Welcome to MacStadium's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.
If you need to request that our GRC team complete a custom questionnaire or online assessment as part of your vendor evaluation process, please submit the document or URL through this trust center after requesting portal access above and then create security@macstadium.com as the user account in your vendor platform. Please be advised that email requests will not be fulfilled without a registered account and submission of your request through the trust center portal.
React2Shell (CVE-2025-55182)
MacStadium received initial intelligence of a proof-of-concept on this threat on Thursday, December 4th, at 12:00 noon ET and began conducting internal vulnerability scans and threat hunting activities in coordination with our SOC team. No unpatched systems or indicators of compromise were detected in any of our infrastructure environments at that time. Internal and external vulnerability scans were executed again over the weekend and confirmed that no vulnerable instances of Next.js exist within MacStadium’s infrastructure environment.
MacStadium's DevOps team has confirmed that there were no vulnerable instances of Next.js within any of our software development projects. As part of our CI/CD processes, we have branch protection rules that use Renovate to update libraries and Trivy to identify vulnerabilities, enforcing our zero-CVE policy for all software releases.
Our GRC team has also been engaging with our critical third-party vendors and sub-processors to inquire about their potential exposure to the threat, and no potential for impact has been identified at this time. We continue to monitor responses from our Nth party vendors for any additional risk exposure and will provide any updates as they are received.
ISO 27001 Annual Report
MacStadium's latest ISO 27001/27017/27018 second surveillance audit report is now available for review and download. We are pleased to announce that no major or minor control nonconformities were identified in the review period, reinforcing a high level of confidence in MacStadium's processes and security controls designed to protect our clients' systems, users, and data.
Please reach out to security@macstadium.com with any questions or to initiate a vendor risk analysis.
The MacStadium Security & Compliance Team
2025 Annual Orka Penetration Testing
MacStadium's 2025 annual penetration testing engagement performed by 4Armed Limited (https://4armed.com/) has been completed and the report is now available for review and download within the trust center.
Sub-Processor Addition Notification: HubSpot
MacStadium is committed to protecting the security and privacy of the personal data you entrust to us. To continue delivering the highest quality of service, we periodically update the third-party vendors and service providers ("sub-processors") that assist us in providing MacStadium services. These sub-processors help us to deliver product features, improve customer support, maintain critical infrastructure, and enhance service reliability.
In accordance with our contractual obligations, this notice is to inform you of the addition of the following subprocessor, with the intent to commence on September 5th, 2025:
Sub-processor: HubSpot
Headquarters Location: United States
Location of hosting: United States and European Union
Service Provided: HubSpot is used for marketing automation, including email campaigns, lead capture, customer engagement tracking, and CRM integration.
Data Handled: First name, last name, email address, physical address, and phone number
HubSpot’s primary security focus is to safeguard our customers’ data. To this end, HubSpot has implemented a comprehensive security program, with teams dedicated to Corporate, Product, Infrastructure, and Physical Security that partner with Compliance, Legal, and Privacy to own the governance process. Our Chief Information Security Officer oversees the implementation of security safeguards across the HubSpot enterprise.
More information on HubSpot's security practices can be found at https://trust.hubspot.com
Effective Date: September 05, 2025
Reason for Use: The MacStadium marketing department is implementing HubSpot's marketing automation and customer engagement platform
What You Need to Do
No action is required on your part if you agree to these updates. However, if you wish to object to our use of this new MacStadium sub-processor for reasons related to data protection, please send an email to privacy@macstadium.com within thirty (30) days of this notification with both:
- The subject “Sub-processor Objection”, and
- The grounds for the objection.
Please note that MacStadium has undertaken appropriate due diligence to ensure that any requirements of MacStadium as they relate to its use of subprocessors have been considered and satisfied. Please also note that this subprocessor update does not result in any changes to the personal data types or categories referenced in any applicable Data Processing Agreement (DPA) or similar such agreement between you and MacStadium.
You may view the full list of MacStadium’s subprocessors in the MacStadium Trust Center by visiting https://trust.macstadium.com/
Thank you for trusting MacStadium to manage your data with the highest standards of security and compliance.
The MacStadium Privacy Team
privacy@macstadium.com
Sub-processor addition notification: Zapier, Inc.
MacStadium is committed to protecting the security and privacy of the personal data you entrust to us. To continue delivering the highest quality of service, we periodically update the third-party vendors and service providers ("sub-processors") that assist us in providing MacStadium services. These sub-processors help us to deliver product features, improve customer support, maintain critical infrastructure, and enhance service reliability.
In accordance with our contractual obligations, this notice is to inform you of the addition of the following subprocessor, with the intent to commence on July 5th, 2025:
Sub-processor: Zapier, Inc.
Headquarters Location: United States
Location of hosting: United States
Service Provided: Workflow integration for customer support case management systems
Data Handled: Customer support ticket information, including contact information and customer content processed as part of troubleshooting issues.
As the leader in workflow automation, Zapier empowers businesses to automate workflows and securely move data across applications. Zapier, Inc. adheres to industry-standard security and data privacy practices. MacStadium has implemented appropriate data processing agreements and safeguards to protect your data while it is stored or processed by Zapier, Inc. More information on Zapier's security practices can be found at https://trust.zapier.com
Effective Date: July 05, 2025
Reason for Use: MacStadium Technical Support is implementing Zapier for managing customer inquiries and support requests between our Jira and Zendesk service platforms.
What You Need to Do
No action is required on your part if you agree to these updates. However, if you wish to object to our use of this new MacStadium sub-processor for reasons related to data protection, please send an email to privacy@macstadium.com within thirty (30) days of this notification with both:
- The subject “Sub-processor Objection”, and
- The grounds for the objection.
Please note that MacStadium has undertaken appropriate due diligence to ensure that any requirements of MacStadium as they relate to its use of subprocessors have been considered and satisfied. Please also note that this subprocessor update does not result in any changes to the personal data types or categories referenced in any applicable Data Processing Agreement (DPA) or similar such agreement between you and MacStadium.
Additionally, the following former subprocessor vendors are no longer being utilized by MacStadium and have been removed from service:
- Stitch Data
- Referral Rock
- UserGems
- Firebase
- Mailgun
- PlanetScale
Appropriate measures have been taken to delete all personal information that was previously processed or stored by these vendors in accordance with our contractual obligations.
You may view the full list of MacStadium’s subprocessors in the MacStadium Trust Center by visiting https://trust.macstadium.com/
Thank you for trusting MacStadium to manage your data with the highest standards of security and compliance.
The MacStadium Privacy Team
privacy@macstadium.com








