Common use of Locations for processing Clause in Contracts

Locations for processing. 4.6.1 Censornet has the following office locations within the UK: • Basingstoke • Bristol • Lerwick, Shetland ANNEX B - Non EEA Sub-processors As at the date of this Agreement, we use the following non-EEA Sub- processors: Amazon EC2: Amazon Web Services Inc, 000 Xxxxx Xxx North, Seattle, WA, 98109-5210, United States. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. ApriorIT: (VRSoft LTD) Headquarters - 34B Kniazia Volodymyra Xxxxxxxx Xx., Xxxxxx, 00000, Xxxxxxx. Datadog, Inc.: Headquarters - 000 0xx Xxxxxx, 00xx Xxxxx, Xxx Xxxx, XX 00000, XXX. Entrust DataCard Corp: 0000 Xxxx Xxxxx, Xxxxxxxxxxx, XX 00000, XXX. Functional Software, Inc. dba Sentry: 000 Xxxxxxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000, XXX. IBM Cloud: Corporate headquarters - IBM Corporation, 0 Xxx Xxxxxxx Xxxx, Xxxxxx, Xxx Xxxx 00000-0000, Xxxxxx Xxxxxx. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. Microsoft Azure: Microsoft Ireland Operations Ltd, Atrium Building Block B, Carmenhall Road, Sandyford Industrial Estate, Dublin 18, Ireland. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. SendGrid, Inc. (part of Twilio): 0000 Xxxxxxxxxx Xxxxxx, Xxxxx 000, Xxxxxx, Xxxxxxxx 00000, XXX. Module C – Terms for Unified Security Service (USS) including Web Security (WS), Cloud Application Security (CASB), Cloud Multi-Factor Authentication (Cloud MFA), MFA powered by IntelliTrust (MFA), Compliant Email Archive (CEMA) and Autonomous Security Engine (ASE) PLEASE READ CAREFULLY BEFORE ORDERING SERVICE(S) or DOWNLOADING ANY SOFTWARE: These terms (“USS Licence Terms”) apply to the use of our Unified Security Service software that you are buying from us (“USS Software”); and any associated Documentation. We license use of the USS Software and Documentation to you on the basis of these USS Licence Terms. We do not sell the Software or Documentation to you. We remain the owners of the Software and Documentation at all times.

Locations for processing. 4.6.1 Censornet has the following office locations within the UK: • Basingstoke • Bristol • Lerwick, Shetland ANNEX B - Non EEA Sub-processors As at the date of this AgreementContract, we use the following nonSub-EEA Sub- processors: Amazon EC2: Amazon Web Services Inc, 000 Xxxxx Xxx North, Seattle, WA, 98109-5210, United StatesUSA. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. ApriorIT: (VRSoft LTD) Headquarters - 34B Kniazia Volodymyra Xxxxxxxx Xx., Xxxxxx, 00000, Xxxxxxx. Datadog, Inc.: Headquarters - 000 0xx Xxxxxx, 00xx Xxxxx, Xxx Xxxx, XX 00000, XXX. Entrust DataCard Corp: 0000 Xxxx Xxxxx, Xxxxxxxxxxx, XX 00000, XXX. Functional Software, Inc. dba Sentry: 000 Xxxxxxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000, XXX. IBM Cloud: Corporate headquarters - IBM Corporation, 0 Xxx Xxxxxxx Xxxx, Xxxxxx, Xxx Xxxx 00000-0000, Xxxxxx XxxxxxXXX. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Sub- Processor options provided at the time of provisioning the systems. Microsoft Azure: Microsoft Ireland Operations Ltd, Atrium Building Block B, Carmenhall Road, Sandyford Industrial Estate, Dublin 18, Ireland. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. SendGrid, Inc. (part of Twilio): 0000 Xxxxxxxxxx Xxxxxx, Xxxxx 000, Xxxxxx, Xxxxxxxx 00000, XXX. Module C – Terms for Unified Security Service Please note this Sub-processor is only used if MFA is enabled on portal (USS) including Web logins. Sorry App Limited: Building 0, Xxx Xxxxxxx Xxxxxxxx Xxxx, Xxxxxxxx, Xxxx Xxxxxx, XX, GU28 0JF. Please note this Sub-processor is only used if Customers subscribe to system status updates/notifications. Twilio Inc.: 000 Xxxxx Xxxxxx, Suite 300, San Francisco, CA 94105, USA. Please note this Sub- processor is only used if MFA is enabled on portal (USS) logins. Vade Secure Inc.: 000 Xxxxxxx Xxxxxx, Xxxxx 0 – Xxx Xxxxxxxxx, XX 00000, XXX. Please note this Sub-processor is only used if Email Security (WS), Cloud Application Security (CASB), Cloud Multi-Factor Authentication (Cloud MFA), MFA powered by IntelliTrust (MFA), Compliant Email Archive (CEMA) and Autonomous Security Engine (ASE) PLEASE READ CAREFULLY BEFORE ORDERING SERVICE(S) or DOWNLOADING ANY SOFTWARE: These terms (“USS Licence Terms”) apply to the use of our Unified Security Service software that you are buying from us (“USS Software”); and any associated Documentationis purchased/used. We license use of the USS Software and Documentation to you on the basis of these USS Licence Terms. We do not sell the Software or Documentation to you. We remain the owners of the Software and Documentation at all times.ANNEX C – Processing Details

Locations for processing. 4.6.1 Censornet has the following office locations within the UK: •  Basingstoke •  Bristol •  Lerwick, Shetland ANNEX B - Non EEA Sub-processors As at the date of this Agreement, we use the following nonSub-EEA Sub- processors: Amazon EC2: Amazon Web Services Inc, 000 Xxxxx Xxx North, Seattle, WA, 98109-5210, United StatesUSA. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. ApriorIT: (VRSoft LTD) Headquarters - 34B Kniazia Volodymyra Xxxxxxxxxx Xxxxxxxx Xx., Xxxxxx, 00000, Xxxxxxx. Datadog, Inc.: Headquarters - 000 0xx Xxxxxx, 00xx Xxxxx, Xxx Xxxx, XX 00000, XXX. Entrust DataCard Corp: 0000 Xxxx Xxxxx, Xxxxxxxxxxx, XX 00000, XXX. Functional Software, Inc. dba Sentry: 000 Xxxxxxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000, XXX. IBM Cloud: Corporate headquarters - IBM Corporation, 0 Xxx Xxxxxxx Xxxx, Xxxxxx, Xxx Xxxx 00000-0000, Xxxxxx XxxxxxXXX. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. Lastline Inc.: 000 Xxxxxxx Xxxxxx Xxxxxxx, Xxxxx 000, Xxxxxxx Xxxx, XX 00000, XXX. Please note this Sub-processor is only used if the ‘Sandbox Level 2’ add on is purchased/used with EMS. Microsoft Azure: Microsoft Ireland Operations Ltd, Atrium Building Block B, Carmenhall Road, Sandyford Industrial Estate, Dublin 18Xxxxxx 00, IrelandXxxxxxx. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. SendGrid, Inc. (part of Twilio): 0000 Xxxxxxxxxx Xxxxxx, Xxxxx 000, Xxxxxx, Xxxxxxxx 00000, XXX. Module C – Terms for Unified Security Service Sorry App Limited: Building 1, Old Station Business Park, Petworth, West Sussex, XX, XX00 0XX. Please note this Sub-processor is only used if Customers subscribe to system status updates/notifications. Twilio Inc.: 000 Xxxxx Xxxxxx, Suite 300, San Francisco, CA 94105, USA. Please note this Sub-processor is only used if MFA is enabled on portal (USS) logins. Vade Secure Inc.: 000 Xxxxxxx Xxxxxx, Xxxxx 2 – Xxx Xxxxxxxxx, XX 00000, XXX. Please note this Sub-processor is only used if Email Security is purchased/used. ANNEX C – Processing Details Data subjects The personal data transferred concern the following categories of data subjects (please specify):  Customers, Clients and Prospects (including their staff) Categories of data The personal data transferred concern the following categories of data (please specify):  Basic personal data (for example street name and building number or name (address), postal code, city, country, mobile phone number, first name, last name, initials, email address, domain and related data);  Authentication data (for example user name, password, audit trail);  Contact information (for example addresses, email, phone numbers, website address);  Device identification / Unique identification numbers (for example IP addresses, MAC addresses, logical tag);  Commercial Information (subscription (license) information, purchase history, payment history);  Location data (for example, geo-location network data);  Email activity (inbound and outbound email messages, including attachments);  Internet activity (for example browsing activity, cloud application activity);  Any other personal data identified in Article 4 of the GDPR. Summary of Data Processed (input / output data) by Service: Service Input Data Output Data Web Security (WS))  All http and https web requests and associated metadata  Log data relating to http and https web requests. Log information includes  Metadata includes Active Directory (AD) usernames, IP addresses and MAC addresses AD usernames, IP addresses and MAC addresses Cloud Application Security (CASB))  All http and https cloud application requests and associated metadata  Metadata includes AD usernames, IP addresses, Real Names, MAC addresses, Email addresses and any captured application data  Log data relating to http and https cloud application requests. Log information includes AD usernames, IP addresses Real Names, MAC addresses, Email addresses and any captured application data. Cloud Multi-Factor Authentication MFA (Cloud MFA))  User authentication requests and associated metadata. Metadata includes Usernames, UPNs, Common Names (Real Names) and IP addresses  Mobile phone numbers  Authentication log data. Log information includes Usernames, UPNs, Common Names (Real Names) and IP addresses MFA powered Powered by IntelliTrust (MFA))  User authentication requests and associated metadata. Metadata includes Usernames, UPNs, Common Names (Real Names) and IP addresses  Mobile phone numbers  Authentication log data. Log information includes Usernames, UPNs, Common Names (Real Names) and IP addresses Email Security (EMS)  Inbound and outbound email messages (including attachments) sent or received externally to or from the organization  Log data relating to inbound and outbound email messages sent or received externally. Log information includes IP addresses, To, From and Subject fields, server responses, and other metadata, but does not include the message body or any file attachments Email Back Up Emergency Inbox Compliant Email Archive (CEMA)  Inbound and Autonomous Security Engine outbound email messages (ASEincluding attachments) PLEASE READ CAREFULLY BEFORE ORDERING SERVICE(Ssent or received externally to or from the organization  Inbound and outbound email messages (including attachments) sent or DOWNLOADING ANY SOFTWARE: These terms received externally to or from the organization Special categories of data (“USS Licence Terms”if appropriate) apply The personal data transferred concern the following special categories of data (please specify):  None Processing operations The personal data transferred will be subject to the following basic processing activities (please specify): Data processing operations are summarised as:  Receiving data, including collection and recording  Holding data, including storage, organisation and structuring  Updating data, including adaptation, alignment and combination  Computer processing of Personal Data, including data transmission, data retrieval, data access, and network access to allow data transfer if required  Protecting data, including restricting, encrypting, and security testing. Censornet and Censornet’s Sub-processors will use of our Unified Security Service software that you are buying from us and otherwise process Personal Data only in accordance with and as described in the Master Services Agreement (“USS Software”); MSA) and any associated Documentation. We license use for Censornet’s legitimate business operations related to delivery of the USS Software and Documentation Services to you on the basis of these USS Licence Terms. We do not sell the Software or Documentation to you. We remain the owners of the Software and Documentation at all timesCustomers.

Locations for processing. 4.6.1 Censornet has the following office locations within the UK: •  Basingstoke •  Bristol •  Lerwick, Shetland ANNEX B - Non EEA Sub-processors As at the date of this Agreement, we use the following nonSub-EEA Sub- processors: Amazon EC2: Amazon Web Services Inc, 000 Xxxxx Xxx North, Seattle, WA, 98109-5210, United StatesUSA. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. ApriorIT: (VRSoft LTD) Headquarters - 34B Kniazia Volodymyra Xxxxxxxx Xx., Xxxxxx, 00000, Xxxxxxx. Datadog, Inc.: Headquarters - 000 0xx Xxxxxx, 00xx Xxxxx, Xxx Xxxx, XX 00000, XXX. Entrust DataCard Corp: 0000 Xxxx Xxxxx, Xxxxxxxxxxx, XX 00000, XXX. Functional Software, Inc. dba Sentry: 000 Xxxxxxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000, XXX. IBM Cloud: Corporate headquarters - IBM Corporation, 0 Xxx Xxxxxxx Xxxx, Xxxxxx, Xxx Xxxx 00000-0000, Xxxxxx XxxxxxXXX. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. Lastline Inc.: 000 Xxxxxxx Xxxxxx Xxxxxxx, Xxxxx 000, Xxxxxxx Xxxx, XX 00000, XXX. Please note this Sub-processor is only used if the ‘Sandbox Level 2’ add on is purchased/used with EMS. Microsoft Azure: Microsoft Ireland Operations Ltd, Atrium Building Block B, Carmenhall Road, Sandyford Industrial Estate, Dublin 18, Ireland. The Supplier has selected either a specific EU/ESS Datacenter location, or a EU/ESS region (eg Western Europe, Northern Europe) depending on the Sub-Processor options provided at the time of provisioning the systems. SendGrid, Inc. (part of Twilio): 0000 Xxxxxxxxxx Xxxxxx, Xxxxx 000, Xxxxxx, Xxxxxxxx 00000, XXX. Module C – Terms for Unified Security Service Sorry App Limited: Building 0, Xxx Xxxxxxx Xxxxxxxx Xxxx, Xxxxxxxx, Xxxx Xxxxxx, XX, GU28 0JF. Please note this Sub-processor is only used if Customers subscribe to system status updates/notifications. Twilio Inc.: 000 Xxxxx Xxxxxx, Suite 300, San Francisco, CA 94105, USA. Please note this Sub-processor is only used if MFA is enabled on portal (USS) logins. Vade Secure Inc.: 000 Xxxxxxx Xxxxxx, Xxxxx 0 – Xxx Xxxxxxxxx, XX 00000, XXX. Please note this Sub-processor is only used if Email Security is purchased/used. ANNEX C – Processing Details Data subjects The personal data transferred concern the following categories of data subjects (please specify):  Customers, Clients and Prospects (including their staff) Categories of data The personal data transferred concern the following categories of data (please specify):  Basic personal data (for example street name and building number or name (address), postal code, city, country, mobile phone number, first name, last name, initials, email address, domain and related data);  Authentication data (for example user name, password, audit trail);  Contact information (for example addresses, email, phone numbers, website address);  Device identification / Unique identification numbers (for example IP addresses, MAC addresses, logical tag);  Commercial Information (subscription (license) information, purchase history, payment history);  Location data (for example, geo-location network data);  Email activity (inbound and outbound email messages, including attachments);  Internet activity (for example browsing activity, cloud application activity);  Any other personal data identified in Article 4 of the GDPR. Summary of Data Processed (input / output data) by Service: Service Input Data Output Data Web Security (WS))  All http and https web requests and associated metadata  Log data relating to http and https web requests. Log information includes  Metadata includes Active Directory (AD) usernames, IP addresses and MAC addresses AD usernames, IP addresses and MAC addresses Cloud Application Security (CASB))  All http and https cloud application requests and associated metadata  Metadata includes AD usernames, IP addresses, Real Names, MAC addresses, Email addresses and any captured application data  Log data relating to http and https cloud application requests. Log information includes AD usernames, IP addresses Real Names, MAC addresses, Email addresses and any captured application data. Cloud Multi-Factor Authentication MFA (Cloud MFA))  User authentication requests and associated metadata. Metadata includes Usernames, UPNs, Common Names (Real Names) and IP addresses  Mobile phone numbers  Authentication log data. Log information includes Usernames, UPNs, Common Names (Real Names) and IP addresses MFA powered Powered by IntelliTrust (MFA))  User authentication requests and associated metadata. Metadata includes Usernames, UPNs, Common Names (Real Names) and IP addresses  Mobile phone numbers  Authentication log data. Log information includes Usernames, UPNs, Common Names (Real Names) and IP addresses Email Security (EMS)  Inbound and outbound email messages (including attachments) sent or received externally to or from the organization  Log data relating to inbound and outbound email messages sent or received externally. Log information includes IP addresses, To, From and Subject fields, server responses, and other metadata, but does not include the message body or any file attachments Email Back Up Emergency Inbox Compliant Email Archive (CEMA)  Inbound and Autonomous Security Engine outbound email messages (ASEincluding attachments) PLEASE READ CAREFULLY BEFORE ORDERING SERVICE(Ssent or received externally to or from the organization  Inbound and outbound email messages (including attachments) sent or DOWNLOADING ANY SOFTWARE: These terms received externally to or from the organization Special categories of data (“USS Licence Terms”if appropriate) apply The personal data transferred concern the following special categories of data (please specify):  None Processing operations The personal data transferred will be subject to the following basic processing activities (please specify): Data processing operations are summarised as:  Receiving data, including collection and recording  Holding data, including storage, organisation and structuring  Updating data, including adaptation, alignment and combination  Computer processing of Personal Data, including data transmission, data retrieval, data access, and network access to allow data transfer if required  Protecting data, including restricting, encrypting, and security testing. Censornet and Censornet’s Sub-processors will use of our Unified Security Service software that you are buying from us and otherwise process Personal Data only in accordance with and as described in the Master Services Agreement (“USS Software”); MSA) and any associated Documentation. We license use for Censornet’s legitimate business operations related to delivery of the USS Software and Documentation Services to you on the basis of these USS Licence Terms. We do not sell the Software or Documentation to you. We remain the owners of the Software and Documentation at all timesCustomers.