Attestation of Scan Compliance

A.1 Scan Customer Information A.2 Approved Scanning Vendor Information

Company: Salesforce Company: Tenable Network Security

Contact Name: Contact Name: Bin Rong

Job Title: Job Title: PCI Analyst

Telephone: Telephone: (410) 872-0555

Email: Email: brong@[Link]

Business Address: Business Address: 7021 Columbia Gateway Drive

Suite 500

City: City: Columbia

State/Province: State/Province: MD

ZIP/Postal Code: ZIP/Postal Code: 21046

Country: United States Country: US

Website/URL: [Link] Website/URL: [Link]

A.3 Scan Status - 1:5 - PCI ASV Scan - APAC

Date scan completed: 01/17/2019 Scan expiration date: 04/17/2019

Compliance status: PASS Scan report type: Full scan

Number of unique in-scope components scanned: 536

Number of identified failing vulnerabilities: 0

Number of components found by ASV but not scanned because customer confirmed they were out of scope: 0

A.4 Scan Customer Attestation

Salesforce attests on 02/07/2019 that this scan (either by itself or combined with multiple, partial, or failed scans/rescans, as indicated in
the above Section A.3, “Scan Status”) includes all components which should be in scope for PCI DSS, any component considered out of
scope for this scan is properly segmented from my cardholder data environment, and any evidence submitted to the ASV to resolve scan
exceptions—including compensating controls if applicable—is accurate and complete. Salesforce also acknowledges 1) accurate and
complete scoping of this external scan is my responsibility, and 2) this scan result only indicates whether or not my scanned systems are
compliant with the external vulnerability scan requirement of PCI DSS; this scan result does not represent my overall compliance status
with PCI DSS or provide any indication of compliance with other PCI DSS requirements.

A.5 ASV Attestation

This scan and report was prepared and conducted by Tenable Network Security under certificate number 5049-01-07, according to internal
processes that meet PCI DSS Requirement 11.2.2 and the ASV Program Guide. Tenable Network Security attests that the PCI DSS scan process
was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results
for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, 3) compensating controls (if applicable),
and 4) active scan interference. This report and any exceptions were reviewed by Bin Rong.

1
Attestation of Scan Compliance
A.1 Scan Customer Information A.2 Approved Scanning Vendor Information
Company: Salesforce Company: Tenable Network Security

Contact Name: Contact Name: Bin Rong

Job Title: Job Title: PCI Analyst

Telephone: Telephone: (410) 872-0555

Email: Email: brong@[Link]

Business Address: Business Address: 7021 Columbia Gateway Drive

Suite 500

City: City: Columbia

State/Province: State/Province: MD

ZIP/Postal Code: ZIP/Postal Code: 21046

Country: United States Country: US

Website/URL: [Link] Website/URL: [Link]

A.3 Scan Status - 2:5 - PCI ASV Scan - Canada

Date scan completed: 01/17/2019 Scan expiration date: 04/17/2019

Compliance status: PASS Scan report type: Full scan

Number of unique in-scope components scanned: 468

Number of identified failing vulnerabilities: 0

Number of components found by ASV but not scanned because customer confirmed they were out of scope: 0

A.4 Scan Customer Attestation

Salesforce attests on 01/29/2019 that this scan (either by itself or combined with multiple, partial, or failed scans/rescans, as indicated in
the above Section A.3, “Scan Status”) includes all components which should be in scope for PCI DSS, any component considered out of
scope for this scan is properly segmented from my cardholder data environment, and any evidence submitted to the ASV to resolve scan
exceptions—including compensating controls if applicable—is accurate and complete. Salesforce also acknowledges 1) accurate and
complete scoping of this external scan is my responsibility, and 2) this scan result only indicates whether or not my scanned systems are
compliant with the external vulnerability scan requirement of PCI DSS; this scan result does not represent my overall compliance status
with PCI DSS or provide any indication of compliance with other PCI DSS requirements.

A.5 ASV Attestation

This scan and report was prepared and conducted by Tenable Network Security under certificate number 5049-01-07, according to internal
processes that meet PCI DSS Requirement 11.2.2 and the ASV Program Guide. Tenable Network Security attests that the PCI DSS scan process
was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results
for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, 3) compensating controls (if applicable),
and 4) active scan interference. This report and any exceptions were reviewed by Bin Rong.

1
Attestation of Scan Compliance
A.1 Scan Customer Information A.2 Approved Scanning Vendor Information
Company: Salesforce Company: Tenable Network Security

Contact Name: Contact Name: Bin Rong

Job Title: Job Title: PCI Analyst

Telephone: Telephone: (410) 872-0555

Email: Email: brong@[Link]

Business Address: Business Address: 7021 Columbia Gateway Drive

Suite 500

City: City: Columbia

State/Province: State/Province: MD

ZIP/Postal Code: ZIP/Postal Code: 21046

Country: United States Country: US

Website/URL: [Link] Website/URL: [Link]

A.3 Scan Status - 4:5 - PCI ASV Scan - USWest

Date scan completed: 01/17/2019 Scan expiration date: 04/17/2019

Compliance status: PASS Scan report type: Full scan

Number of unique in-scope components scanned: 805

Number of identified failing vulnerabilities: 0

Number of components found by ASV but not scanned because customer confirmed they were out of scope: 0

A.4 Scan Customer Attestation

Salesforce attests on 01/29/2019 that this scan (either by itself or combined with multiple, partial, or failed scans/rescans, as indicated in
the above Section A.3, “Scan Status”) includes all components which should be in scope for PCI DSS, any component considered out of
scope for this scan is properly segmented from my cardholder data environment, and any evidence submitted to the ASV to resolve scan
exceptions—including compensating controls if applicable—is accurate and complete. Salesforce also acknowledges 1) accurate and
complete scoping of this external scan is my responsibility, and 2) this scan result only indicates whether or not my scanned systems are
compliant with the external vulnerability scan requirement of PCI DSS; this scan result does not represent my overall compliance status
with PCI DSS or provide any indication of compliance with other PCI DSS requirements.

A.5 ASV Attestation

This scan and report was prepared and conducted by Tenable Network Security under certificate number 5049-01-07, according to internal
processes that meet PCI DSS Requirement 11.2.2 and the ASV Program Guide. Tenable Network Security attests that the PCI DSS scan process
was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results
for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, 3) compensating controls (if applicable),
and 4) active scan interference. This report and any exceptions were reviewed by Bin Rong.

1
Attestation of Scan Compliance
A.1 Scan Customer Information A.2 Approved Scanning Vendor Information
Company: Salesforce Company: Tenable Network Security

Contact Name: Contact Name: Bin Rong

Job Title: Job Title: PCI Analyst

Telephone: Telephone: (410) 872-0555

Email: Email: brong@[Link]

Business Address: Business Address: 7021 Columbia Gateway Drive

Suite 500

City: City: Columbia

State/Province: State/Province: MD

ZIP/Postal Code: ZIP/Postal Code: 21046

Country: United States Country: US

Website/URL: [Link] Website/URL: [Link]

A.3 Scan Status - 3:5 - PCI ASV Scan - UK

Date scan completed: 01/17/2019 Scan expiration date: 04/17/2019

Compliance status: PASS Scan report type: Full scan

Number of unique in-scope components scanned: 204

Number of identified failing vulnerabilities: 0

Number of components found by ASV but not scanned because customer confirmed they were out of scope: 0

A.4 Scan Customer Attestation

Salesforce attests on 01/29/2019 that this scan (either by itself or combined with multiple, partial, or failed scans/rescans, as indicated in
the above Section A.3, “Scan Status”) includes all components which should be in scope for PCI DSS, any component considered out of
scope for this scan is properly segmented from my cardholder data environment, and any evidence submitted to the ASV to resolve scan
exceptions—including compensating controls if applicable—is accurate and complete. Salesforce also acknowledges 1) accurate and
complete scoping of this external scan is my responsibility, and 2) this scan result only indicates whether or not my scanned systems are
compliant with the external vulnerability scan requirement of PCI DSS; this scan result does not represent my overall compliance status
with PCI DSS or provide any indication of compliance with other PCI DSS requirements.

A.5 ASV Attestation

This scan and report was prepared and conducted by Tenable Network Security under certificate number 5049-01-07, according to internal
processes that meet PCI DSS Requirement 11.2.2 and the ASV Program Guide. Tenable Network Security attests that the PCI DSS scan process
was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results
for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, 3) compensating controls (if applicable),
and 4) active scan interference. This report and any exceptions were reviewed by Bin Rong.

1
Attestation of Scan Compliance
A.1 Scan Customer Information A.2 Approved Scanning Vendor Information
Company: Salesforce Company: Tenable Network Security

Contact Name: Contact Name: Bin Rong

Job Title: Job Title: PCI Analyst

Telephone: Telephone: (410) 872-0555

Email: Email: brong@[Link]

Business Address: Business Address: 7021 Columbia Gateway Drive

Suite 500

City: City: Columbia

State/Province: State/Province: MD

ZIP/Postal Code: ZIP/Postal Code: 21046

Country: United States Country: US

Website/URL: [Link] Website/URL: [Link]

A.3 Scan Status - 5:5 - PCI ASV Scan - USEast

Date scan completed: 01/17/2019 Scan expiration date: 04/17/2019

Compliance status: PASS Scan report type: Full scan

Number of unique in-scope components scanned: 413

Number of identified failing vulnerabilities: 0

Number of components found by ASV but not scanned because customer confirmed they were out of scope: 0

A.4 Scan Customer Attestation

Salesforce attests on 02/07/2019 that this scan (either by itself or combined with multiple, partial, or failed scans/rescans, as indicated in
the above Section A.3, “Scan Status”) includes all components which should be in scope for PCI DSS, any component considered out of
scope for this scan is properly segmented from my cardholder data environment, and any evidence submitted to the ASV to resolve scan
exceptions—including compensating controls if applicable—is accurate and complete. Salesforce also acknowledges 1) accurate and
complete scoping of this external scan is my responsibility, and 2) this scan result only indicates whether or not my scanned systems are
compliant with the external vulnerability scan requirement of PCI DSS; this scan result does not represent my overall compliance status
with PCI DSS or provide any indication of compliance with other PCI DSS requirements.

A.5 ASV Attestation

This scan and report was prepared and conducted by Tenable Network Security under certificate number 5049-01-07, according to internal
processes that meet PCI DSS Requirement 11.2.2 and the ASV Program Guide. Tenable Network Security attests that the PCI DSS scan process
was followed, including a manual or automated Quality Assurance process with customer boarding and scoping practices, review of results
for anomalies, and review and correction of 1) disputed or incomplete results, 2) false positives, 3) compensating controls (if applicable),
and 4) active scan interference. This report and any exceptions were reviewed by Bin Rong.