Common use of COMPETENT SUPERVISORY AUTHORITY Clause in Contracts

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 A. Data importer/sub-processor has implemented and shall maintain a security program in accordance with industry standards. B. More specifically, data importer/sub-processor’s security program shall include: Data importer/sub-processor implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the personal data are processed or used, including: establishing security areas; protection and restriction of access paths; establishing access authorizations for employees and third parties, including the respective documentation; all access to the data center where personal data are hosted is logged, monitored, and tracked; and the data center where personal data are hosted is secured by a security alarm system, and other appropriate security measures. Data importer/sub-processor implements suitable measures to prevent their data processing systems from being used by unauthorized persons, including: use of adequate encryption technologies; identification of the terminal and/or the terminal user to the data importer/sub-processor and processing systems; automatic temporary lock-out of user terminal if left idle, identification and password required to reopen; automatic temporary lock-out of the user ID when several erroneous passwords are entered, log file of events, monitoring of break-in-attempts (alerts); and all access to data content is logged, monitored, and tracked. Data importer/sub-processor commits that the persons entitled to use their data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. 
This shall be accomplished by various measures including: employee policies and training in respect of each employee’s access rights to the personal data; allocation of individual terminals and/or terminal user, and identification characteristics exclusive to specific functions; roles; monitoring capability in respect of individuals who delete, add or modify the personal data; release of data only to authorized persons, including allocation of differentiated access rights and use of adequate encryption technologies; and control of files, controlled and documented destruction of data. Data importer/sub-processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss, including: infrastructure redundancy; and backup is stored at an alternative site and available for restore in case of failure of the primary system. Data importer/sub-processor implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by various measures including: use of adequate firewall, VPN and encryption technologies to protect the gateways and pipelines through which the data travels; certain highly confidential employee data (e.g., personally identifiable information such as National ID numbers, credit or debit card numbers) is also encrypted within the system; and providing user alert upon incomplete transfer of data (end to end check); and as far as possible, all data transmissions are logged, monitored and tracked. 
Input Control Data importer/sub-processor implements suitable input control measures, including: an authorization policy for the input, reading, alteration and deletion of data; authentication of the authorized personnel; protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data; utilization of unique authentication credentials or codes (passwords); providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked; automatic log-off of user IDs that have not been used for a substantial period of time; and proof established within data importer/sub-processor’s organization of the input authorization; and electronic recording of entries. Data importer/sub-processor implements suitable measures to ensure that data collected for different purposes can be processed separately, including: access to data is separated through application security for the appropriate users; modules within the data importer/sub-processor’s database separate which data is used for which purpose, i.e. by functionality and function; at the database level, data is stored in different normalized tables, separated per module, per Controller Customer or function they support; and interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.

Appears in 3 contracts

Sources: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13:
A. Measures to ensure security of processing
1. Entrance Control
Appropriate measures preventing unauthorized persons from gaining access to the data processing systems on which personal data are processed or used:
• Visitors need to register; date and time of arrival, time of leaving the building as well as the name of the person being visited shall be recorded; visitors shall be accompanied by an authorized person at all times;
• All office units are secured by an “access control system”. Access to the office units is granted with an activated entry card only;
• CCTV covers appropriate areas (e.g. entrances to data centers);
• Data centers are located in separated areas with special access requirements; Additionally, authorized persons are instructed to grant access to persons known to them only;
• Security guard service for the main, operational buildings is provided;
• Outside areas may be under video surveillance or under monitoring by a security service.
2. Admission Control
Appropriate measures preventing unauthorized persons from using data processing systems.
• Access to IT systems is granted only to a user when registered under a valid username and password;
• Internal password policy requires periodical mandatory password changes and minimum length and the use of special characters;
• Policy includes automatic computer lock after a short period, with renewed access to the PC only after new registration with a valid username and password;
• Outside network access requires a two-factor-authentication.
3. Access Control
Appropriate measures ensuring that the persons entitled to use a data processing system have access only to the data to which they should have the right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage:
• Access authorization is issued in respect of the specific area of work to which the employee is assigned (work roles);
• Policy requires regular verification of access authorizations.
4. Separation Control
Appropriate measures ensuring that data collected for different purposes can be processed separately:
• Personal data of different controllers shall be processed separately;
• Functional separation between test and production systems is employed.
B. Measures to ensure integrity of processing
1. Transmission Control
Appropriate measures ensuring that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is made:
• Encrypted data transfer when handling confidential data and when accessing the company network;
• Sensitive Personal Data is saved encrypted on employees’ laptops;
• Monitor for suspicious data traffic;
• Restrictive usage of Wireless LAN;
• Restrictive remote-access to the NetWitness network (using two-factor-authentication);
• External access to the internet from internal networks by employees or the use of Wireless LAN within the office building is provided only via internal IT systems, a User-ID, an individual password and encrypted connections;
• Data media shall be disposed of in accordance with data protection policies by use of safety container and document shredders; magnetic data storage media shall be destroyed physically, or erased using industry recognized processes; compliance with guidelines concerning erasure and/or destruction of data storage media and documents;
• In case of remote support (screen sharing), the connection will be encrypted and requires an affirmative action from the customer.
2. Input Control
Appropriate measures ensuring the possibility to check and establish whether and by whom personal data have been input into data processing systems, accessed, modified or removed:
• When using relevant applications, access is automatically recorded;
• In case of remote-support, the customer can terminate the data processing or support activity at any time.
C. Measures to ensure availability and resilience of processing
1. Job Control
No Processing according to Art. 28 GDPR shall take place without Controller’s instructions, clear contract drafting, formalized assignment management, strict vetting processes and checks.
• Subcontractors are on-boarded in globally consistent processes. During the onboarding process, subcontractors are carefully vetted and must contractually commit to consistent compliance standards;
• Subcontractors are regularly reviewed for compliance with their contractual and legal obligations;
• The processor and his subcontractors shall agree on provisions substantially equivalent to the provisions agreed between the controller and the processor.
2. Availability Control
Appropriate measures ensuring that personal data are protected from accidental destruction or loss:
• Anti-virus software is installed on all applicable systems;
• Protection of the network via Firewall;
• Network segmentation;
• Use of content filter/Proxys;
• Interruption-free power supply for all critical systems;
• Regular generation of backups of relevant data;
• Fire safety system;
• Emergency/ Disaster recovery plans;
• Air-conditioned server rooms.

Appears in 2 contracts

Sources: Data Processing Addendum, Data Processing Addendum

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 A. Data importer/sub-processor has implemented and shall maintain a security program in accordance with industry standards. B. More specifically, data importer/sub-processor’s security program shall include: Data importer/sub-processor implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely telephones, database and application servers and related hardware) where the personal data are processed or used, including: establishing security areas; protection and restriction of access paths; establishing access authorizations for employees and third parties, including the respective documentation; all access to the data center where personal data are hosted is logged, monitored, and tracked; and the data center where personal data is hosted is secured by a security alarm system, and other appropriate security measures. Data importer/sub-processor implements suitable measures to prevent their data processing systems from being used by unauthorized persons, including: use of adequate encryption technologies; identification of the terminal and/or the terminal user to the data importer/sub-processor and processing systems; automatic temporary lock-out of user laptop if left idle, identification and password required to reopen; automatic temporary lock-out of the user ID when several erroneous passwords are entered, log file of events, monitoring of break-in-attempts (alerts); and all access to data content is logged, monitored, and tracked. Data importer/sub-processor commits that the persons entitled to use their data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. 
This shall be accomplished by various measures including: employee policies and training in respect of each employee’s access rights to the personal data; allocation of individual terminals and/or terminal user, and identification characteristics exclusive to specific functions; roles; monitoring capability in respect of individuals who delete, add or modify the personal data; release of data only to authorized persons, including allocation of differentiated access rights and roles; use of adequate encryption technologies; and control of files, controlled and documented destruction of data. Data importer/sub-processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss, including: infrastructure redundancy; and backup is stored at an alternative site and available for restore in case of failure of the primary system. Data importer/sub-processor implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by various measures including: use of adequate firewall, VPN and encryption technologies to protect the gateways and pipelines through which the data travels; certain highly confidential employee data (e.g., personally identifiable information such as National ID numbers, credit or debit card numbers) is also encrypted within the system; and providing user alert upon incomplete transfer of data (end to end check); and as far as possible, all data transmissions are logged, monitored and tracked. 
Input Control Data importer/sub-processor implements suitable input control measures, including: an authorization policy for the input, reading, alteration and deletion of data; authentication of the authorized personnel; protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data; utilization of unique authentication credentials or codes (passwords); providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked; automatic log-off of user IDs that have not been used for a substantial period of time; and proof established within data importer/sub-processor’s organization of the input authorization; and electronic recording of entries. Data importer/sub-processor implements suitable measures to ensure that data collected for different purposes can be processed separately, including: access to data is separated through application security for the appropriate users; modules within the data importer/sub-processor’s database separate which data is used for which purpose, i.e. by functionality and function; at the database level, data is stored in different normalized tables, separated per module, per Controller Customer or function they support; and interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately.

Appears in 2 contracts

Sources: Data Processing Addendum, Data Processing Agreement

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13:
A. Measures to ensure security of processing
1. Entrance Control
Appropriate measures preventing unauthorized persons from gaining access to the data processing systems on which personal data are processed or used:
• Visitors need to register; date and time of arrival, time of leaving the building as well as the name of the person being visited shall be recorded; visitors shall be accompanied by an authorized person at all times;
• All office units are secured by an “access control system”. Access to the office units is granted with an activated entry card only;
• CCTV covers appropriate areas (e.g., entrances to data centers);
• Data centers are located in separated areas with special access requirements; Additionally, authorized persons are instructed to grant access to persons known to them only;
• Security guard service for the main, operational buildings is provided;
• Outside areas may be under video surveillance or under monitoring by a security service.
2. Admission Control
Appropriate measures preventing unauthorized persons from using data processing systems.
• Access to IT systems is granted only to a user when registered under a valid username and password;
• Internal password policy requires periodical mandatory password changes, a minimum length, and the use of special characters;
• Policy includes automatic computer lock after a short period, with renewed access to the PC only after new registration with a valid username and password;
• Outside network access requires a two-factor-authentication.
3. Access Control
Appropriate measures ensuring that the persons entitled to use a data processing system have access only to the data to which they should have the right of access, and that personal data cannot be read, copied, modified, or removed without authorization in the course of processing or use and after storage:
• Access authorization is issued in respect of the specific area of work to which the employee is assigned (work roles);
• Policy requires regular verification of access authorizations;
4. Separation Control
Appropriate measures ensuring that data collected for different purposes can be processed separately:
• Personal data of different controllers shall be processed separately;
• Functional separation between test and production systems is employed.
B. Measures to ensure integrity of processing
1. Transmission Control
Appropriate measures ensuring that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is made:
• Encrypted data transfer when handling confidential data and when accessing the company network;
• Sensitive Personal Data is saved and encrypted on employees’ laptops;
• Monitor for suspicious data traffic;
• Restrictive usage of Wireless LAN;
• Restrictive remote-access to the RSA network (using two-factor-authentication);
• External access to the internet from internal networks by employees or the use of Wireless LAN within the office building is provided only via internal IT systems, a User-ID, an individual password and encrypted connections;
• Data media shall be disposed of in accordance with data protection policies by use of safety container and document shredders; magnetic data storage media shall be destroyed physically, or erased using industry recognized processes; compliance with guidelines concerning erasure and/or destruction of data storage media and documents;
• In case of remote support (screen sharing), the connection will be encrypted and requires an affirmative action from the customer.
2. Input Control
Appropriate measures ensuring the possibility to check and establish whether and by whom personal data have been input into data processing systems, accessed, modified, or removed:
• When using relevant applications, access is automatically recorded;
• In case of remote support, the customer can terminate the data processing or support activity at any time.
C. Measures to ensure availability and resilience of processing
1. Job Control
No Processing according to Art. 28 GDPR shall take place without Controller’s instructions, clear Contract drafting, formalized assignment management, strict vetting processes and checks.
• Subcontractors are on-boarded in globally consistent processes. During the onboarding process, subcontractors are carefully vetted and must contractually commit to consistent compliance standards;
• Subcontractors are regularly reviewed for compliance with their contractual and legal obligations;
• The Processor and Processor’s subcontractors shall agree on provisions substantially equivalent to the provisions agreed between the Controller and Processor;
2. Availability Control
Appropriate measures ensuring that personal data are protected from accidental destruction or loss:
• Anti-virus software is installed on all applicable systems;
• Protection of the network via Firewall;
• Network segmentation;
• Use of content filter/Proxys;
• Interruption-free power supply for all critical systems;
• Regular generation of backups of relevant data;
• Fire safety system;
• Emergency/ Disaster recovery plans;
• Air-conditioned server rooms.

Appears in 2 contracts

Sources: Data Processing Addendum, Data Processing Addendum

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13
a. Controls to specify authorized individuals permitted to access Personal Data
b. Access control process to avoid unauthorized access to Simplesat’s premises
c. Access control process to restrict access to data centers and/or rooms where data servers are located
d. Utilization of video surveillance and alarm devices with reference to access areas
e. Process to ensure that personnel without access authorization (e.g., technicians, cleaning personnel) are accompanied all times when access data Processing areas
Simplesat shall implement and maintain the following data security program measures in addition to the measures stated in the Agreement and in accordance with Data Protection Laws.
Access Control
Unauthorized persons shall be prevented from gaining physical access to premises, buildings, or rooms where data processing systems are located which Process Personal Data. Exceptions may be granted for the purpose of auditing the facilities to third-party auditors as long as such auditors are supervised by Simplesat and do not get access to Personal Data themselves. Simplesat has (without limitation) implemented the following controls:
System Access Control
Data Processing systems must be prevented from being used without authorization. Simplesat has (without limitation) implemented the following controls:
System Access Control
a. Controls to ensure that all systems Processing Personal Data (this includes remote access) are password protected during start up to prevent unauthorized persons from accessing any Personal Data
b. Provision of dedicated user IDs for authentication against systems user management for every individual
c. Assignment of individual user passwords for authentication
d. Controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for those personnel to access Personal Data in the performance of their function
e. Implementation of a password policy that prohibits the sharing of passwords, outlines processes after a disclosure of a password, and requires the regular change of passwords
f. Controls to ensure that passwords are always stored in encrypted form
g. Implementation of a proper procedure to deactivate a user account when a user leaves Simplesat or the function
h. Implemented a proper process to adjust administrator permissions when an administrator leaves Simplesat or the function
i. Implementation of a process to log all access to systems
Data Access Control
Persons entitled to use a data Processing system shall gain access only to the data to which they have a right of access, and Personal Data must not be read, copied, modified, or removed without authorization in the course of Processing. Simplesat has (without limitation) implemented the following controls:
Data Transmission Control
Personal Data must not be read, copied, modified, or removed without authorization during transfer or storage, and it shall be possible to establish to whom Personal Data was transferred. Simplesat has (without limitation) implemented the following controls:
Data Entry Control
Simplesat shall be able retrospectively to examine and establish whether and by whom Personal Data have been entered into data Processing systems, modified, or removed. Simplesat has (without limitation) implemented the following controls:
a. Controls to restrict access to files and programs on a “need-to-know-basis”
b. Storage of physical media containing Personal Data in secured areas
c. Controls to grant access only to authorized personnel and to assign only the minimum permissions necessary for those personnel to access Personal Data in the performance of their function
a. Transportation of physical media containing Personal Data in sealed containers
b. Retention of shipping and delivery notes
a. Controls to log administrators' and users' activities
b. Controls to permit only authorized personnel to modify any Personal Data within the scope of their function
Personal Data being Processed in the performance of the Service shall be Processed solely in accordance with the Agreement and in accordance with appropriate instructions. Simplesat has (without limitation) implemented the following controls:
Availability Control
Personal Data shall be protected against disclosure, and accidental or unauthorized destruction or loss. Simplesat has (without limitation) implemented the following controls:
Organizational Requirements
The internal organization of Simplesat shall meet the specific requirements of data protection. In particular, Simplesat shall take technical and organizational measures to avoid the accidental mixing of Personal Data. Simplesat has (without limitation) implemented the following controls:
a. Controls to ensure processing of Personal Data only for contractual performance
b. Controls to ensure staff members and contractors comply with written instructions or contracts
c. Controls to ensure that data collected for different purposes is always physically or logically separated so that, in each step of the Processing, the customer from whom Personal Data originates can be identified.
a. Controls to ensure that Personal Data is not used for any purpose other than for the purposes it has been contracted to perform
b. Controls to prevent removal of Personal Data from Simplesat's business computers or premises for any reason (unless Customer has specifically authorized such removal for business purposes).
c. Implementation of network firewalls to prevent unauthorized access to systems and services
a. Designation of a person responsible for data protection

Appears in 1 contract

Sources: Data Processing Addendum

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13:
A. Measures to ensure security of processing
1. Entrance Control
Appropriate measures preventing unauthorized persons from gaining access to the data processing systems on which personal data are processed or used:
• Visitors need to register; date and time of arrival, time of leaving the building as well as the name of the person being visited shall be recorded; visitors shall be accompanied by an authorized person at all times;
• All office units are secured by an “access control system”. Access to the office units is granted with an activated entry card only;
• CCTV covers appropriate areas (e.g. entrances to data centers);
• Data centers are located in separated areas with special access requirements; Additionally, authorized persons are instructed to grant access to persons known to them only;
• Security guard service for the main, operational buildings is provided;
• Outside areas may be under video surveillance or under monitoring by a security service.
2. Admission Control
Appropriate measures preventing unauthorized persons from using data processing systems.
• Access to IT systems is granted only to a user when registered under a valid username and password;
• Internal password policy requires periodical mandatory password changes and minimum length and the use of special characters;
• Policy includes automatic computer lock after a short period, with renewed access to the PC only after new registration with a valid username and password;
• Outside network access requires a two-factor-authentication.
3. Access Control
Appropriate measures ensuring that the persons entitled to use a data processing system have access only to the data to which they should have the right of access, and that personal data cannot be read, copied, modified or removed without authorization in the course of processing or use and after storage:
• Access authorization is issued in respect of the specific area of work to which the employee is assigned (work roles);
• Policy requires regular verification of access rights authorizations.
4. Separation Control
Appropriate measures ensuring that data collected for different purposes can be processed separately:
• Personal data of different controllers shall be processed separately;
• Functional separation between test and production systems is employed.
B. Measures to ensure integrity of processing
1. Transmission Control
Appropriate measures ensuring that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is made:
• Encrypted data transfer when handling confidential data and when accessing the company network;
• Sensitive Personal Data is saved encrypted on employees’ laptops;
• Monitor for suspicious data traffic;
• Restrictive usage of Wireless LAN;
• Restrictive remote-access to the SecurID network (using two-factor-authentication);
• External access to the internet from internal networks by employees or the use of Wireless LAN within the office building is provided only via internal IT systems, a User-ID, an individual password and encrypted connections;
• Data media shall be disposed of in accordance with data protection policies by use of safety container and document shredders; magnetic data storage media shall be destroyed physically, or erased using industry recognized processes; compliance with guidelines concerning erasure and/or destruction of data storage media and documents;
• In case of remote support (screen sharing), the connection will be encrypted and requires an affirmative action from the customer.
2. Input Control
Appropriate measures ensuring the possibility to check and establish whether and by whom personal data have been input into data processing systems, accessed, modified or removed:
• When using relevant applications, access is automatically recorded;
• In case of remote-support, the customer can terminate the data processing or support activity at any time.
C. Measures to ensure availability and resilience of processing
1. Job Control
No Processing according to Art. 28 GDPR shall take place without Controller’s instructions, clear contract drafting, formalized assignment management, strict vetting processes and checks.
• Subcontractors are on-boarded in globally consistent processes. During the onboarding process, subcontractors are carefully vetted and must contractually commit to consistent compliance standards;
• Subcontractors are regularly reviewed for compliance with their contractual and legal obligations;
• The processor and his subcontractors shall agree on provisions substantially equivalent to the provisions agreed between the controller and the processor.
2. Availability Control
Appropriate measures ensuring that personal data are protected from accidental destruction or loss, including:
• Anti-virus software is installed on all applicable systems;
• Protection of the network via Firewall;
• Network segmentation;
• Use of content filter/Proxys;
• Interruption-free power supply for all critical systems;
• Regular generation of backups of relevant data;
• Fire safety system;
• Emergency/ Disaster recovery plans;
• Air-conditioned server rooms.

Appears in 1 contract

Sources: Data Processing Addendum

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority as identified in Clause 13 – Any independent public authority, which is established by an EU Member State pursuant to the GDPR
1. Data Importer shall establish a procedure for allowing access to Data Exporter Personal Data and restriction of such access. Data Importer shall ensure that access to Data Exporter Personal Data is strictly limited to those individuals who "need to know" or need to access the relevant Data Exporter Personal Data and as strictly necessary for the purpose of providing the Services and shall keep record of the persons authorised to access the Data Exporter Personal Data.
2. Data Importer shall take all steps reasonably necessary to ensure the reliability of the individuals who may have access to Data Exporter Personal Data and shall ensure that each such individual (i) is informed of the confidential nature of Data Exporter Personal Data; (ii) has received appropriate training on his/her responsibilities; and (iii) is subject to written confidentiality undertakings and signs written security protocols.
3. To the extent required under applicable law, Data Importer shall implement physical measures to ensure that access to the Data Exporter Personal Data is granted only to authorized users.
4. Data Importer shall maintain and implement sufficient and appropriate (based on the type of Data Exporter Personal Data and its sensitivity) environmental, physical and logical security measures with respect to Data Exporter Personal Data and to Data Importer’s system's infrastructure, data processing system (including the system in which the Data Exporter Personal Data is processed), communication means, terminals, system architecture, hardware and software, in order to prevent penetration and unauthorized persons from gaining access to Data Exporter Personal Data or to the system or communication lines between Data Exporter and Data Importer. Data Importer further agrees that systems on which Data Exporter Personal Data is processed shall be located in a secure location, which may be accessed only by properly authorized employees.
5. Data Importer shall list all components (hardware and software) used to process Data Exporter Personal Data, including computer systems, communication equipment, and software. Data Importer shall use such list to continuously monitor such components and identify weaknesses and risks for the purpose of implementing appropriate security measures to mitigate them.
6. The Data Importer shall act in accordance with an appropriate security policy and working procedures that comply with the security requirements under this Appendix and privacy laws, including with respect to backup and recovery procedures. Data Importer shall review its security policies and operating procedures periodically and not less than on an annual basis, and when material changes to the systems or processing are made, all in order to amend them, if required.
7. Data Importer shall take measures to record the access to the Data Exporter Personal Data, including recording the exit or entry of any employee for or into the facilities where the Data Exporter Personal Data is processed, as well as any equipment brought in or taken out of such facilities.
8. Data Importer shall implement automatic control mechanism for verifying access to systems containing Data Exporter Personal Data, which shall include, inter alia, the user identity, date and time of access attempt, the system component attempted to be accessed, type and scope of access and if access was granted or denied. Data Importer shall periodically monitor the information from the control mechanism, list issues and irregularities and the measures taken to handle them. Control records shall be maintained for a minimum of 24 months. Data Importer records and any related reports and measures will be shared with Data Exporter, upon request, and to extent required under applicable law, such records shall be backed-up by Data Importer.
9. Data Importer will perform security risk survey and penetration testing, at least once every 18 months and shall make required amendments in case of any irregularities are discovered. Data Importer records and any related reports and measures related to the risk survey and penetration testing will be shared with Data Exporter, upon request.

Appears in 1 contract

Sources: Data Processing Agreement

COMPETENT SUPERVISORY AUTHORITY. In the jurisdiction of the Data Controller
Processor has implemented technical and organizational measures that conform to SOC2 Trust Services Principles that apply to Processor Deliverables or Services (collectively, “Contracted Services”) provided by Processor to Controller. On an annual basis, Processor will provide a current or updated attestation certification showing date of validity. Processor must provide Controller a copy of each such report within thirty (30) days of Processor's receipt thereof or promptly upon Controller’s request. In addition:
1. Processor will protect all Controller’s Personal Data from disclosure as set forth in the service agreements and herein, to Processor employees, contractors, and sub-processors on need basis and, unless Controller agrees otherwise in writing, only to the extent necessary to deliver the Contracted Service.
2. Processor will maintain and follow employment verification requirements for its employees based on the level of exposure to the data of the data subjects.
3. In addition to Processor's obligations as set forth regarding security incidents and Personal Data Breaches of the terms in the service agreements, Processor will provide Controller with reasonable information requested about such security incident and status of applicable remediation and restoration activities performed or directed by Processor.
4. Processor shall maintain physical safeguards of its premises as required under the laws, and require its sub processors to ensure similar level of physical safeguards are applied to areas where any personal data are processed.
5. Processor will maintain or enable, to the extent possible, a minimum of logical separation of Controller’s Personal Data from other customer data. Processor will maintain measures designed to prevent Controller’s Personal Data from being exposed to or accessed by unauthorized persons.
6. With each Contracted Service, as applicable, Processor will enlist a qualified and reputable independent third party to perform penetration testing at least annually. Such penetration testing will include, at a minimum, application security scanning, system vulnerability scanning, and manual ethical hacking activities. Processor will use due diligence to remediate any vulnerabilities found. Processor will provide Controller with attestations confirming that such testing has occurred, which will include confirmation that (i) no material items were found; or (ii) the appropriate remediation measures were taken.

Appears in 1 contract

Sources: Data Processing Addendum

COMPETENT SUPERVISORY AUTHORITY. The data exporter’s competent supervisory authority/ies will be determined in accordance with the GDPR. Dragos’s administrative, physical, organizational and technical measures shall include, at a minimum, the following: Implementation of accountability principles and documentation of operations related to data processing and data security. This is accomplished through: ▪ Drafting, implementing and monitoring an extensive company-wide IT Security Policy and Standards for IT Assets; and ▪ Applying Confidentiality and Non-Disclosure Agreements where appropriate and as described in Dragos Policies. Implementation of suitable measures in order to prevent unauthorised persons from gaining access to the data processing equipment used to process the Personal Data. This is accomplished through: ▪ Keys and card key systems; ▪ building security; and ▪ CCTV. Implementation of suitable measures to prevent their data processing systems from being used by unauthorised persons. This is accomplished through: ▪ Individual user ID's and strong passwords subject to minimum security requirements for staff members; ▪ Mandatory password changes on regular intervals; ▪ Acceptable use policies for IT Assets such as PC's and mobile phones and applications; ▪ Strict on- and off-boarding policies for staff members; ▪ Lock out of user accounts after a limited number of failed log-in attempts; and ▪ Advanced firewalls, PEN testing, anti-virus and spam scanning. The persons entitled to use its data processing systems are only able to access the data within the scope and to the extent covered by their respective access permission (authorisation) and that the Personal Data cannot be read, copied or modified or removed without authorisation. This shall be accomplished by: ▪ Access management on strict need-to-know principles, job duties, project responsibilities and actual business activities; and ▪ Strict VPN corporate network requirements. Implementation of suitable measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorised parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged. This shall be accomplished by: ▪ Firewall and encryption technologies to protect the gateways and pipelines through which the data travels; and ▪ Monitoring of encryption technologies. Implementation of suitable measures to ensure that it is possible to check and establish whether, when, by whom and for what reason Personal Data have been input into data processing systems or otherwise processed. This shall be accomplished by: ▪ Authentication of the authorised users via user ID and passwords; ▪ Restricted physical access to processing areas; and ▪ System time-out after non-activity for a pre-determined time period. Personal data may only be processed in accordance with the DPA and Customer’s instructions. This shall be accomplished by information & security training and policies & procedures for staff. Implementing suitable measures to ensure that Personal Data are protected from accidental destruction or loss. This shall be accomplished by: ▪ Backup and disaster recovery management; and ▪ Offsite backup storage. Implementing suitable measures to ensure that Personal Data that are intended for different purposes can be processed separately. This shall be accomplished by: ▪ Access to Personal Data being restricted via user authorization passwords; ▪ Function separation of Personal Data of different customers; and ▪ Use of Personal Data being application specific. As set forth in section 9 of the DPA. Customer consents to Dragos engaging the subprocessors found at: ▇▇▇▇▇://▇▇▇.▇▇▇▇▇▇.▇▇▇/subprocessors/. (a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (i) for the transfer of data to a third country. (b) The Parties: (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’). (c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B. (d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Appears in 1 contract

Sources: Data Processing Agreement

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission. Licensor shall implement and maintain the controls listed in this Annex II in accordance with industry standards generally accepted by information security professionals as necessary to reasonably protect Personal Data during storage, processing and transmission. Technical and organizational measures in order to prevent unauthorized persons from gaining access to the data Processing systems available in premises and facilities (including databases, application servers and related hardware), where Personal Data are Processed, include: (a) establishing security areas, restriction of access paths; (b) establishing access authorizations for employees and third parties; (c) access control system (ID reader, magnetic card, chip card); (d) key management, card-keys procedures; (e) door locking (electric door openers etc.); (f) security staff, janitors; (g) surveillance facilities, video/CCTV monitor, alarm system; and (h) Securing decentralized data Processing equipment and personal computers. Technical and organizational measures to prevent data Processing systems from being used by unauthorized persons include: (a) user identification and authentication procedures; (b) ID/password security procedures (special characters, minimum length, change of password); (c) automatic blocking (e.g. password or timeout); (d) monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts; (e) creation of one master record per user, user-master data procedures per data Processing environment; and (f) encryption of archived data media. Technical and organizational measures to ensure that the persons entitled to use a data Processing system gain access only to such Personal Data in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization, include: (a) internal policies and procedures; (b) control authorization schemes; (c) differentiated access rights (profiles, roles, transactions and objects); (d) monitoring and logging of accesses; (e) disciplinary action against employees who access Personal Data without authorization; (f) reports of access; (g) access procedure; (h) change procedure; (i) deletion procedure; and (j) encryption.

Appears in 1 contract

Sources: Contract for Aws Marketplace