Business Services Catalog 2023

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 2 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of Dizzion Inc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

1 Overview and Description

Dizzion’s Business Services Catalog contains information about the managed Digital Workspace services that Dizzion offers to customers.This catalog includes service descriptions of primary and supporting services, pricing models, delineation of responsibilities, fulfillment timeframes, and other details, where applicable.

Major items for each service that is provided include:

• Service Name: The name by which Dizzion references the service.

• Service Description: A summary of what the service does and the outcomes it helps customers achieve.

• What You Should Expect: Expected prerequisites, processes for implementation and timelines.

• How We Charge: Pricing models for the service.

• Dizzion Responsibilities: Dizzion’s operation and management responsibilities for the service.

• Customer Responsibilities: Customer operation and management responsibilities for the service.

• Compliance: How the service relates to compliance requirements such as PCI, HIPAA, SOC 2, or GDPR.

• Architecture: Where the service fits in the overall architecture of the Dizzion service environment.

Page 3 of 41

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of Dizzion Inc.Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

2 Private Cloud Virtual Datacenter

The PrivateCloud Virtual Data Center (PCVDC) is a required component of every customer’s Digital Workspace deployment, regardless of whether the customer is consuming desktops, application streaming services, disaster recovery or another service from Dizzion. It is the foundation of every customer tenant within the Dizzion Service.

SERVICE DESCRIPTION

A PCVDC consists of the infrastructure, networking, and virtual server components required to host virtual desktops and applications in a dedicated customer tenant within the Dizzion Service. It is the basis of every customer deployment in the Dizzion cloud whether the customer is consuming virtual desktops, virtual applications, disaster recovery or another service from Dizzion. Each Dizzion customer environment exists independently of other Dizzion customers within a unique dedicated PCVDC.

SERVICE FEATURES

Every Dizzion customer will have at least one PCVDC, which consists of a dedicated private IP address space, dedicated virtual firewalls, dedicated Virtual LAN(s) (VLAN), dedicated identity services (Active Directory), authentication trusts, and a dedicated Virtual Desktop Infrastructure (VDI) stack (Security Gateway Servers,Connection Servers, Load Balancers and Network Integrations). These dedicated services are established for each customer to provide secure connections to and from the Dizzion Digital Workspace environment. In addition, the PCVDC provides the networking devices required to route and switch traffic within the environment itself. PCVDCs are single tenant/dedicated.

Providing a unique PCVDC to each customer ensures that no customer can “see” any other customer’s data, activity, or intellectual property. Custom security policies can also be applied to an individual PCVDC to protect each customer uniquely. In addition, the performance of each customer environment is not affected by the configuration of any other customer’s environment.

WHAT YOU SHOULD EXPECT

Each customer’s PCVDC is deployed in a Highly Available (HA) configuration. This means for each PCVDC, there are two of each critical component, deployed in a failover configuration. If a failure should occur or a maintenance window needs to be scheduled, this helps to ensure minimal to no interruption to the service.

Standard time frame for the deployment of a PCVDC is 5-10 business days after submission of an order and all required supporting documentation (i.e., executed MSA, order form, completed technical deliverables documentation), and a kickoff call between Dizzion and the customer. Additional components that support the PCVDC, including networking integrations may require additional coordination between Dizzion and the customer.

HOW WE CHARGE

A PCVDC is not offered as a stand-alone service, nor does it appear as a separate charge as part of a service subscription with Dizzion. All components required for a PCVDC are included in the desktop or streaming application charges to which a customer would subscribe.

Page 4 of 41

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com

DIZZION RESPONSIBILITIES

SETUP:

• Provide Firewalls, Security Gateway Servers, Connection Servers, Active Directory Servers, Authentication Trusts and Load Balancers

• Provide dedicated VLANs and assign public and private IP addresses

• Configure firewall rules

• Assist with and guide network integration (VPN, MPLS, etc.) between Dizzion and Customers

• Assist with and guide ActiveDirectory (AD) integration and apply computer-side GPOs

• Configure monitoring for all PCVDC components

ONGOING:

• Provide continuous monitoring of each component in the PCVDC

• Troubleshoot any functionality, reliability, security or performance concerns for PCVDC components

• Change management responsibility for PCVDC components.

• Antivirus/anti-malware responsibility for allPCVDC components.

• Provide 24/7/365 email, portal and phone support to the customer

• Perform patching and upgrades to each component of the PCVDC

• Perform and guide configuration changes requested by the customer

• Maintain and apply changes in desktop controls/configurations (computer-side GPOs)

CUSTOMER RESPONSIBILITIES

SETUP:

• Assist with any needed network integrations (DNS Forwarders, VPN, MPLS, SD-WAN etc.) between Dizzion and customer infrastructure.

• Create new Active Directory Security Groups to manage users and user groups

• Create a two-way SSL certificate for the AD trust and provide Dizzion with the key

• Ensure there is no IP address overlaps or conflicts

ONGOING:

• Managing user-side GPOs

• Troubleshoot, update and manage overall functionality, performance and reliability of any non- Dizzion managed systems (i.e., infrastructure deployed in customer locations)

• Configure and maintain customer’s network termination points (DNS Forwarders, VPN, MPLS, etc.)

• Contact Dizzion support to report any Dizzion service issues

• Work with Dizzion to resolve any Dizzion service-related issues

• Approve Maintenance Windows and communicate to possible affected parties

COMPLIANCE

Although the standardPCVDC is deployed in a secure manner, it has not been audited for any specific compliant standard and may be missing components required to meet certain compliance requirements. For organizations that require compliance (i.e., PCI DSS, HIPAA, SOC 2, etc ), Dizzion offers third-party audited, CompliantPCVDC packages. See section5, “CompliantServices” for more information about achieving industry compliance within a PCVDC.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 5 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document publishedNovember 2022.

ARCHITECTURE

The diagram shown here illustrates many of the components in a typical Dizzion cloud deployment. The shaded areas indicate the portion of the diagram that is relevant to this section (i.e., in this section, the shaded portions of the diagram represent the components that correspond to a customer’s PCVDC).

Page 6 of 41

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion,Inc. This document publishedNovember 2022.

3 Cloud Delivered Desktops

Cloud Delivered Desktops are at the core of Dizzion’s Digital Workspace offerings, providing a managed virtual desktop platform in the cloud. Dizzion’s Cloud Delivered Desktop service is the service most widely subscribed to by Dizzion customers.

SERVICE description

With Dizzion’s Cloud Delivered Desktop service, customers can take advantage of the security and flexibility of the cloud while maintaining – and most often improving – the end user desktop experience. Dizzion takes the guesswork out of Digital Workspaces as our platform is purpose built and guaranteed to scale, which removes expensive infrastructure, licensing, and staffing costs.

By delivering virtual desktops from the cloud, Dizzion helps customers increase data protection while adding additional flexibility for organizations and their end users. Cloud delivered desktops keep information off endpoint devices where most data loss and theft occur. Bring Your Own Device (BYOD), work at home and true mobility are made possible because users can securely access their desktops (and data) wherever they have an internet connection, and from nearly any device.

Dizzion’s Cloud Delivered Desktop Services consist of two distinct service levels, called “DaaS” and “Managed DaaS”. Descriptions of these services are provided here.

DAAS

Dizzion’s DaaS service consists of a virtual desktop platform provided as a managed service in the cloud. DaaS does not require customers to purchase, maintain, or plan for the underlying infrastructure. Components of the service that are managed by Dizzion include the physical compute, storage, networking, virtual server infrastructure, virtual networking, directory services, and platform licensing. Customers who subscribe to Dizzion’s DaaS service have full responsibility for the operation, management, security, patching, and updating of Golden Images, Operating Systems, Desktops and applications.

For more information on the DaaS service level, see the DaaS Service Description available at help.dizzion.com.

Managed DaaS

Dizzion’s Managed DaaS service includes everything in the DaaS service level, plus additional technologies and services which allow customers to consume virtual desktops as a fully managed service.

Managed DaaS is intended to take the complexities of designing, implementing, optimizing, and running a Digital Workspace environment off an organization’s IT department. Managed DaaS is a fully managed Desktop as a Service offering, with Dizzion acting as your 24/7 operations and engineering team. Dizzion works with you to design a dedicated Digital Workspace service in accordance with your business and end user needs, without the need for you to have VDI skilled experts on staff. With Managed DaaS, operation, management, security, upkeep, and day-to-day burden of managing desktops and desktop delivery lies largely on Dizzion. The service allows you to rapidly onboard new employees, contractors, customers or project teams, and automatically scale your services up and down during periods of increased or decreased demand. With Managed DaaS, Dizzion’s engineering and operations teams take an active role in ensuring optimal workspace performance regardless of when or where your end users do their jobs.

Dizzion’s Cloud Delivered Desktops, at the Managed DaaS service level are fully managed and include anti-malware/antivirus, OperatingSystem patching & updates, data protection (backup), bandwidth and monitoring, as well as business and user analytics. Dizzion handles all infrastructure enhancements and upgrades as needed to ensure your Cloud DeliveredDesktops always perform at the highest level possible.

Dizzion Managed DaaS also offers compliance and performance-enhancing add-ons to ensure end users are happy and productive, no matter the workload or use case.

For more information on the Managed DaaS service level, see the Managed DaaS Service Description documentation available at help.dizzion.com.

SERVICE FEATURES

Dizzion offers two standard base configurations for Cloud Delivered Desktops. Resources such as vCPU, RAM, and HDD space can be added to these base configurations, but customers must choose a base configuration as a starting point for each virtual desktop workload. Dizzion can help guide you as well.

Component	Professional	Premium
vCPU	2	2
RAM (GB)	4	6
HDD (GB)	80	80
Workload Type	VDI	VDI
Windows 10 Client OS	Yes	Yes
Windows Server OS	Yes	Yes

vCPU, RAM, andHDD space can be added to these base configurations individually in increments of 2vCPU,2GB RAM, and 500GBHDD space.HDD space is also available with multiple speed (IOPS)options. Refer to section 11, “Persistent/Protected Storage”, for more detail.

DESKTOP TYPES

Cloud Delivered Desktops offer two provisioning types, Instant Clones and Full Clones, described here.

Instant Clones

An instant clone is a instant copy of the Golden Image. Instant clones can be used to deploy a non-persistent desktop environment, where all changes made to the virtual desktop are discarded following user logoff. This means that any changes a user makes to the desktop, any downloaded files, data left on the virtual hard drive, configuration changes, and any other change does not remain on that desktop image following the user logging off the desktop. This can greatly reduce the risk of data leakage as no data persists between user sessions. If certain parts of the data or settings need to be persisted or “show back up” the next time that users access a desktop, profile management can be applied to have that data applied the next time the user accesses a virtual desktop. In addition to assisting with data leakage, Instant clones have multiple other advantages including, speed to provision, speed to update and or patch, and cost reduction.

Page 7 of 41

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com

© 2021 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document publishedNovember 2022.

Full Clones

A full clone is an independent copy of a Golden Image that shares nothing with the Golden Image after the cloning operation. Full Clone VMs provide a truly persistent desktop experience. That is, all data and changes that a user makes to a Full Clone virtual desktop are saved on that virtual desktop and assigned to that user. Full clone desktops cannot be shared among multiple users, which means that each user must be assigned their own, unique full clone desktop, but this does allow each user to have an experience that feels more like their own desktop or laptop, with limited restrictions on their ability to save data and modify their desktop experience. Full clones are typically slower to provision, update and patch, and typically come with a higher cost as each user needs to be assigned to a dedicated desktop vs only needing enough desktops to satisfy peak demand.

GPU SUPPORT

Virtual GPU support can be added to Cloud Delivered Desktops for an additional charge. Specific chipsets and 3D features may vary depending on geographic location and deployment size. Please contact your AccountExecutive or Client Relations Manager for further details on GPU sizing, pricing, and availability.

WHAT YOU SHOULD EXPECT

Before implementation, a project plan is developed which includes live testing and tuning (UAT) to ensure end users have an exceptional desktop experience. For Managed DaaS deployments only, Dizzion works with customers to create a finely tuned, customized Golden Image (GI) that serves as a template Operating System for each desktop pool. This template makes adding additional desktops a quick and seamless process.

In most cases, your Dizzion cloud delivered desktops will integrate with your existing identity management system for authentication and allow usernames and passwords to remain the same. Dizzion can also host Identity management (Active Directory) and allow you to control user access but remove the need to deploy your own infrastructure.

Dizzion’sCloud Delivered Desktops can be accessed from zero-clients as well as any device running Windows, macOS, Linux, Android, iOS or Chrome OS. For customers who wish to explore secure BYOD options for their endusers, Dizzion also offers “zLink BYOD”, a software package that allows for added security, compliance and additional efficiencies, while allowing endusers to use their own devices to connect to the Dizzion service. For more information on zLink BYOD, see section 9 “zLink BYOD”.

Standard deployment times for Cloud Delivered Desktops are 2 -3 weeks after a customer’s PCVDC has been fully deployed. Additional components that support cloud desktops, including networking integrations, GPU support, custom configurations, and/or add-on features may require additional deployment time. If cloud desktops are being added to an existing production customer environment (PCVDC), adding additional desktops may take considerably less time.

HOW WE CHARGE

Cloud Delivered Desktops are offered as a per-desktop subscription. Dizzion does not offer a per-user subscription model. A customer must subscribe to a fixed number of virtual desktops and are invoiced for the total number of desktops under contract, regardless of the actual number of users who have connected to the service over any period of time, or whether the Service Offering has been used or not. whether the desktops are instant clones or full clones, and whether users are assigned their own desktops, or groups of users are sharing desktops.

` Page 8 of 41

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com

Other components of the Dizzion service that are used in conjunction with Cloud Delivered Desktops may be offered based on the quantity of service components purchased, or the quantity of users that have access to a given component.

The Dizzion DaaS and Managed DaaS Services are available in a month-to-month subscription term, or subscription periods of 1 year or 3 years. Customers can prepay for the entire committed subscription term or can choose to be invoiced monthly or pre-pay annually.

DIZZION RESPONSIBILITIES

Dizzion’s service responsibilities within the DaaS service include:

• Infrastructure Services, including the implementation of components needed to support the Digital Workspace environment.

• Provisioning of initial capacity for virtual desktops and servers (i.e., vCPU allocation, memory, storage and networking), and the provisioning of the virtual desktops themselves.

• Service initiation, validation, testing, and training.

• Provide 24/7/365 tier 2 and tier 3 IT support including email, web, and phone support.

Dizzion’s service responsibilities within the Managed DaaS service include:

• Infrastructure Services, including the implementation of components needed to support the virtual desktop infrastructure.

• Provisioning of initial capacity for virtual desktops and servers (i.e., vCPU allocation, memory, storage and networking), and the provisioning of the virtual desktops themselves.

• Service initiation, validation, testing, and training.

• Creation and management of Golden Images to use as templates for virtual desktops

• Operating System management, including OS licensing, patching, antivirus/anti-malware, and monitoring.

• Setup, operation, and management of profile management/persistent data technologies.

• Planning, implementation and operation of backup & data protection technologies and procedures.

• Planning, implementation and operation of Disaster Recovery and Business Continuity technologies and procedures.

• Perform testing and tuning with customer’s end users.

• Provide 24/7/365 tier 2 and tier 3 IT support including email, web, and phone support.

CUSTOMER RESPONSIBILITIES

Customer responsibilities within the DaaS service include:

• Creation and management of Golden Images to use as templates for virtual desktops.

• Operating System management, including OS licensing, patching, antivirus/anti-malware, and monitoring.

• Third party application installation, management, and patching/updating.

• Setup, operation, and management of profile management/persistent data technologies.

• Identity and Access Management including user entitlements to desktops and desktop resources.

• End user device management.

• Planning, implementation and operation of backup & restoration technologies and procedures.

• Planning, implementation and operation of Disaster Recovery and Business Continuity technologies and procedures.

Page 9 of 41

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com

• Provide a Tier 1 support process for end users (Dizzion does not provide direct end user support).

Customer responsibilities within the Managed DaaS service include:

• Third party application installation, management, and patching/updating.

• Identity and Access Management including user entitlements to desktops and desktop resources.

• End user device management.

• Provide a Tier 1 support process for end users (Dizzion does not provide direct end user support).

COMPLIANCE

Cloud Delivered Desktops are delivered in a secure manner but do not have controls in place to guarantee alignment with industry compliance standards. Managed DaaS customers that require compliance (i.e., PCI DSS,HIPAA, SOC 2, etc.…), can subscribe to Dizzion’s Compliant Services, an add-on to the service that has been audited for PCI DSS, HIPAA HITECH, andSOC 2 Type II compliance. With Compliant Services, Dizzion takes responsibility for a vast majority of compliance requirements. See section 5 “Compliant Services” for more information on compliance options for Managed DaaS. Please note that Compliant Services are not offered in the DaaS service level.

ARCHITECTURE

Page 10 of 41

(888) 225-2974| 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com © 2021 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of Dizzion Inc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document publishedNovember 2022.

4 Golden Images & Desktop Pools

One of the many advantages that Dizzion’s services provide for customers is uniform desktop manageability.This is done in part by leveraging Golden Images and Desktop Pools. These two elements work together to create an efficient environment that can support disparate use cases and various technical requirements.

SERVICE DESCRIPTION

A Golden Image (GI) is the base operating system template (Microsoft Windows) intended for use by one or more Desktop Pools. Golden Images are the base image from which virtual desktops are created.

A Desktop Pool is a collection, or cluster, of virtual desktops that are each deployed from the same GI. DesktopPools can be configured to host either instant clones or full clones, but not both. Each virtual desktop in any pool has its own dedicated resources to ensure a consistent and high performing end user experience.

Dizzion services may include multiple Golden Images and Desktop Pools based on the number of use cases defined. Dizzion works with customers to determine the appropriate number and types of Golden Images and Desktop Pools. As a best practice, Dizzion aims to help customers reduce the number of Desktop Pools deployed to realize the greatest efficiencies of the Cloud Desktop service.

SERVICE FEATURES

Customers who subscribe to Dizzion’s DaaS service level have the option to bring their own Golden Images, or use Golden Images provided by Dizzion. Managed DaaS customers may only use Dizzion provided Golden Images. Dizzion-provided Golden Images have been optimized for use in Dizzion’s service environment.

Customers in both service levels have responsibility for third-party application installation, management, updating, and patching.DaaS customers also have responsibility for keeping all Golden Images up to date with updates, patches, and security controls. Dizzion will give access to the Golden Image so the customer can install any third-party applications. Dizzion will then fine-tune the GI so that it is optimized based on the applications that have been installed.

WHAT YOU SHOULD EXPECT

Once Golden Images and Desktop Pools have been provisioned and configured, customers can manage which users have access to each pool through Active Directory. The pool can be used by a single department, multiple departments, or other use cases where users require access to the same applications.

Once a deployment is active, customers can request access to the GI in the event an update needs to be made.After updates, testing, and troubleshooting is complete on the updated GI, Dizzion will push the updated image out to all members of the Desktop Pool providing an easy way to centrally manage your desktop environment.

Standard time frame for delivery of a Golden Image to a customer is 1-2 weeks after a customer’s PCVDC has been fully deployed.Additional components that support cloud desktops, including networking integrations, GPU support, custom configurations, and/or add-on features may require additional deployment time. Following delivery of the Golden Image to a customer, the customer can add third-party applications to the image. This typically takes 1-2 weeks. If a Golden Image is being added to an existing production customer environment(PCVDC), this process may take considerably less time.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 11 of 41

The standard time frame for deployment of a Desktop Pool to a customer environment is 1-3 days after completion of a Golden Image.

FOR MANAGED DAAS CUSTOMERS ONLY

Managed DaaS customers subscribe to a fully managed virtual desktop service, which allows a customer to focus less on day-to-day desktop management, and more on business-critical items. As such, Managed DaaS customers have access to Dizzion engineers to assess and recommend Golden Image configurations, including sizing, quantities, and specifications needed for each GI and desktop pool based on application requirements, understanding the features and ways in which your end users use applications, and years of experience in working with hundreds of virtual desktop deployments.

For Managed DaaS customers, Dizzion will provision, configure and provide the desktop pool and GIs, and the customer is responsible for the installation and maintenance of any third-party applications that run on the desktop. Dizzion will ensure all base operating system updates are managed at intervals established with the customer and will monitor and manage all underlying architecture for the desktop.

HOW WE CHARGE

Golden Images and Desktop Pools have a one-timeNRC (Non-Recurring Charge). The charge for the Golden Image includes the provisioning, tuning, configuration and implementation support that ensures optimal performance. The charge for the Desktop Pool includes the configuration and setup of the underlying virtual desktops.

DIZZION RESPONSIBILITIES

SETUP:

• Provision a Desktop Pool with specifications agreed upon by the customer.

• Provide the customer with access to Golden Image(s).

• (Managed DaaS only) Work with endusers to tune the Golden Image(s) for best performance in Dizzion's virtual environment.

• Assign the Golden Image to the Desktop Pool and deploy virtual desktops based on this image.

ONGOING:

• Provide support via web portal, email and phone assistance that allow customer administrators to request access to or report concerns with the Golden Image, or to add more virtual desktops to the Desktop Pool.

• Push out any updates that the customer makes to the GI to all desktops in the appropriate Desktop Pools.

• (Managed DaaS only) - Monitor, manage and update the OS and software provided by Dizzion on the Golden Image during maintenance windows (which are discussed and planned in conjunction with the customer).

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 12 of 41

Customer responsibilities

Setup:

Work with Dizzion to determine configurations for GIs and Desktop Pools.
Install and test any third-party applications that will be used on the Golden Image.
(Managed DaaS only) - Work with Dizzion and provide users for testing and tuning.

Ongoing:

Install updates to third-party applications on the GI and ensure functionality before and after updates.
Communicate with Dizzion on any modifications that need to be made to the GI or Desktop Pool
(DaaS only) - Monitor the performance and health of the desktop OS and software on the Golden Image. Manage and resolve incidents related to the desktop OS and Golden Image. Coordinate maintenance windows if required.

Compliance

Although Golden Images and Desktop Pools are deployed in a secure manner, they have not been audited for any specific compliant standard and may be missing components required to meet certain compliance requirements. For organizations that require compliance (i.e., PCI DSS, HIPAA, SOC 2, etc....), Dizzion offers several different third-party audited, Compliant PCVDC packages. See section 5, “Compliant Services” for more information about achieving industry compliance within your Dizzion services.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 13 of 41

ARCHITECTURE

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 14 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

5 Compliant Services

Managed DaaS customers who operate in industries that are subject to regulatory compliance, periodic security audits, or otherwise require additional security oversight in their Managed DaaS service often choose to subscribe to Dizzion’sCompliant Services. Please note that Compliant Services are only available to Managed DaaS subscribers and are not available to DaaS subscribers.

SERVICE DESCRIPTION

Compliant Services can relieve customers of much of the ever-changing burden of PCI DSS, HIPAA HITECH, SOC 2 TypeII, and GDPR compliance. Customers that subscribe to Dizzion’s CompliantServices will have their PCVDC augmented with additional security systems, logging, monitoring, change control, audit reporting, and other processes and procedures that meet some of the most rigorous specifications of PCI, HIPAA HITECH, SOC 2, and GDPR.

In addition to these technologies and procedures, Compliant Services customers are also given access to Dizzion’sAttestation of Compliance (AOC) documentation (also referred to as a Report on Compliance, or ROC).This documentation is the result of Dizzion’s yearly third-party audits to ensure compliance with PCI DSS, HIPAA HITECH, SOC 2 Type II, and GDPR. These documents can help a Dizzion customer prove to an auditor that the services being used at Dizzion meet applicable compliance standards.

SERVICE FEATURES

Components Included in a compliant PCVDC include:

• Compliant Dedicated HA Firewalls

• Compliant Dedicated HA Security Gateway Servers

• Compliant Dedicated HA ConnectionServers

• Compliant Dedicated HA Active Directory Servers

• Compliant Dedicated HA Load Balancers

• Compliant Dedicated HA Security Incident and Event Management (SIEM) Instance

• Compliant Dedicated HA Log Management System (LMS)

• Compliant Dedicated HA File Integrity Monitoring (FIM)

• Compliant Dedicated HA Intrusion Detection/Protection Systems (IDS/IPS)

In addition to these components, Dizzion performs periodic external penetration testing and vulnerability scanning of the customers PCVDC (as required by applicable compliance standards) and employs more than 100 audited process and controls specific to desktop delivery, maintenance and enduser desktop management. All Compliant Services customers also receive 24/7 security monitoring and alerting from our Security Operations Center.

ADDITIONAL INFORMATION REGARDING PCI DSS

Dizzion offers PCI compliant services that conform to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a proprietary information security standard administered by the PCI Security Standards Council and applies to any business that processes credit or debit card transactions, or that stores, processes or transmits cardholder data. Dizzion is a PCI DSS3.2 Level 1 Service provider, the highest level of assessment available.Dizzion’s PCI Attestation of Compliance (AOC) satisfies the Tier 1 validation level and typically helps clients meet more than 65% of PCI requirements.Dizzion’s Managed DaaS service with Compliant Services has been verified by Coalfire, an independent Qualified Security Assessor (QSA), as meeting PCI DSS compliance standards.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 15 of 41

A PCVDC with Compliant Services protects your Dizzion desktop environment by providing coverage and audit responsibilities for the following (not an exhaustive list):

PCI Component	Customer Benefit	PCI Section/Requirement
Security Information and Event Management (SIEM)	Aggregation of all alerts & logs from each security monitoring point for real time correlation of events.	Section 10 Control 10.6.1 Section 11 Control 11.4
Log Management Service (LMS)	Collects logs from all security devices and services for analysis and review.	Section 10 Controls 10.5.4, 10.6, 10.6.1, 10.6.2
File Integrity Management	Captures changes and provides alerts based on changes to monitored files.	Section 10 Control 10.5.5 Section 11 Control 11.5
Intrusion Detection Systems & Intrusion Prevention Systems (IDS/IPS)	Detects, alerts, and prevents known network attacks and breaches.	Section 11 Control 11.4
Multi-Factor Authentication (MFA)*	Secondary authentication method beyond username & password.	Section 8 Control 8.3
Penetration Testing	Testing for exposure from inside & outside the service boundary.	Section 11 Controls 11.3, 11.3.1, 11.3.2, 11.3.3
Vulnerability Scans	Scan both internally & externally to the service boundary for vulnerabilities.	Section 11 Controls 11.2, 11.2.1, 11.2.2, 11.2.3
Antivirus (AV)	Up to date and actively monitored antivirus, not just installed and ignored.	Section 5 Controls 5.1, 5.1.1, 5.2, 5.3
Change Management	All changes go through review and approval processes to assess impacts on security and compliance as well as stability and performance.	Section 1, Section 2, Section 8, Section 9, Section 1, Section 11, Section 12
Physical Security	Any access to the physical infrastructure (servers/hardware) is secured by badges and biometric readers and CCTV cameras that record all activity.	Section 9
Policy & Procedures	Policies and strict step-by-step procedures surround every detail of how the service is operated, maintained and tested on a regular basis.	Section 1, Section 2, Section 4, Section 5, Section 7, Section 8, Section 9, Section 10, Section 11, Section 12
Notes: * Multi-Factor Authentication technologies are not included as part of Complaint Services but are available from Dizzion as an add-on service. Dizzion can also integrate many third-party MFA technologies into the service if licenses are provided by a customer.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 16 of 41

ADDITIONAL INFORMATION REGARDING HIPAA AND HIPAA HITECH

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a non-prescriptive compliance framework created by the USGovernment designed to protect a patient’s electronic healthcare record. The HITECH Act, enacted as a part of the American Recovery and Reinvestment Act (ARRA) of 2009, builds upon HIPAA requirements, mandating the disclosure of data breaches of personal health records, including those by business associates, vendors and related entities.

Under these regulations, service providers such as Dizzion are considered business associates. The BusinessAssociate Addendum (BAA) is a contract required between service providers and healthcare organizations under HIPAA rules. As part of our service, Dizzion will enter into a BAA with our HIPAA compliant customers.

Dizzion’s Managed DaaS Service with Compliant Services has been verified by Coalfire, an independent QualifiedSecurity Assessor (QSA), as meeting HIPAA HITECH compliance standards.

A PCVDC with Compliant Services protects your Dizzion desktop environment by providing coverage and audit responsibilities for the following (not an exhaustive list):

Control	Audit Responsibilities
SECURITY MANAGEMENT PROCESS §164.308(A)(1)	Security policy, change control, risk analysis, risk management, incident response, configuration management and vulnerability management
WORKFORCE SECURITY §164.308(A)(3)	Background checks, onboarding and termination, acknowledgment and awareness procedures
INFORMATION ACCESS MANAGEMENT §164.308(a)(4)(i)	Access authorization
SECURITY AWARENESS TRAINING §164.308(a)(5)(i)	Security reminders, protection from malicious software, password management, log-in monitoring
SECURITY INCIDENT PROCEDURES §164.308(a)(6)(i)	Response and reporting
CONTINGENCY PLAN §164.308(a)(7)(i)	Data backup plan, disaster recovery plan, emergency mode operations, testing and revision procedures, application and data criticality analysis
EVAULATION §164.308(a)(8)	Required technical and non-technical
BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS §164.308(b)(1)	Identify entities that are Business Associates under the HIPAA Security Rule, written contract or other arrangement, establish process for measuring contract performance and terminating the contract if security requirements are not being met, implement an arrangement other than a Business Associate Contract if reasonable and appropriate
FACILITY ACCESS CONTROLS §164.310(A)(1)	Conduct an analysis of existing physical security vulnerabilities, identify corrective measures, develop a facility security plan, develop access control and validation procedures, establish contingency operations procedures, maintain maintenance records

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 17 of 41

DEVICE AND MEDIA CONTROLS §164.310(D)(1)	Hardened provisioning, performance reporting and configuration management
ACCESS CONTROL §164.312(A)(1)	Ensure that all system users have been assigned a unique identifier, develop access control policy, automatic logoff and encryption and decryption
AUDIT CONTROLS §164.312(B)	Determine the activities that will be tracked or audited, select the tools that will be deployed for auditing and system activity reviews, develop and deploy the information system activity review/audit policy, develop appropriate standard operating procedures, implement the audit/system activity review process
INTEGRITY §164.312(C)(1)	Identify users who have been authorized to access EPHI, identify any possible unauthorized sources that may be able to intercept the information and modify, develop the integrity policy and requirements, implement procedures to address these requirements
PERSON OR ENTITY AUTHENTICATION §164.312(d)	Identify any possible unauthorized sources that may be able to intercept and/or modify the information, develop and implement transmission security policy and procedures, implement integrity controls, implement encryption
TRANSMISSION SECURITY §164.312(e)(1)	Integrity controls, encryption
BUSINESS ASSOCIATE CONTRACTS OR OTHER ARRANGEMENTS §164.314(a)(1)	Contract must provide that business associates adequately protect EPHI, contract must provide that business associate’s agents adequately protect EPHI, contract must provide that business associates will report security incidents, contract must provide that business associates will authorize termination of the contract if it has been materially breached, government entities may satisfy business associate contract requirements through other arrangements, other arrangements for covered entities and business associates
POLICIES AND PROCEDURES §164.316(a)	Policy and procedure documentation requirements
DOCUMENTATION §164.316(b)(1)	Time limit, availability, updates
NOTIFICATION BY A BUSINESS ASSOCIATE §164.410(a)	Timeliness of notification, content of notification

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 18 of 41

ADDITIONAL INFORMATION REGARDING SOC 2 TYPE II

Dizzion’sManaged DaaS Service with Compliant Services has been verified by Coalfire, an independent QualifiedSecurity Assessor (QSA), as meeting SOC 2 Type II compliance standards. This audit is performed each year.

Dizzion’s SOC 2 report verifies to customers thatsubscribe to Dizzion’s Compliant Services that Dizzion is deliveringthese services in accordance with best practices in the following applicable trust services areas:

Security: Information and systems are protected against unauthorized access,unauthorized disclosure of information,and damage to systems that could compromise the availability or confidentiality of information or systems and affect the entity'sability to meet its objectives.

Availability: Information and systems are available for operation and use to meet the entity's objectives.

Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

GeneralData Protection Regulation, or GDPR, is a comprehensive data privacy regulation adopted by the EuropeanParliament in 2016 that became enforceable in May 2018. Following the UK’s exit from the EU, the UKadopted the EU’s GDPR, with some minor adjustments. Both regulations apply toall organizations that collect, process, or store private information pertaining to residents of the EU or the UK, regardless of whether theorganization is locatedin Europe or the UK. The GDPR codifies the basic rights of EU and UK residents (data subjects),which include:

1. The right to be informed about what data the organization is collecting and processing, and for what purposes.

2. The right to obtain confirmation that this data is being processed and to be provided access to the data that the organization is processing on the data subject’s behalf.

3. The right to amend this data.

4. The right to request that this data be deleted.

5. The right to change the data subject’s elections regarding collection and processing of private data.

6. The right to port the data subject’s data to another competing organization.

GDPR defines additional responsibilities on thepart of data processors and controllers regarding breach notification, security, and other activities.

Dizzion’sManaged DaaS Service with Compliant Services have been verified by Coalfire, an independentQualified Security Assessor (QSA), as meeting GDPR compliance standards.

WHAT YOU SHOULD EXPECT

Customers who subscribe to Dizzion Compliant Services are eligible to receive Dizzion’s audit reports(Attestations of Compliance) showing Dizzion’s compliance with PCI DSS, HIPAA HITECH, SOC 2, or GDPR as applicable. Customers who are subject to PCI DSS compliance are eligible to receive Dizzion’s PCI ResponsibilitiesMatrix that details the party responsible for each PCI control within the standard (and is a requirement of service providers who provide PCI compliant services). Customers subject to HIPAA compliance are eligible to receive a similar document that delineates responsibility for the party responsible for HIPAA controls within the standard (although not required by HIPAA).

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 19 of 41

Compliant Services are added to a customer environment during deployment time of that environment and can add 1-2 weeks to the deployment time for that environment. Please note that Dizzion’s Compliant Services must be purchased at the same time as the PCVDC on which they will be run. Compliant Services cannot be added to an existing non-compliant PCVDC.

HOW DO WE CHARGE?

Compliant Services are purchased separately, as an add-on item to the virtual desktops they support and priced on a per-desktop basis. Compliant Services consist of a one-time, non-recurring cost (NRC), and a monthly recurring cost (MRC). Non-Recurring Costs (NRC) for Compliant Services include:

Deployment and initial configuration of:

• Compliant PCVDC

• Compliant services (FIM, SIEM, LMS, IDS/IPS, & Audit Reports)

• Audit Reports

• Compliant Internal and External NetworkScanning & Penetration Testing

• Vulnerability Management and remediation with the Operating System

• 24/7 Security Monitoring, Alerting and Security Operations Center Monthly Recurring Costs (MRC) for Compliant Services include:

• 24/7 Security Operations Center

• Annual audit reporting for Dizzion services

• Operation,management and monitoring of compliant components (FIM, SIEM, LMS, IDS/IPS)

• Ongoing licensing costs and management for compliant components

DIZZION RESPONSIBILITIES

SETUP:

• Compliant dedicated: HA Firewalls, HA Security Servers, HA Connection Servers, HA Active Directory Servers, HA Load Balancers, SIEM Instance, LMS, FIM, IDS/IPS.

• Internal and external network scanning configuration.

• Change procedure implementation in audited compliant process.

ONGOING:

• 24/7/365 security operations center for monitoring and management.

• Monitoring, management, ongoing updates and configuration changes to all included compliant PCVDC components.

• All licensing components related to compliant PCVDC components.

• Provide annual Audit Reports for Dizzion provided compliant services

• Results from quarterly penetration tests

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 20 of 41

CUSTOMER RESPONSIBILITIES

SETUP:

• Work with Dizzion to provide any required application considerations for security tuning/configuration.

• Provide resources to implement any security related items that require integration with Dizzion or third-party networks.

• Ensure all security configurations, processes and procedures are in place based on the delineation of responsibilities as provided in Dizzion documentation or discussed with Dizzion security team.

ONGOING:

• Any items required for security or compliance that are not provided by Dizzion.

• Inform Dizzion of any application or network changes that affect compliance and or network configurations.

• Ensure all customer responsibilities as communicated are kept current, maintained and followed.

• Work with Dizzion to support any Dizzion related updates, changes, or fixes.

COMPLIANCE

With Compliant Services added to your Managed DaaS service, Dizzion provides coverage and audit responsibilities for all the items described in this section. As stated previously, Compliant Services customers are given access to Dizzion’s Attestation of Compliance (AOC) documentation. This documentation is the result of Dizzion’s yearly third-party audits to ensure compliance with PCI DSS, HIPAA HITECH, and SOC 2 Type II. These documents can help a Dizzion customer prove to an audit or that the services being used at Dizzion meet applicable compliance standards.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 21 of 41

ARCHITECTURE

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 22 of 41

6 Application Streaming

Dizzion offers application streaming services as an alternative to, or an augmentation of a virtual desktop deployment.Application Streaming can provide an economical solution if end users only need access to a single application and not a full Windows desktop.Application streaming also allows IT to manage application settings, make security changes and update applications easily, without touching each individual desktop.

SERVICE DESCRIPTION

Application streaming is a software technology that centrally hosts applications in a data center or cloud and delivers (or streams)them to an end user’s device or virtual desktop, allowing users to access resources that have not been installed or configured on their local device. A major benefit to application streaming is that applications can be centrally managed (like Golden Images). Application configurations, updates, and patches can be performed on a single application instance and the need to “touch” many end user devices or virtual desktops can be removed. This“one-to-many” model of providing applications provides IT organizations with increased application density as well as centralized administration and simplified management of applications.

Another challenge some customers face is continuing to support legacy applications, often after OEM support has ended. These legacy applications can require specialized third-party software or plugins to remain intact, and the failure to do so can cause application instability. ApplicationStreaming can allow many legacy applications to continue to run as intended and eliminate much of the hassle associated with keeping them functional. Application Streaming also allows multiple versions of the same application to coexist on a single cloud desktop, eliminating the need for multiple cloud desktops. This simplifies the end user's desktop and application experience and allows them to be more efficient.

By streaming applications to a Dizzion virtual desktop, Dizzion allows customers to keep Golden Images more manageable. Application Streaming can help to reduce the number of GIs needed and improve the ability to granularly control application access.

SERVICE FEATURES

Dizzion offers several different Application Streaming methods, all of which can be tailored to meet specific customer needs. During an application discovery process, we determine which Application Streaming method fits most appropriately. There’s no need for you to understand all of the technical jargon– we simplify the ordering process by providing this service with standard rates, and ordering is straightforward and easy.

WHAT YOU SHOULD EXPECT

Dizzion works closely with our customers to build an Application Streaming solution that will enable the most optimized and performance driven application experience available. Customers will benefit from the overall ease of application management, decreased deployment times, increased licensing control and avoiding application compatibility issues, just to name a few.

Standard time frame for deployment is 3-5 days to provide App streaming server to customer for application installation. Customer will then need to install applications and Dizzion and customer will schedule testing and tuning session which typically takes a few hours to perform.

HOW DO WE CHARGE?

Dizzion’s Application Streaming Service has both a Non-Recurring Charge (NRC) and a Monthly Recurring Charge (MRC). The NRC includes the setup and use of Application Server(s) and often the base Operating System licensing to deliver the application. The MRC includes server resources, end user access to the applications, ongoing licensing costs, system monitoring and reporting. The application streaming MRC and the End User access rates are kept separate so applications can scale as well as the number of end users with access to them.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 23 of 41

DIZZION RESPONSIBILITIES

SETUP:

• Provide customers with access to a patched and secured application server for third-party application installation

• After application installation is complete, Dizzion will promote the application server into User Acceptance Testing (UAT)

• Upon a successful UAT period and customer approval, the application will be promoted into production

ONGOING:

• Provide continuous real-time monitoring of each application server

• Troubleshoot any functionality, reliability, security and performance concerns with customer

• Alert the customer in the event of a failure or change in the environment

• Provide 24/7/365 email and phone support to the customer

• Maintain and apply computer control changes

CUSTOMER RESPONSIBILITIES

SETUP:

• Install applications and plugins on the application server

• Create a new Active Directory Security Group to manage users accessing Dizzion's Cloud Delivered services

• Provide users and support for (UAT)

ONGOING:

• Open service desk tickets for ongoing maintenance of applications

• Open service desk tickets for application or user access issues

• Provide users for UAT applications and updates

• Patch/Update applications as required

COMPLIANCE

Although Application Streaming services are deployed in a secure manner, they have not been audited for any specific compliant standard and may be missing components required to meet certain compliance requirements. For organizations that require compliance (i.e., PCI DSS, HIPAA, SOC 2, etc..), Dizzion offers several different third-party audited, Compliant PCVDC packages. See section 5, “Compliant Services” for more information about achieving industry compliance within your Dizzion services.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 24 of 41

ARCHITECTURE

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 25 of 41

7 Cloud Burst

Cloud Burst is a Dizzion service that enables organizations to deploy virtual desktops “on-demand” to accommodate unexpected or unplanned increases in user demand, or to facilitate a business continuity plan.

SERVICE DESCRIPTION

Cloud Burst allows an organization to keep a pre-determined number of Dizzion virtual desktops on reserve and use them on an on-demand, temporary basis. Cloud Burst desktops are provisioned in a fraction of the time it takes to deploy standard steady-state desktops, allowing these resources to quickly be made available to endusers. When the additional demand drops, or is no longer required, Cloud Burst desktops can be put back in to“standby” mode, until the next time they are needed.

Cloud Burst virtual desktops can be built in the same environment (i.e., the same PCVDC) as an organization’s existing virtual desktops, or in a separate PCVDC. In the same PCVDC, Cloud Burst is an effective method to ensure that desktops are available during the need for a temporary increase in capacity. In a separate PCVDC, Cloud Burst can be an effective strategy for a business continuity plan. In either scenario, Cloud Burst resources can be protected by the same controls and policies that are already in place to meet security and compliance requirements, govern individual user groups, and secure existing desktop pools.

Cloud Burst is intended as a method to temporarily provide additional capacity in the event of an unexpected, unplanned, or short-term event. It is not intended as a method to accommodate planned increases in user capacity due to seasonal business cycles, short-term projects, or other events that require additional desktop capacity for extended periods of time.

SERVICE FEATURES

Cloud Burst desktops and applications are available with the same resource configurations (i.e., vCPU, RAM, HDD) as Dizzion’s standard virtual desktop and application offerings - Dizzion recommends that an organization’sCloud Burst desktops match the configurations of their production desktops.Golden Images in an organization’s primary production PCVDC can be shared with their Cloud Burst desktops. Cloud Burst desktops can be provisioned into existing production desktop pools, or into separate desktop pools.

Cloud Burst desktops can be configured to automatically provide additional capacity when needed. As the system identifies a need for additional capacity, Cloud Burst begins spinning up additional desktops automatically to handle the increased demand.

HOW WE CHARGE

Cloud Burst desktops and applications have an NRC(Non-Recurring Charge) for setup and configuration, a MRC (Monthly Recurring Charge) for desktops in their “standby” state, and a DUC (Daily Utilization Charge) which applies only during the time that Cloud Burst desktops have been promoted to a “ready” state (i.e. available for user connection).

Dizzion services for Cloud Burst include hardware and resource capacity, hardware maintenance, licensing and ongoing maintenance of the virtualization software, OS management and monitoring, security services and configuration support.Cloud Burst desktops are licensed per desktop.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 26 of 41

Note: Cloud Burst desktops are intended to be kept in a “standby” state until they are needed, however, 10% of the total number of Cloud Burst desktops, or 5 desktops (whichever is greater) are required to be powered on and available for user connection at all times. This allows Dizzion to continuously monitor the environment to ensure it is operational at all times. These “always-on” desktops are priced at the MRC (Monthly Recurring Charge), and not subject to a DUC (Daily Utilization Charge).

WHAT YOU SHOULD EXPECT

Organizations can expect to have the ability to burst up to their total number of Cloud Burst desktops stated in their contract.

The standard time frame for the implementation of Cloud Burst desktops in an existing PCVDC from an existing golden image is 3-5 business days from receipt of executed MSA, Order Form and completed Deliverables Document. The implementation of CloudBurst desktops in a new PCVDC with a new golden image follows the standard implementation time frame for new PCVDC builds, usually 4-8 weeks depending on services chosen.

DIZZION RESPONSIBILITIES

SETUP:

• Allocate resources necessary to install Cloud Burst desktops.

• Create Cloud Burst desktops from Golden Image(s).

• Assign Cloud Burst desktops to desktop pool(s).

• Configure monitoring and reporting for Cloud Burst desktops.

ONGOING:

• Capacity management.

• Patches and updates for the Cloud Burst Windows OS, antivirus and anti-malware (Managed DaaS subscribers only).

CUSTOMER RESPONSIBILITIES

SETUP:

• Assist with customer-side network and Active Directory configurations (if required).

• Application installation on the Golden Images used for Cloud Burst desktops.

ONGOING:

• Updating applications on the GI used for Cloud Burst desktops.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 27 of 41

COMPLIANCE

Cloud Burst desktop scan be deployed in a compliant or non-compliant PCVDC, with all the features, security and compliance controls available from Dizzion within a PCVDC. Cloud Burst resources can be protected by the same controls and policies that are already in place in a customer’s production environment to meet security and compliance requirements, govern individual user groups, and secure existing desktop pools.

ARCHITECTURE

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 28 of 41

8 Web Content Filtering

Web Content Filtering is an optional Dizzion service that allows an organization to block access from Dizzion virtual desktops or applications to web content that may be deemed offensive, inappropriate, or otherwise objectionable.

SERVICE DESCRIPTION

Web ContentFiltering allows an organization to establish rules about the types of websites that may be visited by end users when using a Dizzion virtual desktop or application. Using keywords or other commonalities between sites, content is grouped into categories - such as sports, gambling, adult, streaming, and so on - and those sites in undesirable categories can be blocked. This service can enable organizations to enforce acceptable use policies (AUPs) for users of Dizzion virtual desktops and applications.

SERVICE FEATURES

Dizzion’s Web Content Filtering service provides the following:

• URL filtering for 120+ categories, languages for 200+ countries, and 99.9% of the active web

• Filtering includes YouTube categories, app categories, translation services, and safe search

• Custom web filtering categories, plus allow and deny lists(whitelist/blacklist) In addition, the service provides:

• Silent Ad Blocking - Blocks web pages from connecting to ad servers for banners, ads, videos, pop-ups, and other elements, including analytical trackers and widgets from social media.

• Dynamic Web Page Categorization - Uses machine-learning analysis to dynamically rate new and unknown web page content for 70+ categories in 16 languages.

• Custom Categories - Allows administrators to define custom categories, and URL include or exclude lists (whitelist/blacklist).

• Security Risk Categories - Prevents known threats and delivers immediate insights into the type of specific security risks, with 16 granular risk categories. Examples include Botnets, Phishing/Fraud, DGA Detection, and Malware Call-home security risks.

• Monitoring andReporting - Allows administrators to view details about user activity, including policies that are triggered, the users who have triggered policies, the device(s) they were using, as well as information about the website to which access was attempted, and source and destination IP.

HOW WE CHARGE

Web Content Filtering has an NRC (Non-Recurring Charge) for setup and configuration and an MRC (MonthlyRecurring Charge) for the ongoing service. Dizzion services for Web Content Filtering include the operation and maintenance of the servers, software, licensing, network configuration, integration with the Dizzion virtual desktop or application service, and maintenance and support of the client software on the virtual desktop image. Web ContentFiltering is licensed per user.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 29 of 41

WHAT YOU SHOULD EXPECT

Organizations can expect to designate administrators who will have the ability to access, view, and modify content filtering rules. Rules can be modified as needed, by the customer, without the need to submit a service ticket or request permission from Dizzion.

The standard time frame for the implementation of Web Content Filtering in an existing PCVDC from an existing golden image is 3-5 business days from receipt of executed MSA, Order Form and completed Deliverables Document. The implementation of Cloud Burst desktops in a new PCVDC with a new golden image follows the standard implementation time frame for new PCVDC builds, usually 4-8 weeks depending on services chosen.

DIZZION RESPONSIBILITIES

SETUP:

• Installation and initial configuration of the Web Content Filtering service

• Customer training (for administrators)

ONGOING:

• Monitor and maintain the Web Content Filtering service and infrastructure

CUSTOMER RESPONSIBILITIES

SETUP:

• Assist with customer-side Active Directory configurations

• Perform initial configuration of the service (setup content filtering rules)

ONGOING:

• Responsible for updating allowed/blocked categories, whitelists, and blacklists.

COMPLIANCE

Web Content Filtering can be deployed in a compliant or non-compliant PCVDC. As of the creation of this document(November 2022), Web Content Filtering is not an explicit requirement for any compliance standards for which Dizzion is audited (PCI, HIPAA, SOC 2, or GDPR). Even so, many organizations choose to leverage WebContent Filtering to increase security or enforce Acceptable Use Policies (AUPs).

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 30 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

ARCHITECTURE

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 31 of 41

9 zLink BYOD

Dizzion’s zLink offerings consist of endpoint management tools that reduce risk and improve the security posture of PCs, laptops, or other endpoint devices that access the Dizzion cloud. Organizations that have compliance requirements, are concerned with security at the endpoint, or want to offload endpoint management tasks to Dizzion can benefit from zLink.

SERVICE DESCRIPTION

zLink BYOD is a downloadable software package that an end user installs on their own PC. zLink BYOD enables IT to deliver secure, policy driven, temporary workspace environments on personally owned Windows-based end point devices and is typically used to support end users that use their personal devices (BYOD) to connect to the Dizzion service.

Before allowing the user to connect to the Dizzion service, zLink BYOD performs several security checks on the user’s personal device, including:

• Antivirus and anti-malware validation (ensures AV is installed and up to date)

• Windows security patch validation (ensures the latest security patches are installed)

• Windows firewall validation (ensures firewall is enabled)

• Wired network validation (ensures a hard-wired network connection)

• Physical machine validation (verifies that the software is not running in a VM)

These, and other security checks can be configured based on the type of compliance required or the security focus of a given organization. Once the user’s endpoint passes these security checks, zLink provides them with secure access into the Dizzion cloud, while temporarily disabling access to their local Windows OS. The user’s device is only locked down for the duration of the secure session, and full control is returned to the user once they logout. In addition, zLink BYOD leverages Application Execution Prevention (AEP)and Service Execution Prevention (SEP) so that IT can be sure that end users aren’t running applications or services on their local machine that aren’t approved by IT while they are connected to their secure Dizzion workspace. zLink BYOD does not require a user to reboot, dual-boot, or boot from an external USB device. zLink BYOD supportsWindows endpoints only.

SERVICE FEATURES

The zLink BYOD service is activelymanaged by Dizzion, which allows for the remote enforcement of security andpolicy control.Dizzion remotely updates software, provides security controls and remotely wipes any data in thecase of loss or theft - services are provided 24/7/365, and included in theservice fee. Dizzion works with each customer to disable or enable device functions such as mapping USB ports, wireless network connections orBluetooth on a per-usecase basis (making it a simpler task to achieve PCI, HIPAA, and other compliancestandards).

The zLink BYOD service Includes:

• Software Support

• Remote Lock and Wipe

• Device Certificate Management (authenticates the device to the company)

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 32 of 41

HOW WE CHARGE

Each zLink option has an NRC (Non-Recurring Charge) for setup and configuration and an MRC (Monthly Recurring Charge), which includes management and monitoring, security services, software, and configuration support. zLink is licensed per user.

WHAT YOU SHOULD EXPECT

Dizzion will provide a link to down load the zLink software, access to installation instructions, and a setup guide. Customers are responsible for distributing the software to end users as well as providing support for end users during the installation and setup process. Dizzion will provide technical support (tier 2 and) to customer IT staff during the service period. zLink BYOD supports Windows endpoints only and requires:

• Windows 10 or higher

• x86-64bit CPU running at 1GHz or greater

• 4GB RAM

zLink BYOD software downloads are available within five business days after receipt of an order.

DIZZION RESPONSIBILITIES

SETUP:

• Provide URL for zLink BYOD software download

• Configure software and security controls to meet customer policy requirements

ONGOING:

• Manage, update, patch, and maintain zLink software.

• Maintain zLink policy control systems.

• Update zLink operating system and security policies when needed.

CUSTOMER RESPONSIBLITIES

SETUP:

• Advise Dizzion of any security or compliance controls to be applied to zLink devices

• Distribute zLink devices or software to end users

ONGOING:

• Advise Dizzion of any required changes to security controls

• Distribute zLink BYOD software to end users

• Revoke access for devices on which zLink software is installed that is reported to be compromised or stolen

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 33 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

COMPLIANCE

Security controls are enforced on zLink software that help meet many compliance controls required by PCI, HIPAA, SOC 2 and others. The use of zLink in conjunction with Dizzion Compliant Services can help customers meet compliance requirements down to the endpoint. Dizzion’s zLink BYOD service is within the scope of Dizzion’s PCI, HIPAA, SOC 2, and other applicable compliance audits. Dizzion can provide Attestations of Compliance(AOCs) that include zLinkBOYD upon request.

ARCHITECTURE

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 34 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

10 Private Network Connections

Private Network Connections are a common component of many Dizzion customer environments. These services enable a secure network connection between Dizzion’s cloud services and a customer’s on premise, cloud, or private network environment.

SERVICE DESCRIPTION

Many Dizzion customers choose to implement a private network connection (either physical or virtual) between their Dizzion cloud environment and their datacenter, or another cloud location owned by the customer. This enables secure/encrypted access from a customer’s Dizzion environment to authentication services, applications, or data that may reside on the customer’s network.

Dizzion offers a few methods to establish private network connections, the most common are described here.

VPN

Dizzion can support an IPSec VPN tunnel for customers that do not require a dedicated physical connection into their Dizzion service. This is the most common connection type chosen by Dizzion customers due to the low cost and ease of configuration. An IPSec VPN allows a customer a virtual, secure data pipe over a standard internet connection. Customers can choose between a highly available (HA) or non-HA configuration for the VPN deployment. Support for an HA VPN tunnel requires support and knowledge of BGP configurations on the customer side.

SD-WAN

Dizzion offers a Managed SD-WAN service that utilizes the public internet to provide MPLS like priority queuing, redundancy and traffic management. Dizzion can provide SD-WAN services in both physical and virtual deployment models. As a fully managed DataConnection Service,Dizzion’s SD-WAN service provides services for implementation, configuration, operation and maintenance, as well as any physical equipment required.

Dizzion’s managed SD-WAN service can allow a customer to focus on the more important aspects of their business rather than network operations.

Customers can also choose to use an existing SD-WAN implementation with their Dizzion service, by providing Dizzion with physical or virtual SD-WAN appliances to be put into the Dizzion cloud. Virtual appliances are highly encouraged due to the need for physical rack space, Direct Connect fees, and remote hands services that are required with physical appliances. Other complications may exist when implementing physical devices.

EQUINIX CLOUD EXCHANGE (ECX)

Dizzion offers Data Connection Services via Equinix Cloud Exchange to customers who subscribe to this Equinix service. Dizzion can provide a private token to the customer via the Equinix portal and will work with the customer to configure IP addressing, routing configurations and other requirements prior to deployment. ECX services do not require physical cross connects to the Dizzion service, however additional charges for a DizzionDirect Connect are required with any ECX connection.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 35 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document publishedNovember 2022.

DIRECT CONNECT

Dizzion offers customers the ability to connect from a physical source to your Dizzion cloud deployment using a“Dizzion Direct Connect”. This service provides the private physical connection between Dizzion’s physical networking layer to your individual Dizzion cloud deployment and is required for ECX, MPLS, Cross Connects, or any other physical network ingress or egress to the Dizzion service.Dizzion Direct Connect is not required if you are utilizing a Dizzion provided VPN, SD-WAN and/or a virtual network appliance deployed within yourDizzion environment.

DATACENTER CROSS-CONNECT

Dizzion supports data connections to a customer’s environment via dedicated physical cross-connect circuits for customers who are a tenant in the same data center(s) as a Dizzion deployment. Cross connects can be delivered via either copper or fiber and also serve to facilitate a number of different types of other data connections (MPLS, SD-WAN, Cloud Exchange Networks, Point-to-Point, etc.), ensuring your business has the proper, most optimized access to your data and/or services. A physical cross connect may be required to extend a dedicated circuit (like MPLS) to one of Dizzion’s cloud environments.

SERVICE FEATURES

PrivateNetwork Connections can be deployed in standard or HA configurations, based on a customer’s uptime requirements. Dizzion will work with you to create a connectivity solution to meet your deployment needs.

Dizzion Solution Advisors and Network Architects will collaborate with your team to design the best solution based on your requirements.

WHAT YOU SHOULD EXPECT

Dizzion will install, configure and continuously monitor the Dizzion side of any network connection provided by Dizzion. We alert customers in the event of any network failure so that the issue can be quickly diagnosed and remediated. Customers are responsible for the contracting, configuration and management of any customer provided connection or portion of the connection.

The standard time frame for deployment of a VPN is 1 day after the PCVDC is delivered. The standard time frame for deployment of a cross connect is 10-15 days after orders are placed. However, additional time may be required based on the telecom provider if circuits and hardware are required.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 36 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

HOW WE CHARGE

Private Network Connections have a Non-Recurring Charge (NRC) and Monthly Recurring Charge (MRC). The NRC includes any physical hardware required as well as the installation and configuration of the connection. The MRC includes out-bound bandwidth from our data center (for VPN), as well as monitoring and ongoing maintenance of the Dizzion end of the connection.

DIZZION RESPONSIBILITIES

SETUP:

• Working with the customer to plan and implement the network connections, including IP addressing, Security Ciphers & Encryption Levels, and Routing protocols

• Physical implementation (Equipment installation, power, cabling, other physical requirements at Dizzion’sdeployment location)

• Any required LOA/CFA

• Working with data center provider on any required connection items or remote hands requirements

ONGOING:

• Ongoing Maintenance of the Dizzion connection components

• Ongoing Monitoring of the Dizzion connection components

• Working with the customer to re-establish connectivity when required

• Any required software, configuration, security, or hardware updates/upgrades required for Dizzion owned and solely managed items.

• Working with data center provider on any required connection items or remote hands requirements

CUSTOMER RESPONSIBILITIES

SETUP:

• Work with Dizzion to determine networking configurations including IP addressing, Security Ciphers, Encryption Levels, and Routing protocols

• Physical implementation (Equipment installation, power, cabling, other physical requirements at Customer’sdeployment location)

• Work with Telecom provider to order and deploy any required internet connectivity, circuits, or hardware

• Any required LOA/CFA

• Work with Dizzion to test and ensure network connectivity

ONGOING:

• Maintain customer side Internet connectivity and termination hardware

• Ongoing monitoring and maintenance of Customer connection components

• Work with Dizzion to re-establish connectivity when required

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 37 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

• Any required Software, configuration, security, or hardware updates/upgrades required for Customer owned and managed items.

• Notify Dizzion of any problems with connectivity or access to the Dizzion environment

• Notify Dizzion of any changes, issues or modifications of customer provided internet connection, IP addressing, etc.

COMPLIANCE

Private Network Connections are not inherently compliant in nature. Although all network traffic should be encrypted from a customer’s network to Dizzion, additional services may be needed to ensure adherence to specific compliant frameworks.

ARCHITECTURE

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 38 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

11 Persistent/Protected Storage

Many customers choose to purchase additional storage to increase the size of virtual hard drives on their virtual desktops or vApplication servers (a “vApplication Server” is a hosted Virtual Machine with a Microsoft Windows Server operating system, intended to provide Windows services to a customer’s Dizzion environment), or to add additional virtual hard drives to existing virtual desktops or vApplication servers. Additional storage can also be used to store user profile data when using profile management with the Dizzion service.

SERVICE DESCRIPTION

Persistent/Protected Storage is often used when a customer needs to increase the amount of local storage on a user’s cloud delivered desktop, provide additional storage to all desktops within a desktop pool, or when customers subscribe to profile management services and require an area to store user profile data.

Persistent/Protected Storage can also be used to create a virtual network-attached storage segment that can be accessed by end users in the same way that they would access a shared network drive. These storage options can provide persistent storage for user files, even in a non-persistent or shared desktop deployment.

SERVICE FEATURES

All options utilize Dizzion’s high performance storage to deliver industry leading performance. Storage IOPS (Inputs/Outputs per second) in the Dizzion cloud are five to ten times faster than what most other providers can offer, which is just one of the many things that makes Dizzion’s services out-perform other cloud-based virtual desktop services.

WHAT YOU SHOULD EXPECT

Dizzion offers flexible storage plans to fit the needs of a customized deployment. The standard time frame for deployment of additional storage is 1-3 days upon receiving an order (new deployments may require additional time).

HOW WE CHARGE

Persistent/Protected storage can be purchased in 500 GB increments. Storage can be purchased as a single large quantity, and then allocated across multiple virtual desktops, vApplication servers or file shares. Storage is available in a variety of speeds (IOPS);contact your Dizzion account representative to coordinate placing an order for additional storage.

Storage has an NRC (non-recurring cost) and an MRC (monthly recurring cost). The NRC includes allocating, configuring and delivering the storage to the correct users, while the MRC includes hardware maintenance, monitoring, upkeep and backup of the storage data.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 39 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

SETUP:

• Create a virtual storage platform

• Format and configure the new storage to meet the customer’s requirements

• Attach the new storage to cloud delivered desktops, file share or application server

• Per customer request

• Confirm with customer that the new storage configuration matches the solution's expectations

ONGOING:

• Maintain and upkeep the physical and virtual storage infrastructure

• Provide nightly backups of the storage data

CUSTOMER RESPONSIBILITIES

SETUP:

• Provide Dizzion with a list of how much storage should be allocated to which users, and/or what user groups should be granted access to any shared storage areas.

ONGOING:

• Contact Dizzion concerning any storage performance or capacity concerns

COMPLIANCE

Although deployed in a secure manner, Dizzion storage offerings have not been audited for any specific compliant standard and may be missing components required to meet certain compliance requirements. For organizations that require compliance (i.e., PCI DSS, HIPAA, SOC 2, etc ), Dizzion offers several different third-party audited,Compliant PCVDC packages. See section 5 “Compliant Services” for more information about achieving industry compliance within a PCVDC.

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 40 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

ARCHITECTURE

(888) 225-2974 | 600 17th St, Suite 2600S, Denver, CO 80202 | info@dizzion.com Page 41 of 41

© 2022 Dizzion, Inc. All rights reserved. Dizzion is a registered trademark of DizzionInc. Any confidential information contained in this document may not be used, published, or redistributed without the prior written consent of Dizzion, Inc. This document published November 2022.

Table of Contents

1 Overview and Description

2 Private Cloud Virtual Datacenter

SERVICE DESCRIPTION

SERVICE FEATURES

WHAT YOU SHOULD EXPECT

HOW WE CHARGE

DIZZION RESPONSIBILITIES

SETUP:

ONGOING:

CUSTOMER RESPONSIBILITIES

SETUP:

ONGOING:

COMPLIANCE

ARCHITECTURE

3 Cloud Delivered Desktops

SERVICE description

DAAS

Managed DaaS

SERVICE FEATURES

DESKTOP TYPES

Instant Clones

Full Clones

GPU SUPPORT

WHAT YOU SHOULD EXPECT

HOW WE CHARGE

DIZZION RESPONSIBILITIES

CUSTOMER RESPONSIBILITIES

COMPLIANCE

ARCHITECTURE

4 Golden Images & Desktop Pools

SERVICE DESCRIPTION

SERVICE FEATURES

WHAT YOU SHOULD EXPECT

FOR MANAGED DAAS CUSTOMERS ONLY

DIZZION RESPONSIBILITIES

SETUP:

ONGOING:

Customer responsibilities

Setup:

Ongoing:

Compliance

ARCHITECTURE

5 Compliant Services

SERVICE DESCRIPTION

SERVICE FEATURES

ADDITIONAL INFORMATION REGARDING PCI DSS

ADDITIONAL INFORMATION REGARDING HIPAA AND HIPAA HITECH

ADDITIONAL INFORMATION REGARDING SOC 2 TYPE II

ADDITIONAL INFORMATION REGARDING GDPR

WHAT YOU SHOULD EXPECT

HOW DO WE CHARGE?

DIZZION RESPONSIBILITIES

SETUP:

ONGOING:

CUSTOMER RESPONSIBILITIES

SETUP:

ONGOING:

COMPLIANCE

ARCHITECTURE

6 Application Streaming

SERVICE DESCRIPTION

SERVICE FEATURES

WHAT YOU SHOULD EXPECT

HOW DO WE CHARGE?

DIZZION RESPONSIBILITIES

SETUP:

ONGOING:

CUSTOMER RESPONSIBILITIES

SETUP:

ONGOING:

COMPLIANCE

ARCHITECTURE

7 Cloud Burst

SERVICE DESCRIPTION

SERVICE FEATURES

HOW WE CHARGE

WHAT YOU SHOULD EXPECT

DIZZION RESPONSIBILITIES

SETUP: