DATE OF LAST UPDATE: FEBRUARY 19, 2025

1. Purpose
   The Business Continuity Plan (BCP) outlines the policies and procedures that enable Finpace to respond effectively to significant business disruptions. It ensures the company can make financial and operational assessments, recover quickly, resume operations, and maintain seamless services for its customers.

2. Scope
   This policy encompasses:

• Business Continuity Plan (BCP)
• Business Impact Analysis (BIA)
• Disaster Recovery Plan (DRP)
• Disaster Management Procedures (as part of DRP)
  Finpace's BCP covers critical business aspects, including systems, infrastructure, customer service, and administration. A significant business disruption could be any event that threatens the company’s ability to deliver services, risking reputational harm.

3. About Finpace‍
   Finpace is a software-as-a-service (SaaS) platform specifically designed to streamline financial advisors' workflows. With advanced automation and compliance-focused tools, Finpace empowers advisors to deliver superior client experiences while reducing manual workloads.

4. Core Offerings

1. Automated Client Onboarding:
   
   • Finpace enables advisors to onboard clients accurately and compliantly in under 10 minutes, integrating secure data collection with a seamless user experience.
2. Ongoing Client Maintenance:
   
   • Handles compliance-related tasks like ADV and CRS disclosure deliveries, investment advisory contract updates, and automated client reviews.
   • Facilitates data sharing between clients and firm members through collaborative forms.
3. Email Automation:
   
   • Allows advisors to send on-brand emails, automate client reviews, and set up recurring communications for annual meetings and KYC updates.
4. Engagement Hub:
   
   • Centralizes all client interactions, ensuring tasks like email automation, client reminders, and disclosure compliance are efficiently managed.
5. Cloud-Based Operations:
   
   • Built on Amazon Web Services (AWS), Finpace guarantees security and reliability with 24/7 uptime, ISO 27001 certification, and a commitment to 99% platform availability.
6. Digital Onboarding and Compliance Automation:
   
   • Helps advisors focus on client relationships rather than manual processes by ensuring all onboarding and compliance requirements are met automatically.

5. Policies and Procedures‍
   ‍Business Continuity Planning Process‍
   The BCP is a dynamic document updated continuously to remain relevant and accurate. Steps include:

• Identifying and prioritizing critical processes.
• Assessing the business impact of potential disruptions.
• Establishing responsibilities and emergency arrangements.
• Training staff on emergency procedures.
• Regularly testing and updating the plan.

6. Business Impact Analysis
   Risk Assessment Framework‍
   Finpace employs a framework that evaluates the likelihood and impact of disruptions.

7. Impact
   Likelihood (Possible)
   Likelihood (Remote)
   Likelihood (Extraordinary)‍
   Significant
   3
   2
   1
   Critical
   6
   4
   2
   Catastrophic
   9
   6
   3

8. Recovery Objectives

• RPO (Recovery Point Objective): 8 hours.
• RTO (Recovery Time Objective):
  
  • Automated Onboarding: 1 business day.
  • Ongoing Maintenance: 1 business day.

9. Emergency Contacts and Roles‍
   The Information Security Management Committee (ISMC) is responsible for coordinating responses to disruptions.‍
   Name Forrest Tuten‍
   Position ISMC Chair‍
   Email team@finpace.com‍‍
   ‍Name Security‍
   Position ISM‍
   Email tech@finpace.com

10. Disaster Recovery Plan‍
    The Disaster Recovery Plan ensures risks are mitigated, disruptions are addressed promptly, and normal operations resume swiftly.‍
    Key Policies

• Incident Response Plan: Procedures for identifying, documenting, and responding to security events.
• Vendor Management Policy: Ensures third-party vendors meet high-security standards.
• Backup Policy: Continuous cloud-based backups allow for quick restoration of data.
• Remote Work Policy: Finpace’s employees operate remotely, reducing dependency on physical office spaces.
• Information Security Policy: Protects data accessed via mobile devices and during remote work.

11. Testing and Maintenance‍
    Annual testing ensures BCP effectiveness. The ISMC oversees testing, reviews results, and updates plans based on findings.‍
    Testing Objectives:

• Validate the ability to recover operations.
• Identify and address fail points.
• Update plans based on test outcomes.

12. Commitment to Clients and Security
    ‍Finpace is dedicated to providing uninterrupted services to its clients. Our platform’s design ensures compliance, automation, and scalability, making Finpace an indispensable tool for modern financial advisors.
    With proactive business continuity measures, Finpace protects its reputation, customer trust, and operational integrity in the face of potential disruptions.

13. Exhibit A: Business Continuity Test Report
    ‍Initiated On: <Date/Time with TZ>
    Completed On: <Date/Time with TZ>
    Test #: BCP Test-000_
    Test Leader: ()

14. Business Continuity Scenario Tested:
    <See Impact Scenarios in Business Continuity Plan that have a risk of Medium or above, e.g., Scenario #1 through #6, which are reproduced below:>

• A natural or man-made disaster at the primary data center cuts off outside access or results in critical data loss.
• A high level of user activity causes a non-malicious denial of service.
• A cyberattack disrupts the proper operation of information systems or results in data loss.
• Unintentional code or configuration errors disrupt information systems or result in data loss.
• A fraudulent act by an employee (or third party) disrupts systems or results in data loss.
• A zone at the hosting provider has been destroyed and can't be accessed.‍‍
  ‍

‍Anticipated Priority (if this was an actual disaster): High - P1, Medium - P2, or Low - P3
Anticipated Severity (if this was an actual disaster): High, Medium, or Low

Purpose
The purpose of this test is to facilitate planning, execution, review, and corrective action for scenarios impacting Finpace’s business continuity.

Test Details:

• Start Date/Time: <Date/Time with TZ>
• Finish Date/Time: <Date/Time with TZ>

Test Goals:

• Recovery Point Objective (RPO): 2 hours.
• Recovery Time Objective (RTO): 1 business day.
• Other Goals: Demonstrate ability to comply with communication deadlines.

Description of Test Scenario: <Describe the scenario, e.g., A tornado has hit the hosting provider’s data center in Virginia, rendering it non-operational.>

Method Chosen to Simulate Scenario:

Limitations of Testing Method: <Indicate any aspects of the scenario that could not be replicated, why, and their impact on the test.>

Performance of Disaster Recovery Plan:

Date/Time

Actor

Description

<Date/Time>

Test Leader

Example log entry.

<Date/Time>

Team Member

Actions taken during the test.

Communications Directory:

Date/Time

Actor

Person Contacted

Contact Info

<Date/Time>

Test Leader

Key Stakeholder

<Email>

<Date/Time>

Team Member

Vendor

<Email>

Post-Test Analysis

Actual Recovery Point: [The acceptable amount of data loss measured in time. For example, if a disaster occurs at 12:00pm and the RPO is one hour, the system should recover all data that was in the system before 11:00am and data loss spans only one hour.]

Actual Recovery Time: [Amount of time elapsed between start of test and recovery of applicable business component.]

Performance Relative to Other Goals:

Lessons Learned:

• Identify issues and recommend concrete improvements for future plans and processes.

Corrective Actions Taken:

• Document all adjustments made to the BCP or associated policies as a result of this test.

Other Action Items:

• Outline additional testing or training needed.

1. Circulate completed Business Continuity Test Report to ISMC and other relevant stakeholders.

‍