Common use of Security Incident Notification Clause in Contracts

Security Incident Notification. If R3 becomes aware of a personal data breach which is likely to result in a risk to the rights and freedom of natural persons while processed by R3 (each a “Security Incident”), R3 will without undue delay (1) notify Customer of the Security Incident and provide Customer with detailed information about the Security Incident; (2) investigate the cause of the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Notification(s) of Security Incidents will be delivered to Customer by any means R3 selects, including via email. It is Customer’s sole responsibility to ensure that R3 has accurate contact information for delivery of such notifications. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident, but R3 shall give Customer such assistance as Customer reasonably requests and R3 is reasonably able to provide in relation to the performance of any such third party notification obligations which arise as a result of a breach by R3 of this Addendum. R3’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by R3 of any fault or liability with respect to the Security Incident. Customer must notify R3 promptly about any possible misuse of its accounts or authentication credentials or any security incident related to a Product or Service. Data Transfers and Location Customer Personal Data that R3 processes about the Customer may be transferred to, and stored and processed in, the United States or any other country in which R3 or its Affiliates or sub-contractors (“Subprocessors”) with access to Customer Personal Data operate. Customer appoints R3 to perform any such transfer of Customer Personal Data to any such country and to store and process Customer Personal Data to provide the Products and Services. All transfers of Customer Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.

Security Incident Notification. If R3 becomes aware of a personal data breach which is are likely to result in a risk to the rights and freedom of natural persons while processed by R3 (each a “Security Incident”), R3 will without undue delay (1) notify Customer of the Security Incident and provide Customer with detailed information about the Security Incident; (2) investigate the cause of the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident. Notification(s) of Security Incidents will be delivered to Customer one or more of Customer’s administrators by any means R3 selects, including via email. It is Customer’s sole responsibility to ensure that R3 has Customer’s administrators maintain accurate contact information for delivery of such notificationson each applicable Service portal. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident, but R3 shall give Customer such assistance as Customer reasonably requests and R3 is reasonably able to provide in relation to the performance of any such third party notification obligations which arise as a result of a breach by R3 of this Addendum. R3’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by R3 of any fault or liability with respect to the Security Incident. Customer must notify R3 promptly about any possible misuse of its accounts or authentication credentials or any security incident related to a Product or Service. Data Transfers and Location Personal Customer Personal Data that R3 processes about the Customer may be transferred to, and stored and processed in, the United States or any other country in which R3 or its Affiliates affiliates or sub-contractors (“Subprocessors”) with access to Personal Customer Personal Data operate. Customer appoints R3 to perform any such transfer of Personal Customer Personal Data to any such country and to store and process Personal Customer Personal Data to provide the Products and Services. All transfers of Personal Customer Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.