NTT Data securely builds software by following the DevSecOps Software Development Life Cycle based on the following principles:

• Teams involved in the coding are trained on application security and secure coding practices at least annually, which includes

• NTT Data EMEAL and NTT group cybersecurity team are involved in the development to support Eva's teams in security and vulnerability detection.

• eva’s code has been developed using secure software development lifecycle (SSDLC) best practices; in particular, eva’s team follows OWASP methodology; Security controls of the following areas are covered: 1) Information gathering; 2) Data validation; 3) Configuration Management; 4) Error handling; 5) Identity Administration; 6) Cryptography; 7) Authentication tests; 8) Business logic; 9) Authorization Tests; 10) Client tests; 11) Session Management; 12) Web services.

Penetration Testing

On at least an annual basis, eva undergoes professional penetration testing based on OWASP Top 10. Management addresses all vulnerabilities identified within defined timeframes based on severity level, which is determined using the Common Vulnerability Scoring System (CVSS).

Vulnerability Scanning

On at least a monthly basis, eva executes a vulnerability scan to detect vulnerabilities in eva components and libraries. Infrastructure is also scanned and analyzed in real-time with vulnerability management tools.

Static code analysis and Dynamic scans are performed along with manual security testing whenever there are code changes. Our dedicated Security engineers continuously work with engineering teams to remediate the identified security issues.

Different Dynamic and Static Application Security Testing (DAST and SAST) tools are used to conduct these scans. These tools may vary over time.

All docker images under support are periodically analysed to validate vulnerabilities with the dependencies that may appear. New images will be generated when critical vulnerabilities for the product are detected.

Dynamic Application Security Testing (DAST)

A summary of the DAST test report can be provided under NDA.

Static Application Security Testing (SAST)

A summary of the SAST test report can be provided under NDA.