Common use of Buyer Data Clause in Contracts

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-code-of-practice the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles The Buyer will specify any security requirements for this project in the Order Form. If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-/protection- sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-management- collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-of- practice/technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-government- security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-of- practice/technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles security- principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-policy- framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-security- policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ⚫ the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ⚫ guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-/protection- sensitive-information-and-assets ⚫ the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-management- collection ⚫ government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-of- practice/technology-code-of-practice ⚫ the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-/protection- sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-technology- code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-implementing- cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-security- classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-technology- code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles security- principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-/protection- sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-of- practice/technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-implementing- cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ⚫ the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ⚫ guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-/protection- sensitive-information-and-assets ⚫ the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ⚫ government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-technology- code-of-practice ⚫ the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-implementing- cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-management- approach and Accreditation Protection of Sensitive Information Systems and Assets at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/collection/risk-management-management- collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-of- practice/technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. 13.1 The Supplier must not remove any proprietary notices in the Buyer Data. . 13.2 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.3 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.4 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy policies and all Buyer requirements in the Order Form. . 13.5 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.6 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: : 13.6.1 the principles in the Security Policy Framework at Framework: ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security - Classification policy at ▇▇▇▇▇://policy: https:/▇▇▇.▇▇▇.▇▇/government/publications▇▇▇▇▇▇▇▇▇▇/government▇▇▇▇▇▇▇▇▇▇▇▇/▇▇▇▇▇▇▇▇▇▇-security▇▇▇▇▇▇▇▇-classifications ▇▇▇▇▇▇▇▇▇ ations 13.6.2 guidance issued by the Centre for Protection of National Infrastructure on Risk Management at Management: 13.6.3 the National Cyber Security Centre’s (NCSC) information risk management guidance: ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/collection/risk-management-collection collection 13.6.4 government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at : ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-codetechnologycode-of-practice/technology-codetechn ology -code-of-practice practice 13.6.5 the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇guidance://▇▇▇ 13.6.6 Buyer requirements in respect of AI ethical standards.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles 13.7 The Buyer will specify any security requirements for this project in the Order Form. . 13.8 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.9 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.10 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. The Where relevant to this Call-Off Contract the Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-code-of-practice the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles The Buyer will specify any security requirements for this project in the Order Form. If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ⚫ the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-government- security-classifications ⚫ guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ⚫ the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ⚫ government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-of- practice/technology-code-of-practice ⚫ the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles security- principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer▇▇▇▇▇’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-security- classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-technology- code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles security- 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. 13.1 The Supplier must not remove any proprietary notices in the Buyer Data. . 13.2 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.3 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.4 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy policies and all Buyer requirements in the Order Form. . 13.5 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.6 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: : 13.6.1 the principles in the Security Policy Framework at ▇▇▇▇▇Framework://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications 13.6.2 guidance issued by the Centre for Protection of National Infrastructure on Risk Management at Management: ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation Protection of Sensitive Information Systems at and Assets: ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive/sensitive-information-and-assets assets 13.6.3 the National Cyber Security Centre’s (NCSC) information risk management guidance, available at : ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/collection/risk-management-collection collection 13.6.4 government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at : ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-codetechnologycode-of-practice/technology-codetechnology -code-of-practice practice 13.6.5 the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇guidance://▇▇▇ 13.6.6 Buyer requirements in respect of AI ethical standards.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles 13.7 The Buyer will specify any security requirements for this project in the Order Form. . 13.8 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.9 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.10 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. The . 13.5 Where relevant to this Call-Off Contract the Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-policy- framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-sensitive- information-and-assets the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-technology- code-of-practice/technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-cloud- security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ⚫ the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ⚫ guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-/protection- sensitive-information-and-assets ⚫ the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ⚫ government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-code-of-practice ⚫ the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-implementing- cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer▇▇▇▇▇’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ⚫ the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-security- classifications ⚫ guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ⚫ the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ⚫ government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-code-of-practice technology- ⚫ the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles security- principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. itsobligations. 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-and- assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-code- of-practice/technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles security- principles 13.6 The Buyer will specify any security requirements for this project in the inthe Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-government- security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-code-of-practice of- ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles security- principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil ful=l its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification Classi=cation policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications classi=cations ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-/protection- sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/practice/ technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-implementing- cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly signi=cantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with:  the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-security- classifications  guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-risk- management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets  the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection  government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-of- practice/technology-code-of-practice  the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles security- principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive/protectionsensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ● ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practiceofpractice/technology-technology- code-of-practice the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-implementingcloud- security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ⚫ the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ⚫ guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-sensitive- information-and-assets ⚫ the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ⚫ government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-technology- code-of-practice/technology-code-of-practice ⚫ the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-cloud- security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. 15.1 The Supplier must will not remove any proprietary notices in relating to the Buyer Data. . 15.2 The Supplier will not store or use Buyer Data except if where necessary to fulfil its obligations. . 15.3 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s requested and Buyer’s security policy and all Buyer requirements in the Order Form. format specified by the Buyer. 15.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 15.5 The Supplier will ensure that any Supplier system which holds any Buyer Data complies with the security requirements prescribed by the Buyer. 15.6 The Supplier will ensure that any system on which the Supplier holds any protectively marked Buyer Data or other government data will be accredited as specific to the Buyer and will comply with: the The principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications guidance Guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation Protection of Sensitive Information Systems and Assets at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection government Government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-codetechnologycode-of-practice the The security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloudimplementingcloud-security-principles The principles 15.7 Where the duration of the Call-Off Contract exceeds one year, the Supplier will review the accreditation status at least once a year to assess whether material changes have occurred which could alter the original accreditation decision in relation to Buyer will specify any security requirements for this project in the Order FormData. If any changes have occurred, the Supplier will re-submit such system for accreditation. 15.8 If at any time the Supplier suspects that the Buyer Data that the Supplier has held, used, or accessed has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. 15.9 The Supplier will provide, at the request of CCS or the Buyer, any information relating to the Supplier’s compliance with its obligations under the Data Protection Legislation. The Supplier will also ensure that it does not knowingly or negligently fail to do something that places CCS or any Buyer in breach of its obligations of the Data Protection Legislation. This is an absolute obligation and is not qualified by any other provision of the Call-Off Contract. 15.10 The Supplier agrees to use the appropriate organisational, operational and technological processes and procedures to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-security- policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications securityclassifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation of Information Systems at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-code-of-practice/technology-code-of-practice ofpractice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.

Buyer Data. The Supplier must not remove any proprietary notices in the Buyer Data. . 13.1 The Supplier will not store or use Buyer Data except if necessary to fulfil its obligations. . 13.2 If Buyer Data is processed by the Supplier, the Supplier will supply the data to the Buyer as requested. . 13.3 The Supplier must ensure that any Supplier system that holds any Buyer Data is a secure system that complies with the Supplier’s and Buyer’s security policy and all Buyer requirements in the Order Form. . 13.4 The Supplier will preserve the integrity of Buyer Data processed by the Supplier and prevent its corruption and loss. . 13.5 The Supplier will ensure that any Supplier system which holds any protectively marked Buyer Data or other government data will comply with: ● the principles in the Security Policy Framework at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/security-policy-framework and the Government Security Classification policy at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/government-security-classifications ● guidance issued by the Centre for Protection of National Infrastructure on Risk Management at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/content/adopt-risk-management-approach and Accreditation Protection of Sensitive Information Systems and Assets at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/protection-/protection- sensitive-information-and-assets ● the National Cyber Security Centre’s (NCSC) information risk management guidance, available at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/collection/risk-management-collection ● government best practice in the design and implementation of system components, including network principles, security design principles for digital services and the secure email blueprint, available at ▇▇▇▇▇://▇▇▇.▇▇▇.▇▇/government/publications/technology-technology- code-of-practice/technology-code-of-practice ● the security requirements of cloud services using the NCSC Cloud Security Principles and accompanying guidance at ▇▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇.▇▇/guidance/implementing-cloud-cloud- security-principles principles 13.6 The Buyer will specify any security requirements for this project in the Order Form. . 13.7 If the Supplier suspects that the Buyer Data has or may become corrupted, lost, breached or significantly degraded in any way for any reason, then the Supplier will notify the Buyer immediately and will (at its own cost if corruption, loss, breach or degradation of the Buyer Data was caused by the action or omission of the Supplier) comply with any remedial action reasonably proposed by the Buyer. . 13.8 The Supplier agrees to use the appropriate organisational, operational and technological processes to keep the Buyer Data safe from unauthorised use or access, loss, destruction, theft or disclosure. . 13.9 The provisions of this clause 13 will apply during the term of this Call-Off Contract and for as long as the Supplier holds the Buyer’s Data.