REPORT ON MANAGEMENT’S DESCRIPTION OF PATRIOT MANAGED CARE

SOLUTIONS, INC’S SYSTEM AND THE SUITABILITY OF THE DESIGN OF

CONTROLS

September 30, 2011

 TABLE OF CONTENTS

SECTION 1 INDEPENDENT SERVICE AUDITOR’S REPORT ................................................2

SECTION 2 SERVICE ORGANIZATION’S ASSERTION ..........................................................5
PATRIOT MANAGED CARE SOLUTIONS, INC.’S ASSERTION .......................................... 6
SECTION 3 DESCRIPTION OF THE SYSTEM PROVIDED BY THE SERVICE
ORGANIZATION ....................................................................................................8
OVERVIEW OF OPERATIONS ............................................................................................. 9
Company Background ........................................................................................................ 9
Description of Services ....................................................................................................... 9
CONTROL ENVIRONMENT ................................................................................................ 10
Integrity and Ethical Values .............................................................................................. 10
Commitment to Competence ............................................................................................ 10
Management’s Philosophy and Operating Style ............................................................... 11
Organizational Structure and Assignment of Authority and Responsibility ....................... 11
Human Resource Policies and Practices.......................................................................... 11
RISK ASSESSMENT ........................................................................................................... 11
CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES ................................... 12
MONITORING ...................................................................................................................... 15
INFORMATION AND COMMUNICATION SYSTEMS ......................................................... 15
Information Systems ......................................................................................................... 15
Communications Systems ................................................................................................ 15
COMPLEMENTARY USER ORGANIZATION CONTROLS ................................................ 15
SECTION 4 OTHER INFORMATION PROVIDED BY MANAGEMENT .................................. 17
CONTINUITY OF OPERATIONS ......................................................................................... 18

Proprietary and Confidential 1

 SECTION 1

INDEPENDENT SERVICE AUDITOR’S REPORT

Proprietary and Confidential 2

 INDEPENDENT SERVICE AUDITOR’S REPORT ON A DESCRIPTION OF A SERVICE
ORGANIZATION’S SYSTEM AND THE SUITABILITY OF THE DESIGN OF CONTROLS

To: Patriot Managed Care Solutions, Inc.:

We have examined Patriot Managed Care Solutions, Inc.’s (hereafter may be referred to as “Patriot” or
the “Service Organization”) description of its Patriot application and supporting services (the system) for
processing user entities’ transactions as of September 30, 2011, and the suitability of the design of
controls to achieve the related control objectives stated in the description.

Patriot uses a third-party hosting provider (hereafter may be referred to as the “subservice organization”)
to host the technology infrastructure used by the system. The description on pages 8-16 includes only
the controls and related control objectives of Patriot and excludes the control objectives and related
controls of the subservice organization. Our examination did not extend to controls of the subservice
organization.

The description indicates that certain control objectives specified in the description can be achieved only
if complementary user entity controls contemplated in the design of Patriot’s controls are suitably
designed and operating effectively, along with related controls at the service organization. We have not
evaluated the suitability of the design or operating effectiveness of such complementary user entity
controls.

On page 6 of the description, Patriot has provided an assertion about the fairness of the presentation of
the description and suitability of the design of the controls to achieve the related control objectives stated
in the description. Patriot is responsible for preparing the description and for its assertion, including the
completeness, accuracy, and method of presentation of the description and the assertion, providing the
services covered by the description, specifying the control objectives and stating them in the description,
identifying the risks that threaten the achievement of the control objectives, selecting the criteria, and
designing, implementing, and documenting controls to achieve the related control objectives stated in the
description.

Our responsibility is to express an opinion on the fairness of the presentation of the description and on
the suitability of the design of the controls to achieve the related control objectives stated in the
description, based on our examination. We conducted our examination in accordance with attestation
standards established by the American Institute of Certified Public Accountants. Those standards require
that we plan and perform our examination to obtain reasonable assurance, in all material respects, about
whether the description is fairly presented and the controls were suitably designed to achieve the related
control objectives stated in the description as of September 30, 2011.

An examination of a description of a service organization’s system and the suitability of the design and
operating effectiveness of the service organization’s controls to achieve the related control objectives
stated in the description involves performing procedures to obtain evidence about the fairness of the
presentation of the description of the system and the suitability of the design of those controls to achieve
the related control objectives stated in the description. Our procedures included assessing the risks that
the description is not fairly presented and that the controls were not suitably designed to achieve the
related control objectives stated in the description. An examination engagement of this type also includes
evaluating the overall presentation of the description and the suitability of the control objectives stated
therein, and the suitability of the criteria specified by the service organization and described at page 6.

Proprietary and Confidential 3

We did not perform any procedures regarding the operating effectiveness of the controls stated in the
description and, accordingly, do not express an opinion thereon.

We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for
our opinion.

Because of their nature, controls at a service organization may not prevent, or detect and correct, all
errors or omissions in processing or reporting by the system. The projection to the future of any
evaluation of the fairness of the presentation of the description, or any conclusions about the suitability of
the design of the controls to achieve the related control objectives is subject to the risk that controls at a
service organization may become inadequate or fail.

In our opinion, in all material respects, based on the criteria described in Patriot’s assertion,

a. the description fairly presents the system that was designed and implemented as of
September 30, 2011, and
b. the controls related to the control objectives stated in the description were suitably designed to
provide reasonable assurance that the control objectives would be achieved if the controls
operated effectively as of September 30, 2011.

This report is intended solely for the information and use of Patriot, user entities of Patriot’s system as of
September 30, 2011, and the independent auditors of such user entities, who have a sufficient
understanding to consider it, along with other information including information about controls
implemented by user entities themselves, when obtaining an understanding of user entities information
and communication systems relevant to financial reporting. This report is not intended to be and should
not be used by anyone other than these specified parties.

October 18, 2011

Tampa, FL

Proprietary and Confidential 4

 SECTION 2

SERVICE ORGANIZATION’S ASSERTION

Proprietary and Confidential 5

 1800 Augusta, Suite 200
Houston, TX 77057-3149
T: 713.346.6200
F: 713.346.6220
www.patriotmcs.com

PATRIOT MANAGED CARE SOLUTIONS, INC.’S ASSERTION

October 18, 2011

We have prepared the description of Patriot Managed Care Solutions, Inc.’s Patriot application (the
system) for user entities of the system as of September 30, 2011, and their user auditors who have a
sufficient understanding to consider it, along with other information, including information about controls
implemented by user entities of the system themselves, when assessing the risks of material
misstatements of user entities’ financial statements. We confirm, to the best of our knowledge and belief,
that
a. the description fairly presents the system made available to user entities of the system as of
September 30, 2011 for processing their transactions. The criteria we used in making this
assertion were that the description
i. presents how the system made available to user entities of the system was designed and
implemented to process relevant transactions, including
(1) the classes of transactions processed.
(2) the procedures, within both automated and manual systems, by which those
transactions are initiated, authorized, recorded, processed, corrected as necessary,
and transferred to the reports presented to user entities of the system.
(3) the related accounting records, supporting information, and specific accounts that are
used to initiate, authorize, record, process, and report transactions; this includes the
correction of incorrect information and how information is transferred to the reports
presented to user entities of the system.
(4) how the system captures and addresses significant events and conditions, other than
transactions.
(5) the process used to prepare reports or other information provided to user entities of
the system.
(6) specified control objectives and controls designed to achieve those objectives.
(7) other aspects of our control environment, risk assessment process, information and
communication systems (including the related business processes), control activities,
and monitoring controls that are relevant to processing and reporting transactions of
user entities of the system.
ii. does not omit or distort information relevant to the scope of the system, while
acknowledging that the description is prepared to meet the common needs of broad range
of user entities of the system and the independent auditors of those user entities, and may
not, therefore, include every aspect of the system that each individual user entity of the
system and its auditor may consider important in its own particular environment.

Proprietary and Confidential 6

 1800 Augusta, Suite 200
Houston, TX 77057-3149
T: 713.346.6200
F: 713.346.6220
www.patriotmcs.com

b. the controls related to the control objectives stated in the description were suitably designed as of
September 30, 2011 to achieve those control objectives. The criteria we used in making this
assertion were that
i. the risks that threaten the achievement of the control objectives stated in the description
have been identified by the service organization;
ii. the controls identified in the description would, if operating as described, provide
reasonable assurance that those risks would not prevent the control objectives stated in
the description from being achieved.

Mr. Joseph Antonucci

Executive Vice President
Patriot Managed Care Solutions, Inc.

Proprietary and Confidential 7

 SECTION 3

DESCRIPTION OF THE SYSTEM PROVIDED

BY THE SERVICE ORGANIZATION

Proprietary and Confidential 8

OVERVIEW OF OPERATIONS
Company Background

Patriot Managed Care Solutions, Inc. was formed by Eaglestone Investment Partners, I, L.P. as a result
of an acquisition that took place in 2003. Patriot, headquartered in Houston Texas, was incorporated in
the State of Delaware following this acquisition in 2003.

Patriot offers cost effective, maintainable, intuitive solutions for healthcare organizations. Our rules based
systems are easily customized to simplify the administrative processes, which results in marked
improvement in workplace efficiencies.

Patriot and its predecessor company have been providing solutions to the healthcare community
since 1985. Patriot healthcare solutions are proven, having been in production for seven years and
consistently upgraded over that period. Our latest release has been in production for five years.
Patriot has successfully implemented its system and services for numerous clients across the United
States.

Description of Services

Patriot delivers an ASP model solution, providing our clients the latest in modern technology without the
investment typically required in hardware, technology and security infrastructure. With our ASP solution,
our clients’ IT staff can focus on your core lines of business because Patriot software and server
maintenance is included with our services.

Patriot has dedicated teams assigned to claims processing, claims scanning and claim review tasks.
Automated routines are run nightly and monitored by IT staff to upload claims in to the Patriot application.

Claims processing staff collect and open claims data daily in a clean desk, designated mail sorting area.
Documented procedures are followed to open and sort the claims based on predefined criteria. The
claims staff uses color coded batch cover sheets to identify and control the individual batches processed
by Patriot. Batch control totals are used to verify the completeness of each batch.

After claims are batched, they are scanned using industry recognized optical character recognition
software (“OCR”). The OCR software scans the claim data in to electronic format to be used for claims
processing, assigning each batch a unique tracking number.

Prior to importing the claim data in to the Patriot application, automated and manual data verification is
performed to ensure the completeness and accuracy of the claim data. Automated controls ensure that
each batch is manually verified before it is uploaded to the Patriot application.

Each night automated jobs run using Windows job scheduler to sweep all claim forms and scanned claim
images to the Patriot application. Errors detected in the upload process automatically generate alerts to
members of the IT department for resolution.

Patriot maintains all client-specific hardware and software at Verizon’s (formerly MCI) collocation data
center, located in Houston, Texas near Intercontinental Airport. Patriot controls access to all hardware
located at the data center by using client-specific account names, user names and passwords.

The U.S. Government has designated the Verizon Data Center as a FEMA Data Center Facility. To
maintain this designation, Verizon is contractually committed to maintaining extensive services and
procedures to monitor the performance of its clients’ computing environment and the safety of its data,
including Patriot’s servers as well as its other clients (i.e. the U.S. Federal Government).

Proprietary and Confidential 9

Verizon’s Monitoring infrastructure is comprised of a combination of leading hardware and software
technologies. Monitoring activities are focused on server resources including CPU, Disk Space and
Memory. Verizon maintains multiple levels of redundancy of data as well as well-established back up &
recovery procedures.

Additionally, Patriot and Verizon employ sophisticated load balancing techniques to facilitate performance
management for each of our clients. Verizon offers routine reports to Patriot to show ways we can
accommodate system performance at the data center level. This is used to monitor hardware,
infrastructure and connectivity.

Patriot utilizes WhatsUp Gold, and Websense industry accepted performance and Internet monitoring
software, to continuously monitor SQL and the Patriot application to ensure a satisfactory level of
performance and Internet security. We are committed to the growth of hardware and network service
capacity in Patriot’s data center as our clients’ volume increases.

CONTROL ENVIRONMENT
Integrity and Ethical Values

The effectiveness of controls cannot rise above the integrity and ethical values of the people who create,
administer, and monitor them. Integrity and ethical values are essential elements of Patriot’s control
environment, affecting the design, administration, and monitoring of other components. Integrity and
ethical behavior are the product of Patriot’s ethical and behavioral standards, how they are
communicated, and how they are reinforced in practices. They include management’s actions to remove
or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or
unethical acts. They also include the communication of entity values and behavioral standards to
personnel through policy statements, as well as by example.

Specific control activities that the service organization has implemented in this area are described below.
 Organizational policy statements and codes of conduct are documented and communicate entity
values and behavioral standards to personnel. The new hire packet contains organizational policy
statements and codes of conduct to which employees are required to adhere.
 Policies and procedures require employees sign an acknowledgment form indicating they have
been given access to the employee handbook and understand their responsibility for adhering to
the policies and procedures contained within the manual.

Commitment to Competence

Patriot’s management defines competence as the knowledge and skills necessary to accomplish tasks
that define employees’ roles and responsibilities. Management’s commitment to competence includes
management’s consideration of the competence levels for particular jobs and how those levels translate
into the requisite skills and knowledge.

Specific control activities that the service organization has implemented in this area are described below.
 Management has considered the competence levels for particular jobs and translated required
skills and knowledge levels into written position requirements.
 Skills testing are utilized during the hiring process to qualify the skills of personnel for certain
positions.
 Ongoing training is provided to maintain the skill level of personnel in certain positions.

Proprietary and Confidential 10

Management’s Philosophy and Operating Style

Patriot’s management philosophy and operating style encompass a broad range of characteristics. Such
characteristics include management’s approach to taking and monitoring business risks, and
management’s attitudes toward information processing, accounting functions and personnel.

Specific control activities that the service organization has implemented in this area are described below.
 Management tracks and reviews operational, process and customer items impacting the
organization.
 Management meetings are held to discuss operational issues.

Organizational Structure and Assignment of Authority and Responsibility

Patriot’s organizational structure provides the framework within which its activities for achieving entity-
wide objectives are planned, executed, controlled, and monitored. Management believes establishing a
relevant organizational structure includes considering key areas of authority and responsibility. An
organizational structure has been developed to suit its needs. This organizational structure is based, in
part, on its size and the nature of its activities.

Patriot’s assignment of authority and responsibility activities include factors such as how authority and
responsibility for operating activities are assigned and how reporting relationships and authorization
hierarchies are established. It also includes policies relating to appropriate business practices, knowledge
and experience of key personnel, and resources provided for carrying out duties. In addition, it includes
policies and communications directed at ensuring personnel understand the entity’s objectives, know how
their individual actions interrelate and contribute to those objectives, and recognize how and for what they
will be held accountable. Organizational charts are in place to communicate key areas of authority and
responsibility. These charts are communicated to employees and updated as needed.

Human Resource Policies and Practices

Patriot’s human resources policies and practices relate to employee hiring, orientation, training,
evaluation, counseling, promotion, compensation, and disciplinary activities.

Specific control activities that the service organization has implemented in this area are described below.
 Employee hiring processes are in place to guide the hiring process.
 Pre-hire screening processes are in place.
 Employee termination processes are in place to guide the termination process.

RISK ASSESSMENT
Patriot has placed into operation a risk assessment process to identify and manage risks that could affect
the organization's ability to provide reliable transaction processing for user organizations. This process
requires management to identify significant risks in their areas of responsibility and to implement
appropriate measures to address those risks.

Risks considered during management’s assessment activities include consideration of the following:
 Overall enterprise risk assessment
 Operational risk
 Compliance, regulatory, and fraud risks

Proprietary and Confidential 11

Management’s recognition of risks that could affect the organization’s ability to provide reliable
transaction processing for its user organizations is generally implicit, rather than explicit. Management’s
involvement in the daily operations allows them to learn about risks through direct personal involvement
with employees and outside parties, thus reducing the need for formalized and structured risk
assessment processes.

CONTROL OBJECTIVES AND RELATED CONTROL ACTIVITIES

Computer Operations

Control Objective 1: Control activities provide reasonable assurance that systems are maintained in a
manner that helps ensure system availability.

Control Activities Specified by the Service Organization:

1.1 A ticket tracking system is used to log customer calls regarding system issues.
1.2 Nightly the Patriot application and associated databases are backed up and stored locally.
1.3 Weekly the Patriot application and associated databases are backed up and rotated offsite to a third-party
storage facility.
1.4 Weekly the Patriot application client databases are backed up electronically to a third-party backup facility.
1.5 Antivirus software is installed on workstations and servers to detect and prevent the transmission of data
or files that contain certain virus signatures recognized by the antivirus software.
1.6 Antivirus software on workstations and servers is configured to automatically update virus definitions daily.
1.7 A third party service provider monitors email traffic to prevent the transmission of data or files that contain
certain virus signatures recognized by the antivirus software.
1.8 A system monitoring tool is utilized to monitor critical production servers for potential system issues.
1.9 Critical operating system patches are installed on the servers monthly.

Information Security

Control Objective 2: Control activities provide reasonable assurance that system information, once
entered into the system, is protected from unauthorized or unintentional use, modification, addition or
deletion.

Control Activities Specified by the Service Organization:

2.1 Client access to the Patriot application is granted based on an approved request form.
2.2 Client access to the Patriot application is removed based on an approved request form.
2.3 Users are required to authenticate via a user account and password before being granted access to
the internal network domain.
2.4 Administrative access to the Windows Domain and Windows servers is restricted to system and
application administrators.
2.5 Administrative functions in the Patriot application are restricted to authorized Patriot employees.
2.6 Remote access to the Patriot application is controlled through Windows Domain authentication.
2.7 Active Directory and the Patriot application enforce the following password requirements:
 Minimum length
 Expiration interval

Proprietary and Confidential 12

  Password history
 Invalid login lockout
 Password complexity requirements
2.8 The Windows Domain audit settings are configured to log specific events which are retained and
used for investigative purposes.
2.9 Physical access to the office facility is controlled through the use of proximity readers and key
cards.
2.10 Physical access and logical access to Patriot resources is removed as part of the termination
process.
2.11 The ability to administer the key card access system is limited to the system administrators.

Application Change Control

Control Objective 3: Control activities provide reasonable assurance that unauthorized changes are not
made to production application systems.

Control Activities Specified by the Service Organization:

3.1 A change management ticketing system is utilized to maintain and track application and supporting
infrastructure change requests.
3.2 Changes to the Patriot application are approved by select members of management.
3.3 Changes to the Patriot application are documented in the change management ticketing system.
3.4 Application development and testing efforts are performed in development environments that are
separated from the production environment.
3.5 Version control software is utilized to centrally maintain source code versions and promote application
source code through the development process.
3.6 Access to modify code in development source code libraries is restricted to user accounts accessible by
developers.
3.7 Changes to the application and supporting infrastructure are approved prior to migration to the production
environment.
3.8 The ability to migrate application changes to the production environment is limited to the system
administrators.

Data Communications

Control Objective 4: Control activities provide reasonable assurance that data maintains its integrity and
security as it is transmitted between third parties and the service organization.

Control Activities Specified by the Service Organization:

4.1 A stateful inspection firewall is in place to filter unauthorized inbound network traffic from the
Internet.
4.2 The ability to administer the firewall is restricted to the system administrators.
4.3 Firewall rules have a business justification and block unnecessary inbound and outbound traffic.
4.4 An encrypted VPN tunnel is established to transmit data between the office facility and the
colocation facility.

Proprietary and Confidential 13

 4.5 Remote connections to the Patriot application are encrypted using secure sockets layer (SSL)
encryption.

Mail Opening and Sorting

Control Objective 5: Control activities provide reasonable assurance that incoming mail is accounted
for, sorted, and distributed in accordance with company policies / client contractual obligations.

Control Activities Specified by the Service Organization:

5.1 Documented procedures are in place for opening, sorting and batching the incoming mail.
5.2 Incoming mail is opened and sorted in a designated, clean desk area.
5.3 Incoming mail is sorted based on predefined criteria, including customer, institution type and
document type.
5.4 Incoming mail is batched using color coded cover sheets to identify the type and content of the
batch.
5.5 The number of claims is counted and noted on the color coded batch cover sheets.
5.6 Improperly submitted or unreadable claims are returned to the originating organization using a
standard exception form.

Claim Data Optical Character Recognition

Control Objective 6: Control activities provide reasonable assurance that claim data is entered into the
system completely, accurately, and timely in accordance with company policy / client contractual
obligations.

Control Activities Specified by the Service Organization:

6.1 Procedures for scanning claim data in to the system are documented.
6.2 Automated routines are preconfigured to scan each customers’ claim data to a logically separate
location.
6.3 Scanning personnel verify the number of documents in the batch on the batch cover sheet with the
number of documents scanned by the scanning software and confirms all claims were recognized
by the scanning software.
6.4 The scanning program generates a unique batch ID and prints it on each claim record to uniquely
identify the batch.
6.5 An automated data verification process runs to validate the accuracy of the scanned data.
6.6 Exceptions identified during the automated data verification process are sent to the “fix-up” queue
for resolution.
6.7 A manual verification process is performed to compare the scanned data with an image of the claim
prior to uploading the data in to the Patriot application.
6.8 Nightly batch jobs upload all scanned claim data to the Patriot application.
6.9 An email alert is generated if the nightly batch job that transfers the scanned claim data to the
Patriot application fails to complete successfully.

Proprietary and Confidential 14

MONITORING

Peer review protocols, division of responsibilities and weekly management meetings to discuss
outstanding items and issues provides for real time monitoring of operational activities. Senior
management is involved in the day to day operations of the company and provides for hands on
monitoring. An independent financial audit and internal audit take place to allow for monitoring of
operations by outside parties.

INFORMATION AND COMMUNICATION SYSTEMS

Information Systems

Patriot’s applications are installed on Microsoft Windows servers with a Coyote Point Systems Network
Balancer. Remote desktop connections provide remote connectivity to the Patriot application.

Network connectivity and logical security is provided by redundant Cisco ASA5500 series Firewalls, Cisco
2800 series routers and Cisco Catalyst 2970G switches.

Communications Systems

Upper management is involved with day-to-day operations and is able to provide personnel with an
understanding of their individual roles and responsibilities pertaining to internal controls. This includes
the extent to which personnel understand how their activities relate to the work of others and the means
of reporting exceptions to a higher level within Patriot. Management believes that open communication
channels help ensure that exceptions are reported and acted on. Management’s communication
activities are made electronically, verbally, and through the actions of management.

COMPLEMENTARY USER ORGANIZATION CONTROLS

Patriot’s services are designed with the assumption that certain controls will be implemented by user
organizations. Such controls are called complementary user organization controls. It is not feasible for all
of the control objectives related to Patriot’s services to be solely achieved by Patriot control procedures.
Accordingly, user organizations, in conjunction with the services, should establish their own internal
controls or procedures to complement those of Patriot.

The following complementary user organization controls should be implemented by user organizations to
provide additional assurance that the control objectives described within this report are met. As these
items represent only a part of the control considerations that might be pertinent at the user organizations’
locations, user organizations’ auditors should exercise judgment in selecting and reviewing these
complementary user organization controls.

1. User organizations are responsible for understanding and complying with their contractual
obligations to Patriot.
2. User organizations are responsible for notifying Patriot of changes made to technical or
administrative contact information.
3. User organizations are responsible for maintaining their own system(s) of record.
4. User organizations are responsible for ensuring the supervision, management and control of the
use of Patriot services by their personnel.
5. User organizations are responsible for developing their own disaster recovery and business
continuity plans that address the inability to access or utilize Patriot services.

Proprietary and Confidential 15

 6. User organizations are responsible for ensuring that user IDs and passwords are assigned to only
authorized individuals.
7. User organizations are responsible for the timely removal of terminated users’ accounts.
8. User organizations are responsible for ensuring the confidentiality of any user IDs and passwords
used to access Patriot’s systems.
9. User organizations are responsible for ensuring that data submitted to Patriot is complete,
accurate and timely.
10. User organizations are responsible for ensuring that their data are formatted in accordance with
agreed upon standards.

Proprietary and Confidential 16

 SECTION 4

OTHER INFORMATION PROVIDED BY MANAGEMENT

Proprietary and Confidential 17

CONTINUITY OF OPERATIONS

Verizon’s Back-Up and Restore Services are designed to meet Patriot’s (and our clients) high availability
and business continuity needs by providing scalability to safeguard rapidly growing quantity of data. The
Back-Up and Restore Services include scheduled and full incremental back-ups with rotating off-site
storage for outstanding data protection. Standard service elements include flexible back-up and retention
policies, short-term, on-site retention for most recent back-ups, long-term offsite storage for full back-ups
after one week, service level agreements, optional customer-initiated back-ups and customer-controlled
recovery process.

Verizon also maintains an extensive back-up infrastructure to secure host servers and offers a private
virtual network dedicated to back-up traffic. Database and application back-ups are supported using
automated tools, such as Networker modules.

Verizon maintains procedures that are well and routinely tested to ensure an orderly shutdown of the
server and advisories to its clients. As a FEMA Class 1 facility, Verizon is also contractually committed to
multiple levels of redundancy and back-up generators to ensure that its servers and computers operate at
full capacity during a declared emergency.

Patriot maintains a disaster recovery plan, which is routinely tested at both the Verizon Data Center and
Patriot’s offices. Patriot maintains a near-identical hardware and software infrastructure an alternate data
center location (Atlanta, GA). In the event of a catastrophic-type event in Houston, clients would simply
be provided access to our alternate technology infrastructure. Patriot’s main office is located in Houston,
Texas approximately 25 miles south of the Verizon data center. In the event that a catastrophic-type
event affected our physical office facility, support responsibilities would be shifted to our Kentucky office,
approximately 45 minutes north of Nashville. If an alternate to the Kentucky location was needed, support
responsibilities would be shifted to our West Coast Office (Newport Beach, CA).

Proprietary and Confidential 18