Common use of Improvements to Security Clause in Contracts

Improvements to Security. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 4 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Article 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction. Where an amendment to the Service Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith. Data Transfers The Data Processor shall immediately notify the Data Controller of any (planned) permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall only perform such a (planned) transfer after obtaining authorisation from the Data Controller, which may be refused at its own discretion. Annex 4 provides a list of transfers for which the Data Controller grants its consent upon the conclusion of this Data Processing Agreement. 
To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer. Information Obligations and Incident Management When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident. 
The term “incident” used in Article 7.1 shall be understood to mean in any case: a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law; an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data; any breach of the security and/or confidentiality as set out in Articles 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place; where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident. Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1 of this Data Processing Agreement, and shall contain:

Appears in 4 contracts

Samples: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement

Improvements to Security. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 4 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Article 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction. Where an amendment to the Service Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith. Data Transfers The Data Processor shall immediately notify the Data Controller of any (planned) permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall only perform such a (planned) transfer after obtaining authorization from the Data Controller, which may be refused at its own discretion. Annex 4 provides a list of transfers for which the Data Controller grants its consent upon the conclusion of this Data Processing Agreement. 
To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer. Information Obligations and Incident Management When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident. 
The term “incident” used in Article 7.1 shall be understood to mean in any case: a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law; an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data; any breach of the security and/or confidentiality as set out in Articles 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place; where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident. Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1 of this Data Processing Agreement, and shall contain:.

Appears in 2 contracts

Samples: Data Processing Agreement, Data Processing Agreement

Improvements to Security. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 4 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Article 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction. Where an amendment to the Service Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith. Data Transfers The Data Processor shall promptly within forty-eight (48) hours notify the Data Controller of any (planned) permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall only perform such a (planned) transfer after obtaining authorisation from the Data Controller, which may be refused at its own discretion. Annex 4 provides a list of transfers for which the Data Controller grants its consent upon the conclusion of this Data Processing Agreement. 
To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer. Information Obligations and Incident Management When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify within seventy-two (72) hours the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident. 
The term “incident” used in Article 7.1 shall be understood to mean in any case: a complaint or a request with respect to the exercise of a Data Subject’s rights under EU Data Protection Law; an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; any unauthorized or accidental access, Processing, deletion, loss or any form of unlawful Processing of the Personal Data; any breach of the security and/or confidentiality as set out in Articles 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place; where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than seventy-two (72) hours of having become aware of such an incident. 
Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1 of this Data Processing Agreement, and shall contain: a description of the nature of the incident, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained; a description of the likely consequences of the incident; and a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects. Contracting with Sub-Processors The Data Controller authorises the Data Processor to engage the sub-processors in the country locations for the Service-related activities specified as described in Annex 2. Data Processor shall inform the Data Controller within five (5) days of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes. Notwithstanding any authorisation by the Data Controller within the meaning of the preceding paragraph, the Data Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such subprocessor that fails to fulfil its data protection obligations. The consent of the Data Controller pursuant to Article 8.1 shall not alter the fact that consent is required under Article 6 for the engagement of sub-processors in a country outside the European Economic Area without a suitable level of protection. 
The Data Processor shall ensure that the sub-processor is bound by the same data protection obligations of the Data Processor under this Data Processing Agreement, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of EU Data Protection Law. The Data Controller may request that the Data Processor audit a Third Party Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist customer in obtaining a third-party audit report concerning the Third Party Subprocessor’s operations) to ensure compliance with its obligations imposed by the Data Processor in conformity with this Agreement. If, within thirty (30) calendar days of receipt of notification of a proposed Subprocessor engagement, Data Controller notifies Data Processor in writing of any objections (on reasonable grounds) to the proposed engagement, Data Processor shall not appoint and shall not disclose Personal Data provided by, or created on received on behalf of, Controller under the Agreement to the proposed Subprocessor until reasonable steps have been taken to address the objections raised. If the objections are not resolved to Data Controller's satisfaction, Data Controller may terminate this Agreement. Returning or Destruction of Personal Data Upon termination of this Data Processing Agreement, or upon the Data Controller’s written request, or upon fulfilment of all purposes agreed in the context of the Services whereby no further Processing is required, the Data Processor shall, at the discretion of the Data Controller, either delete, destroy or return all Personal Data to the Data Controller and destroy or return any existing copies within thirty (30) calendar days of receiving such request. 
The Data Processor shall notify all third parties supporting its own Processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller. Assistance to Data Controller The Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights under the GDPR. The Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to Section 4 (Security) and prior consultations with supervisory authorities required under Article 36 of the GDPR taking into account the nature of Processing and the information available to the Data Processor. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller with the applicable licenses in place or another auditor mandated by the Data Controller.4 The Data Processor shall assist the Data Controller in meeting its obligation to respond to requests of Data Subjects to exercise their rights under applicable Data Protections Laws. Without limited the generality of the foregoing, these rights may include the right to access their Personal Information and rectify incorrect data, the rights of erasure and data portability, the right to restrict the Processing of the Data Subject’s Personal Information, the right to object to Processing in certain circumstances and the right not to be subject to automated decision making, including profiling. 
Service Provider shall not respond to any such requests or complaints unless expressly authorised to do so by the Data Controller and disclose any request within five (5) business days of receipt. Taking into consideration the nature of the Processing and information available to the Data Processor, the Data Processor will assist the Data Controller in meeting its obligation to carry out data protection impact assessments and prior consultations with supervising authorities (and any similar obligations under applicable Data Protection Laws) as required in relation to Processing of Personal Information. the Data Processor shall provide any information reasonably requested by the Data Controller to assist in complying with any notification, registration or other obligations applicable to the Data Controller under applicable Data Protection Laws or in accordance with the Controller policy. Duration and Termination This Data Processing Agreement shall come into effect on the signature date. Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its confidentiality obligations pursuant to Article 3. The Data Processor shall process Personal Data until the date of termination of the agreement, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on instruction of the Data Controller.

Appears in 2 contracts

Samples: Data Processing Agreement, Data Processing Agreement

Improvements to Security. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 4 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Article 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction. Where an amendment to the Service Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith. Data Transfers The Data Processor shall immediately notify the Data Controller of any (planned) permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall only perform such a (planned) transfer after obtaining authorization from the Data Controller, which may be refused at its own discretion. Annex 4 provides a list of transfers for which the Data Controller grants its consent upon the conclusion of this Data Processing Agreement. 
To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer. Information Obligations and Incident Management When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident. 
The term “incident” used in Article 7.1 shall be understood to mean in any case: a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law; an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data; any breach of the security and/or confidentiality as set out in Articles 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place; where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than 24 hours of having become aware of such an incident. Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1 of this Data Processing Agreement, and shall contain:.

Appears in 1 contract

Samples: Data Processing Agreement

Improvements to Security. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 4 on an on-going basis and will tighten, supplement and improve these measures in order to maintain compliance with the requirements set out in Article 4. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction. Where an amendment to the Service Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the Service Agreement in good faith. Data Transfers The Data Processor shall promptly within forty-eight (48) hours notify the Data Controller of any (planned) permanent or temporary transfers of Personal Data to a country outside of the European Economic Area without an adequate level of protection and shall only perform such a (planned) transfer after obtaining authorisation from the Data Controller, which may be refused at its own discretion. Annex 4 provides a list of transfers for which the Data Controller grants its consent upon the conclusion of this Data Processing Agreement. 
To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly terminate the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer. Information Obligations and Incident Management When the Data Processor becomes aware of an incident that impacts the Processing of the Personal Data that is the subject of the Services Agreement, it shall promptly notify within seventy-two (72) hours the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident. 
The term “incident” used in Article 7.1 shall be understood to mean in any case: a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law; an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data; any breach of the security and/or confidentiality as set out in Articles 3 and 4 of this Data Processing Agreement leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place; where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under applicable EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller no later than seventy-two (72) hours of having become aware of such an incident. Any notifications made to the Data Controller pursuant to this Article 7 shall be addressed to the employee of the Data Controller whose contact details are provided in Annex 1 of this Data Processing Agreement, and shall contain:

Appears in 1 contract

Samples: Data Processing Agreement
