmission—Data loss prevention enabled in the entity’s cyber security console noted.
removal of information to processes and technologies are used to to determine data loss prevention processes
authorized internal and external restrict ability to authorize and execute and technologies were utilized to restrict the
users and processes, and protects it transmission, movement, and removal of ability to authorize and execute transmission,
during transmission, movement, or information. movement, and removal of information.
removal to meet the entity’s
objectives. Uses Encryption Technologies or Secure Inspected the advanced setting of the entity’s No exceptions
Communication Channels to Protect remote access software, along with the most noted.
Data—Encryption technologies or secured current Secure Socket Layer (SSL) certificate
communication channels are used to for the entity’s Web server, to determine
protect transmission of data and other encryption technologies were utilized to
communications beyond connectivity protect transmission of data.
access points.

Protects Removable Media—Encryption Inspected the removable media policy as No exceptions

technologies and physical asset contained in the most current data noted.
protections are used for removable media classification policy and procedures, along
(such as USB drives and backup tapes), as with the USB policies configured in the
appropriate. entity’s endpoint protection software, to
determine encryption technologies and
physical protections were required and
utilized for removable media.

Matillion Limited | SOC 2 Type 2 101

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.7 The entity restricts the Protects Endpoint Devices—Processes are Inspected the entity’s endpoint protection No exceptions
(Cont.) transmission, movement, and in place to protect endpoint devices (such software management console, policies noted.
removal of information to as laptops, smart phones, tablets, and enabled, and endpoints protected to
authorized internal and external sensors). determine processes were in place to protect
users and processes, and protects it endpoint devices.
during transmission, movement, or
removal to meet the entity’s
objectives.

Matillion Limited | SOC 2 Type 2 102

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.8 The entity implements controls to Restricts Installation and Modification of Observed via walkthrough procedures, No exceptions
prevent or detect and act upon the Application and Software—The ability system generated lists of authorized system noted.
introduction of unauthorized or to install and modify applications and administrators and security groups of the
malicious software to meet the software is restricted to authorized entity’s IAM system and enterprise
entity’s objectives. individuals. Utility software capable of applications; and inspected the most current
bypassing normal operating or security acceptable use policies to determine the
procedures is limited to use by authorized ability to install and modify applications and
individuals and is monitored regularly. software was restricted to authorized
personnel.

Detects Unauthorized Changes to Observed via walkthrough procedures, the No exceptions

Software and Configuration Parameters— entity’s system monitoring, IaaS and cloud noted.
Processes are in place to detect changes and cyber security, threat detection /
to software and configuration parameters prevention, and endpoint protection
that may be indicative of unauthorized or software consoles and system administration
malicious software. procedures, along with associated system
generated event logging and notifications, to
determine processes were in place to detect
changes to software and configuration
parameters that could be indicative of
unauthorized or malicious software.

Matillion Limited | SOC 2 Type 2 103

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.8 The entity implements controls to Uses a Defined Change Control Process— Inspected the most current change No exceptions
(Cont.) prevent or detect and act upon the A management-defined change control management and software development noted.
introduction of unauthorized or process is used for the implementation of lifecycle (SDLC) policies and procedures,
malicious software to meet the software. along with the lifecycle of completed
entity’s objectives. infrastructure change requests in the
ticketing and project management software;
and observed via walkthrough procedures,
the lifecycle of completed application
development code builds and releases in the
ticketing and project management software
to determine defined change control
processes were utilized for software
implementations.

Uses Anti-virus and Anti-malware Observed via walkthrough procedures, the No exceptions
Software—Anti-virus and anti-malware entity’s cyber security (i.e., advanced anti- noted.
software is implemented and maintained virus and anti-malware), threat detection /
to provide for the interception or prevention, endpoint protection
detection and remediation of malware. management consoles, policies enabled, and
endpoints protected; along with associated
system generated event logging and
notifications, to determine anti-virus and
anti-malware software was implemented and
maintained.

Matillion Limited | SOC 2 Type 2 104

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Logical and Physical Access Controls (Continued)
REF #

CC6.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC6.8 The entity implements controls to Scans Information Assets from Outside Observed via walkthrough procedures, the No exceptions
(Cont.) prevent or detect and act upon the the Entity for Malware and Other entity’s cyber security, threat detection / noted.
introduction of unauthorized or Unauthorized Software—Procedures are prevention, endpoint protection
malicious software to meet the in place to scan information assets that management consoles, policies enabled, and
entity’s objectives. have been transferred or returned to the endpoints protected; along with associated
entity’s custody for malware and other system generated event logging and
unauthorized software and to remove any notifications, to determine procedures were
items detected prior to its in place to scan information assets for
implementation on the network. malware and unauthorized software and to
remove items detected prior to
implementation on the network.

Matillion Limited | SOC 2 Type 2 105

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.1 To meet its objectives, the entity Uses Defined Configuration Standards— Inspected the most current change No exceptions
uses detection and monitoring Management has defined configuration management, SDLC, and network security noted.
procedures to identify (1) changes standards. policies and procedures; and observed via
to configurations that result in the walkthrough procedures, the entity’s source
introduction of new vulnerabilities, code repository and version control software
and (2) susceptibilities to newly to determine Management had defined
discovered vulnerabilities. configuration standards.

Monitors Infrastructure and Software— Observed via walkthrough procedures, the No exceptions
The entity monitors infrastructure and entity’s system monitoring, IaaS and cloud noted.
software for noncompliance with the and cyber security, threat detection /
standards, which could threaten the prevention, and endpoint protection
achievement of the entity's objectives. software consoles and system administration
procedures, along with associated system
generated event logging and notifications, to
determine the entity monitored
infrastructure and software for
noncompliance with standards.

Implements Change-Detection Observed via walkthrough procedures, the No exceptions

Mechanisms—The IT system includes a entity’s cloud security software consoles noted.
change-detection mechanism (for including the file integrity monitoring setting
example, file integrity monitoring tools) to enabled to determine the IT system had
alert personnel to unauthorized change-detection mechanisms to alert
modifications of critical system files, personnel to unauthorized modifications of
configuration files, or content files. critical files of the system.

Matillion Limited | SOC 2 Type 2 106

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.1 To meet its objectives, the entity Detects Unknown or Unauthorized Observed via walkthrough procedures, the No exceptions
(Cont.) uses detection and monitoring Components—Procedures are in place to entity’s system monitoring, IaaS and cloud noted.
procedures to identify (1) changes detect the introduction of unknown or and cyber security, threat detection /
to configurations that result in the unauthorized components. prevention, and endpoint protection
introduction of new vulnerabilities, software consoles and system administration
and (2) susceptibilities to newly procedures, along with associated system
discovered vulnerabilities. generated event logging and notifications, to
determine procedures were in place to
detect the introduction of unauthorized
components.

Conducts Vulnerability Scans—The entity Inspected completed vulnerability No exceptions

conducts vulnerability scans designed to assessments including closed remediation noted.
identify potential vulnerabilities or tickets to determine the entity conducted
misconfigurations on a periodic basis and vulnerability scans to identify potential
after any significant change in the vulnerabilities and took action to remediate
environment and takes action to deficiencies on a timely basis.
remediate identified deficiencies on a
timely basis.

Matillion Limited | SOC 2 Type 2 107

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.2 The entity monitors system Implements Detection Policies, Inspected the most current incident response No exceptions
components and the operation of Procedures, and Tools—Detection policies policy and procedures to determine noted.
those components for anomalies and procedures are defined and detection policies and procedures were
that are indicative of malicious acts, implemented, and detection tools are defined for security event detection.
natural disasters, and errors implemented on infrastructure and
affecting the entity's ability to meet software to identify anomalies in the Observed via walkthrough procedures, the No exceptions
its objectives; anomalies are operation or unusual activity on systems. entity’s system monitoring, IaaS and cloud noted.
analyzed to determine whether Procedures may include (1) a defined and cyber security, threat detection /
they represent security events. governance process for security event prevention, and endpoint protection
detection and management that includes software consoles and system administration
provision of resources; (2) use of procedures, along with associated system
intelligence sources to identify newly generated event logging and notifications, to
discovered threats and vulnerabilities; determine the entity utilized detection tools
and (3) logging of unusual system on infrastructure and software to identify
activities. anomalies in the operation or unusual activity
on systems.

Matillion Limited | SOC 2 Type 2 108

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.2 The entity monitors system Designs Detection Measures—Detection Observed via walkthrough procedures, the No exceptions
(Cont.) components and the operation of measures are designed to identify entity’s system monitoring, IaaS and cloud noted.
those components for anomalies anomalies that could result from actual or and cyber security, threat detection /
that are indicative of malicious acts, attempted (1) compromise of physical prevention, and endpoint protection
natural disasters, and errors barriers; (2) unauthorized actions of software consoles and system administration
affecting the entity's ability to meet authorized personnel; (3) use of procedures, along with associated system
its objectives; anomalies are compromised identification and generated event logging and notifications, to
analyzed to determine whether authentication credentials; (4) determine detection measures were
they represent security events. unauthorized access from outside the designed to identify anomalies that could
system boundaries; (5) compromise of result in security threats.
authorized external parties; and (6)
implementation or connection of
unauthorized hardware and software.

Implements Filters to Analyze Observed via walkthrough procedures, the No exceptions

Anomalies—Management has entity’s system monitoring, IaaS and cloud noted.
implemented procedures to filter, and cyber security, threat detection /
summarize, and analyze anomalies to prevention, and endpoint protection
identify security events. software consoles and system administration
procedures, along with associated system
generated event logging and notifications;
and inspected completed vulnerability
assessments including closed remediation
tickets, and completed security event change
requests in the ticketing and project
management software to determine
Management implemented procedures to
process anomalies to identify security events.

Matillion Limited | SOC 2 Type 2 109

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.2 The entity monitors system Monitors Detection Tools for Effective Observed via walkthrough procedures, the No exceptions
(Cont.) components and the operation of Operation—Management has entity’s system monitoring, IaaS and cloud noted.
those components for anomalies implemented processes to monitor the and cyber security, threat detection /
that are indicative of malicious acts, effectiveness of detection tools. prevention, and endpoint protection
natural disasters, and errors software consoles and system administration
affecting the entity's ability to meet procedures, along with associated system
its objectives; anomalies are generated event logging and notifications;
analyzed to determine whether and inspected Management communications
they represent security events. to personnel regarding operational, IT, and
cyber security objectives and updates; along
with the entity's risk management program
(i.e., ongoing risk assessments, risk ratings,
and risk mitigation activities) to determine
Management implemented processes to
monitor the effectiveness of detection tools.

Matillion Limited | SOC 2 Type 2 110

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.3 The entity evaluates security events Responds to Security Incidents— Inspected the most current incident response No exceptions
to determine whether they could or Procedures are in place for responding to policy and procedures to determine noted.
have resulted in a failure of the security incidents and evaluating the procedures were in place for responding to
entity to meet its objectives effectiveness of those policies and security incidents and evaluating the
(security incidents) and, if so, takes procedures on a periodic basis. effectiveness of policies and procedures on a
actions to prevent or address such periodic basis.
failures.
Informed by Management there were no
security incidents (affecting the entity’s
ability to maintain service commitments)
reported during the period under review.

Communicates and Reviews Detected Inspected completed vulnerability No exceptions

Security Events—Detected security events assessments including closed remediation noted.
are communicated to and reviewed by the tickets, along with completed security event
individuals responsible for the change requests in the ticketing and project
management of the security program and management software, to determine
actions are taken, if necessary. detected security events were communicated
and reviewed by Management and actions
were taken when necessary.

Matillion Limited | SOC 2 Type 2 111

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.3 The entity evaluates security events Develops and Implements Procedures to Inspected the most current incident response No exceptions
(Cont.) to determine whether they could or Analyze Security Incidents—Procedures policy and procedures; and observed via noted.
have resulted in a failure of the are in place to analyze security incidents walkthrough procedures, the entity’s IaaS
entity to meet its objectives and determine system impact. and cloud and cyber security, threat
(security incidents) and, if so, takes detection / prevention, and endpoint
actions to prevent or address such protection software consoles and system
failures. administration procedures, along with
associated system generated event logging
and notifications, to determine procedures
were in place to analyze security incidents
and identify system impact.

Matillion Limited | SOC 2 Type 2 112

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.4 The entity responds to identified Assigns Roles and Responsibilities—Roles Inspected the most current incident response No exceptions
security incidents by executing a and responsibilities for the design, policy and procedures to determine roles and noted.
defined incident response program implementation, maintenance, and responsibilities for the program were
to understand, contain, remediate, execution of the incident response assigned.
and communicate security program are assigned, including the use of
incidents, as appropriate. external resources when necessary.

Contains and Responds to Security Inspected the most current incident response No exceptions
Incidents—Procedures are in place to policy and procedures to determine noted.
respond to and contain security incidents procedures were in place to contain security
that actively threaten entity objectives. incidents.

Informed by Management there were no

security incidents (affecting the entity’s
ability to maintain service commitments)
reported during the period under review.

Mitigates Ongoing Security Incidents— Inspected the most current incident response No exceptions
Procedures are in place to mitigate the policy and procedures to determine noted.
effects of ongoing security incidents. procedures were in place to mitigate the
effects of ongoing security incidents.

Resolves Security Incidents—Procedures Inspected the most current incident response No exceptions
are in place to resolve security incidents policy and procedures to determine noted.
through closure of vulnerabilities, removal procedures were in place to resolve security
of unauthorized access, and other incidents through closure of vulnerabilities
remediation actions. and other remediation actions.

Matillion Limited | SOC 2 Type 2 113

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.4 The entity responds to identified Restores Operations—Procedures are in Inspected business continuity and disaster No exceptions
(Cont.) security incidents by executing a place to restore data and business recovery procedures and associated results; noted.
defined incident response program operations to an interim state that and observed via walkthrough procedures,
to understand, contain, remediate, permits the achievement of entity automated daily database snapshot logs and
and communicate security objectives. restore process, and automated code base
incidents, as appropriate. backups in the entity’s IaaS management
consoles to determine procedures were in
place to restore data and business
operations.

Develops and Implements Communication Inspected the most current incident response No exceptions
of Security Incidents—Protocols for policy and procedures to determine protocols noted.
communicating, in a timely manner, for communicating security incidents and
information regarding security incidents actions to be taken were developed and
and actions taken to affected parties are would be implemented in a timely manner.
developed and implemented to support
the achievement of the entity's
objectives.

Matillion Limited | SOC 2 Type 2 114

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.4 The entity responds to identified Obtains Understanding of Nature of Inspected the most current incident response No exceptions
(Cont.) security incidents by executing a Incident and Determines Containment policy and procedures to determine the noted.
defined incident response program Strategy—An understanding of the nature nature and severity of security incidents
to understand, contain, remediate, (for example, the method by which the would be evaluated for appropriate
and communicate security incident occurred and the affected system containment strategies.
incidents, as appropriate. resources) and severity of the security
incident is obtained to determine the
appropriate containment strategy,
including (1) a determination of the
appropriate response time frame, and (2)
the determination and execution of the
containment approach.

Remediates Identified Vulnerabilities— Informed by Management there were no No testing

Identified vulnerabilities are remediated security incidents (affecting the entity’s performed.
through the development and execution ability to maintain service commitments)
of remediation activities. reported during the period under review.

Communicates Remediation Activities— Informed by Management there were no No testing

Remediation activities are documented security incidents (affecting the entity’s performed.
and communicated in accordance with ability to maintain service commitments)
the incident response program. reported during the period under review.

Evaluates the Effectiveness of Incident Inspected the most current incident response No exceptions
Response—The design of incident policy and procedures to determine the noted.
response activities is evaluated for design of the incident response activities was
effectiveness on a periodic basis. evaluated for effectiveness on a periodic
basis.

Matillion Limited | SOC 2 Type 2 115

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.4 The entity responds to identified Periodically Evaluates Incidents— Informed by Management there were no No testing
(Cont.) security incidents by executing a Periodically, Management reviews security incidents (affecting the entity’s performed.
defined incident response program incidents related to security and identifies ability to maintain service commitments)
to understand, contain, remediate, the need for system changes based on reported during the period under review.
and communicate security incident patterns and root causes.
incidents, as appropriate.

Matillion Limited | SOC 2 Type 2 116

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.5 The entity identifies, develops, and Restores the Affected Environment—The Inspected business continuity and disaster No exceptions
implements activities to recover activities restore the affected recovery procedures and associated results; noted.
from identified security incidents. environment to functional operation by and observed via walkthrough procedures,
rebuilding systems, updating software, automated daily database snapshot logs and
installing patches, and changing restore process, automated code base
configurations, as needed. backups in the entity’s IaaS management
consoles, and the entity’s patch management
process and completed patch update tickets
to determine activities were in place to
rebuild systems, update software, as well as
install patches and change configurations as
needed.

Communicates Information About the Inspected the most current incident response No exceptions
Incident—Communications about the policy and procedures to determine noted.
nature of the incident, recovery actions procedures were in place for communications
taken, and activities required for the of incident details to Management and
prevention of future security incidents are associated stakeholders.
made to Management and others as
appropriate (internal and external). Informed by Management there were no
security incidents (affecting the entity’s
ability to maintain service commitments)
reported during the period under review.

Determines Root Cause of the Incident— Informed by Management there were no No testing
The root cause of the incident is security incidents (affecting the entity’s performed.
determined. ability to maintain service commitments)
reported during the period under review.

Matillion Limited | SOC 2 Type 2 117

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
System Operations (Continued)
REF #

CC7.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC7.5 The entity identifies, develops, and Implements Changes to Prevent and Informed by Management there were no No testing
(Cont.) implements activities to recover Detect Recurrences—Additional security incidents (affecting the entity’s performed.
from identified security incidents. architecture or changes to preventive and ability to maintain service commitments)
detective controls, or both, are reported during the period under review.
implemented to prevent and detect
recurrences on a timely basis.

Improves Response and Recovery Inspected the most current incident response No exceptions
Procedures—Lessons learned are policy and procedures, business continuity noted.
analyzed, and the incident response plan and disaster recovery procedures and
and recovery procedures are improved. associated results, and conducted
corroborative inquiry of IT Management to
determine lessons learned were analyzed
with respect to incident response plan and
process improvement.

Implements Incident Recovery Plan Inspected the most current business No exceptions
Testing—Incident recovery plan testing is continuity plan, along with business noted.
performed on a periodic basis. The testing continuity and disaster recovery procedures
includes (1) development of testing and associated results, to determine incident
scenarios based on threat likelihood and recovery plan testing was performed on a
magnitude; (2) consideration of relevant periodic basis.
system components from across the
entity that can impair availability; (3)
scenarios that consider the potential for
the lack of availability of key personnel;
and (4) revision of continuity plans and
systems based on test results.

Matillion Limited | SOC 2 Type 2 118

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Change Management
REF #

CC8.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC8.1 The entity authorizes, designs, Manages Changes Throughout the System Inspected the most current change No exceptions
develops or acquires, configures, Lifecycle—A process for managing system management and SDLC policies and noted.
documents, tests, approves, and changes throughout the lifecycle of the procedures, along with the lifecycle of
implements changes to system and its components completed infrastructure change requests in
infrastructure, data, software, and (infrastructure, data, software, and the ticketing and project management
procedures to meet its objectives. manual and automated procedures) is software; and observed via walkthrough
used to support the achievement of entity procedures, the lifecycle of completed
objectives. application development code builds and
releases in the ticketing and project
management software to determine a
process for managing system changes
throughout the lifecycle of the system and its
components was used to support the
achievement of entity objectives.

Authorizes Changes—A process is in place Inspected the most current change No exceptions
to authorize system and architecture management and SDLC policies and noted.
changes prior to design, development, or procedures, along with the lifecycle of
acquisition and configuration. completed infrastructure change requests in
the ticketing and project management
software; and observed via walkthrough
procedures, the lifecycle of completed
application development code builds and
releases in the ticketing and project
management software to determine a
process was in place to authorize system
changes prior to design, development, and
configuration.

Matillion Limited | SOC 2 Type 2 119

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Change Management (Continued)
REF #

CC8.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC8.1 The entity authorizes, designs, Designs and Develops Changes—A Observed via walkthrough procedures, the No exceptions
(Cont.) develops or acquires, configures, process is in place to design and develop lifecycle of completed application noted.
documents, tests, approves, and system changes in a secure manner to development code builds and releases in the
implements changes to support the achievement of entity ticketing and project management software
infrastructure, data, software, and objectives. to determine a process was in place to design
procedures to meet its objectives. and develop system changes in a secure
manner.

Documents Changes—A process is in Inspected the lifecycle of completed No exceptions

place to document system changes to infrastructure change requests in the noted.
support ongoing maintenance of the ticketing and project management software;
system and to support internal and and observed via walkthrough procedures,
external users in performing their the lifecycle of completed application
responsibilities. development code builds and releases in the
ticketing and project management software
to determine a process was in place to
document system changes to support
ongoing maintenance of the system and
users in performing their responsibilities.

Tracks System Changes—A process is in Inspected the lifecycle of completed No exceptions

place to track system changes prior to infrastructure change requests in the noted.
implementation. ticketing and project management software;
and observed via walkthrough procedures,
the lifecycle of completed application
development code builds and releases in the
ticketing and project management software
to determine a process was in place to track
system changes prior to implementation.

Matillion Limited | SOC 2 Type 2 120

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Change Management (Continued)
REF #

CC8.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC8.1 The entity authorizes, designs, Configures Software—A process is in place Observed via walkthrough procedures, the No exceptions
(Cont.) develops or acquires, configures, to select, implement, maintain, and lifecycle of completed application noted.
documents, tests, approves, and monitor configuration parameters used to development code builds and releases in the
implements changes to control the functionality of developed and ticketing and project management software,
infrastructure, data, software, and acquired software. along with the entity’s source code repository
procedures to meet its objectives. and version control software, to determine a
process was in place to select, implement,
maintain, and monitor configuration
parameters used to control functionality of
software.

Tests System Changes—A process is in Observed via walkthrough procedures, the No exceptions
place to test internally developed and lifecycle of completed application noted.
acquired system changes prior to development code builds in the ticketing and
implementation into the production project management software and conducted
environment. Examples of testing may corroborative inquiry of Application
include unit, integration, regression, static Development Management to determine a
and dynamic application source code, process was in place to test system changes
quality assurance, or automated testing prior to implementation into the production
(whether point in time or continuous). environment.

Matillion Limited | SOC 2 Type 2 121

For the Period Ending July 31, 2024
 9 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Change Management (Continued)
REF #

CC8.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC8.1 The entity authorizes, designs, Approves System Changes—A process is Inspected the lifecycle of completed No exceptions
(Cont.) develops or acquires, configures, in place to approve system changes prior infrastructure change requests in the noted.
documents, tests, approves, and to implementation. ticketing and project management software;
implements changes to and observed via walkthrough procedures,
infrastructure, data, software, and the lifecycle of completed application
procedures to meet its objectives. development code builds and releases in the
ticketing and project management software
to determine a process was in place to
approve system changes prior to
implementation.

Deploys System Changes—A process is in Observed via walkthrough procedures, the No exceptions
place to implement system changes with lifecycle of completed application noted.
consideration of segregation of development code builds in the ticketing and
responsibilities (for example, restricting project management software, the entity’s
unilateral code development or testing release management process, and conducted
and implementation by a single user) to corroborative inquiry of Development
prevent or detect unauthorized changes. Operations Management to determine a
process was in place to deploy system
changes in a secure manner.

Matillion Limited | SOC 2 Type 2 122

For the Period Ending July 31, 2024
 9 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Change Management (Continued)
REF #

CC8.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC8.1 The entity authorizes, designs, Identifies and Evaluates System Inspected the lifecycle of completed No exceptions
(Cont.) develops or acquires, configures, Changes—Objectives affected by system infrastructure change requests in the noted.
documents, tests, approves, and changes are identified, and the ability of ticketing and project management software;
implements changes to the modified system to support the and observed via walkthrough procedures,
infrastructure, data, software, and achievement of the objectives is the lifecycle of completed application
procedures to meet its objectives. evaluated throughout the system development code builds and releases in the
development life cycle. ticketing and project management software
to determine objectives of system changes
were evaluated throughout the system
development lifecycle.

Identifies Changes in Infrastructure, Data, Informed by Management there were no No testing

Software, and Procedures Required to security incidents (affecting the entity’s performed.
Remediate Incidents—Changes in ability to maintain service commitments)
infrastructure, data, software, and reported during the period under review.
procedures required to remediate
incidents are identified and the change
process is initiated upon identification.

Matillion Limited | SOC 2 Type 2 123

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Change Management (Continued)
REF #

CC8.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC8.1 The entity authorizes, designs, Creates Baseline Configuration of IT Inspected the most current change No exceptions
(Cont.) develops or acquires, configures, Technology—A baseline configuration of management and SDLC policies and noted.
documents, tests, approves, and IT and control systems is created and procedures, along with the lifecycle of
implements changes to maintained. completed infrastructure change requests in
infrastructure, data, software, and the ticketing and project management
procedures to meet its objectives. software; and observed via walkthrough
procedures, the lifecycle of completed
application development code builds and
releases in the ticketing and project
management software, along with the
entity’s source code repository and version
control software, to determine a baseline
configuration of IT and control systems was
created and maintained.

Provides for Changes Necessary in Inspected the emergency change No exceptions

Emergency Situations—A process is in management procedures as contained in the noted.
place for authorizing, designing, testing, most current change management policy and
approving, and implementing changes procedures to determine a process was in
necessary in emergency situations (that is, place for the lifecycle management of
changes that need to be implemented in emergency change requests.
an urgent timeframe).

Manages Patch Changes—A process is in Inspected the entity’s patch management No exceptions
place to identify, evaluate, test, approve, process and completed patch update tickets noted.
and implement patches in a timely to determine a process was in place to
manner on infrastructure and software. manage the implementation of patches in a
timely manner on infrastructure and
software.

Matillion Limited | SOC 2 Type 2 124

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Mitigation
REF #

CC9.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC9.1 The entity identifies, selects, and Considers Mitigation of Risks of Business Inspected the most current business No exceptions
develops risk mitigation activities Disruption—Risk mitigation activities continuity plan, the entity's risk management noted.
for risks arising from potential include the development of planned program (i.e., ongoing risk assessments, risk
business disruptions. policies, procedures, communications, ratings, and risk mitigation activities), and
and alternative processing solutions to business continuity and disaster recovery
respond to, mitigate, and recover from procedures and associated results to
security events that disrupt business determine the entity considered mitigation of
operations. Those policies and procedures risks of business disruption and had policies
include monitoring processes and and procedures in place to meet entity
information and communications to meet objectives.
the entity's objectives during response,
mitigation, and recovery efforts.

Considers the Use of Insurance to Inspected the most current declarations of No exceptions
Mitigate Financial Impact Risks—The risk liability insurance from the entity’s insurance noted.
management activities consider the use of provider to determine risk management
insurance to offset the financial impact of activities considered the use of insurance to
loss events that would otherwise impair offset the impact of loss events.
the ability of the entity to meet its
objectives.

Matillion Limited | SOC 2 Type 2 125

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Mitigation (Continued)
REF #

CC9.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC9.2 The entity assesses and manages Establishes Requirements for Vendor and Inspected executed vendor and client No exceptions
risks associated with vendors and Business Partner Engagements—The agreements, the most current vendor noted.
business partners. entity establishes specific requirements management policy and procedures, and the
for a vendor and business partner most current SOC reports of the entity’s
engagement that includes (1) scope of subservice organizations to determine the
services and product specifications, (2) entity established specific requirements for
roles and responsibilities, (3) compliance vendor and business partner engagements
requirements, and (4) service levels. that included scope of services and
specifications, roles and responsibilities,
compliance requirements, and service levels.

Identifies Vulnerabilities—The entity Inspected executed vendor and client No exceptions

evaluates vulnerabilities arising from agreements, the entity's risk management noted.
vendor and business partner program, the most current vendor
relationships, including third-party access management policy and procedures, and the
to the entity’s IT systems and connections most current SOC reports of the entity’s
with third party networks. subservice organizations to determine the
entity evaluated vulnerabilities from vendor
and business partner relationships and third
party access to the entity’s systems.

Matillion Limited | SOC 2 Type 2 126

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Mitigation (Continued)
REF #

CC9.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC9.2 The entity assesses and manages Assesses Vendor and Business Partner Inspected executed vendor and client No exceptions
(Cont.) risks associated with vendors and Risks—The entity inventories, tiers, and agreements, the entity's risk management noted.
business partners. assesses, on a periodic basis, threats program, the most current vendor
arising from relationships with vendors management policy and procedures, and the
and business partners (and those entities’ most current SOC reports of the entity’s
vendors and business partners) and the subservice organizations to determine vendor
vulnerability of the entity's objectives to and business partner risks were assessed on a
those threats. Examples of threats arising periodic basis.
from relationships with vendors and
business partners include those arising
from their (1) financial failure, (2) security
vulnerabilities, (3) operational disruption,
and (4) failure to meet business or
regulatory requirements.

Assigns Responsibility and Accountability Inspected executed vendor and client No exceptions
for Managing Vendors and Business agreements, the entity's risk management noted.
Partners—The entity assigns responsibility program, the most current vendor
and accountability for the management of management policy and procedures, and the
risks associated with vendors and most current SOC reports of the entity’s
business partners. subservice organizations to determine the
entity assigned responsibility and
accountability for the management of risks
associated with vendors and business
partners.

Matillion Limited | SOC 2 Type 2 127

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Mitigation (Continued)
REF #

CC9.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC9.2 The entity assesses and manages Establishes Communication Protocols for Inspected executed vendor and client No exceptions
(Cont.) risks associated with vendors and Vendors and Business Partners—The agreements, along with the online support noted.
business partners. entity establishes communication and and knowledge base user interfaces and user
resolution protocols for service or product community interactions, to determine the
issues related to vendors and business entity established communication and
partners. resolution protocols for service issues related
to vendors and business partners.

Establishes Exception Handling Inspected executed vendor and client No exceptions

Procedures from Vendors and Business agreements, along with the online support noted.
Partners—The entity establishes and knowledge base user interfaces and user
exception handling procedures for service community interactions, to determine the
or product issues related to vendors and entity established exception handling
business partners. procedures for service issues related to
vendors and business partners.

Assesses Vendor and Business Partner Inspected executed vendor and client No exceptions
Performance—The entity assesses the agreements, the entity's risk management noted.
performance of vendors and business program, the most current vendor
partners, as frequently as warranted, management policy and procedures, and the
based on the risk associated with the most current SOC reports of the entity’s
vendor or business partner. subservice organizations to determine the
entity assessed the performance of vendors
and business partners as frequently as
warranted.

Matillion Limited | SOC 2 Type 2 128

For the Period Ending July 31, 2024
 TRUST SERVICES CRITERIA AND POINTS OF FOCUS

TSC
Risk Mitigation (Continued)
REF #

CC9.0 Trust Services Criteria for the Description of Points of Focus Ascend Audit & Advisory Tests of Points of Test Results
Security Category Focus

CC9.2 The entity assesses and manages Implements Procedures for Addressing Inspected executed vendor and client No exceptions
(Cont.) risks associated with vendors and Issues Identified During Vendor and agreements, along with the online support noted.
business partners. Business Partner Assessments—The entity and knowledge base user interfaces and user
implements procedures for addressing community interactions, to determine the
issues identified with vendor and business entity implemented procedures for
partner relationships. addressing issues identified with vendor and
business partner relationships.

Implements Procedures for Terminating Inspected executed vendor and client No exceptions
Vendor and Business Partner agreements, along with the most current noted.
Relationships—The entity implements vendor management policy and procedures,
procedures for terminating vendor and to determine the entity implemented
business partner relationships based on procedures for terminating vendor and
predefined considerations. Those business partner relationships in an
procedures may include safe return of appropriate manner.
data and its removal from the vendor or
business partner system.

Matillion Limited | SOC 2 Type 2 129

For the Period Ending July 31, 2024