Supplier shall:
(a) comply with all applicable Data Privacy Laws and promptly notify ▇▇▇▇▇▇▇ Aerospace in writing if Supplier believes that collecting or processing ▇▇▇▇▇▇▇ Aerospace Personal Data violates Data Privacy Laws;
(b) only collect, access, use, or share ▇▇▇▇▇▇▇ Aerospace Personal Data, or transfer ▇▇▇▇▇▇▇ Aerospace Personal Data to authorized third parties, in performance of its obligations under the Agreement, in conformance with ▇▇▇▇▇▇▇ Aerospace’s instructions, or to comply with legal obligations. Supplier will not make any secondary or other use (e.g., for the purpose of data mining) of ▇▇▇▇▇▇▇ Aerospace Personal Data except (i) as expressly authorized in writing by ▇▇▇▇▇▇▇ Aerospace, (ii) as required by law;
(c) not share with, transfer to, disclose or provide access to ▇▇▇▇▇▇▇ Aerospace Personal Data to any third party except to provide services under the Agreement or as required by law. If Supplier does share, transfer, disclose or provide access to ▇▇▇▇▇▇▇ Aerospace Personal Data to a subcontractor or sub-processor, it shall:
(i) be responsible for the acts and omissions of any subcontractor, sub-processor, or other such third party, that processes (within the meaning of the applicable Data Privacy Laws) ▇▇▇▇▇▇▇ Aerospace Personal Data on Supplier’s behalf in the same manner and to the same extent as it is responsible for its own acts and omissions with respect to such ▇▇▇▇▇▇▇ Aerospace Personal Data;
(ii) ensure such third party is bound by a written agreement that contains the same or equivalent obligations and protections as those set forth in this Section; and
(iii) only share, transfer, disclose or provide access to a third party to the extent that such conduct is compliant with applicable Data Privacy Laws. This section (c) does not address sharing with, or transferring, disclosing, or providing access to, one or more government entities pursuant to a legal obligation. Such conduct shall be done in a manner intended to protect and limit the sharing of ▇▇▇▇▇▇▇ Personal Information to the extent reasonably and legally permissible;
(d) not appoint (or disclose any Company Personal Data to) any sub-processor unless required or authorized by the Company; the authorization is deemed to be granted for the sub-processors listed in Attachment 3;
(e) take commercially reasonable steps to ensure the reliability of Supplier’s employees, agents, representatives, subcontractors, subcontractor employees, or any other person used by Supplier (collectively, “Supplier Personnel”) who have access to the ▇▇▇▇▇▇▇ Aerospace Personal Data and ensure that such access is on a need-to-know basis including the establishment of confidentiality agreements as appropriate, and ensure that Supplier Personnel are obligated to maintain the confidentiality of ▇▇▇▇▇▇▇ Aerospace Personal Data, such as through a confidentiality agreement or by application of company policy, relevant law or regulation;
(f) upon request, permit ▇▇▇▇▇▇▇ Aerospace to hire third party external auditors to verify Supplier and third party compliance with their obligations under the Agreement and/or Order. Additionally, upon request, Supplier shall provide ▇▇▇▇▇▇▇ Aerospace with any audit reports issued under ISO 27001, ISO 29100, SSAE 16 (or SAS 70), SSAE 18, SOC 2, or ISAE 3402 that covers ▇▇▇▇▇▇▇ Aerospace Personal Information;
(g) maintain reasonable and appropriate technical, physical, and administrative safeguards intended to protect ▇▇▇▇▇▇▇ Aerospace Personal Data. These measures will include reasonable restrictions upon physical access to any locations containing ▇▇▇▇▇▇▇ Aerospace Personal Data, such as the storage of such records in locked facilities, storage areas, or containers. Supplier must periodically re-evaluate the measures adopted to ensure that they remain reasonable and appropriate;
(h) provide ▇▇▇▇▇▇▇ with commercially reasonable assistance in: (i) deleting ▇▇▇▇▇▇▇ Personal Information upon request by a data subject or legal representative where appropriate; and (ii) managing requests from data subjects that wish to opt-out when applicable;
(i) retain ▇▇▇▇▇▇▇ Personal Information only for as long as required and thereafter ▇▇▇▇▇ ▇▇▇▇▇▇▇ Personal Information unless otherwise required to retain the data by applicable law;
(j) immediately advise ▇▇▇▇▇▇▇ Aerospace in writing if it receives or learns of any:
(i) complaint or allegation indicating a violation of Data Privacy Laws regarding ▇▇▇▇▇▇▇ Aerospace Personal Data;
(ii) request from one or more individuals seeking to access, correct, or delete ▇▇▇▇▇▇▇ Aerospace Personal Data; and
(iii) regulatory request for, subpoena, search warrant, or other legal, regulatory, administrative, or governmental process seeking ▇▇▇▇▇▇▇ Aerospace Personal Data (collectively, “Data Privacy Matters”). If Supplier learns of any Data Privacy Matter, Supplier shall, in addition to notifying ▇▇▇▇▇▇▇ Aerospace in writing, provide reasonable assistance to ▇▇▇▇▇▇▇ Aerospace, including by cooperating with ▇▇▇▇▇▇▇ Aerospace in investigating the Data Privacy Matter, providing relevant information to ▇▇▇▇▇▇▇ Aerospace, assisting in the preparation of a response, implementing a remedy, and/or cooperating in the conduct of and defending against any claim, court or regulatory proceedings. Supplier shall use commercially and legally reasonable efforts to limit the nature and scope of any required disclosure to the minimum amount of ▇▇▇▇▇▇▇ Aerospace Personal Information required to comply with applicable law. Unless prevented by applicable law, Supplier shall provide ▇▇▇▇▇▇▇ Aerospace with advance written notice of any Data Privacy Matters sufficient to allow ▇▇▇▇▇▇▇ to contest any legal, regulatory, administrative, or other governmental processes; and
(k) provide written notice to ▇▇▇▇▇▇▇ Aerospace as soon as possible and, whenever possible, in forty-eight (48) hours, of any actual or reasonably suspected incident of accidental or unlawful destruction or accidental loss, alteration, unauthorized or accidental disclosure of or access to ▇▇▇▇▇▇▇ Aerospace Personal Data of which it becomes aware (a “Security Breach”). Where the Security Breach (i) involves data on the Supplier’s networks or systems; or (ii) is the fault of the Supplier, then Supplier shall be responsible for the investigation and remediation of the Security Breach. Notwithstanding the foregoing, Supplier shall obtain ▇▇▇▇▇▇▇’▇ prior written consent before making any notification to a regulator, the public, other customers, or affected individuals that identifies ▇▇▇▇▇▇▇ Aerospace, except where Supplier makes a diligent effort to obtain ▇▇▇▇▇▇▇ Aerospace’s consent and Supplier is required to make a notification pursuant to a legal obligation.
Sources: Data Processing Agreement
Supplier shall:
(a) comply with all applicable Data Privacy Laws and promptly notify ▇▇▇▇▇▇▇ Aerospace in writing if Supplier believes that collecting or processing ▇▇▇▇▇▇▇ Aerospace Personal Data violates Data Privacy Laws;
(b) only collect, access, use, or share ▇▇▇▇▇▇▇ Aerospace Personal Data, or transfer ▇▇▇▇▇▇▇ Aerospace Personal Data to authorized third parties, in performance of its obligations under the Agreement, in conformance with ▇▇▇▇▇▇▇ Aerospace’s instructions, or to comply with legal obligations. Supplier will not make any secondary or other use (e.g., for the purpose of data mining) of ▇▇▇▇▇▇▇ Aerospace Personal Data except (i) as expressly authorized in writing by ▇▇▇▇▇▇▇ Aerospace, (ii) as required by law;
(c) not share with, transfer to, disclose or provide access to ▇▇▇▇▇▇▇ Aerospace Personal Data to any third party except to provide services under the Agreement or as required by law. If Supplier does share, transfer, disclose or provide access to ▇▇▇▇▇▇▇ Aerospace Personal Data to a subcontractor or sub-processor, it shall:
(i) be responsible for the acts and omissions of any subcontractor, sub-processor, or other such third party, that processes (within the meaning of the applicable Data Privacy Laws) ▇▇▇▇▇▇▇ Aerospace Personal Data on Supplier’s behalf in the same manner and to the same extent as it is responsible for its own acts and omissions with respect to such ▇▇▇▇▇▇▇ Aerospace Personal Data;
(ii) ensure such third party is bound by a written agreement that contains the same or equivalent obligations and protections as those set forth in this Section; and
(iii) only share, transfer, disclose or provide access to a third party to the extent that such conduct is compliant with applicable Data Privacy Laws. This section (c) does not address sharing with, or transferring, disclosing, or providing access to, one or more government entities pursuant to a legal obligation. Such conduct shall be done in a manner intended to protect and limit the sharing of ▇▇▇▇▇▇▇ Personal Information to the extent reasonably and legally permissible;
(d) not appoint (or disclose any Company Personal Data to) any sub-processor unless required or authorized by the Company; the authorization is deemed to be granted for the sub-processors listed in Appendix 3;
(e) take commercially reasonable steps to ensure the reliability of Supplier’s employees, agents, representatives, subcontractors, subcontractor employees, or any other person used by Supplier (collectively, “Supplier Personnel”) who have access to the ▇▇▇▇▇▇▇ Aerospace Personal Data and ensure that such access is on a need-to-know basis including the establishment of confidentiality agreements as appropriate, and ensure that Supplier Personnel are obligated to maintain the confidentiality of ▇▇▇▇▇▇▇ Aerospace Personal Data, such as through a confidentiality agreement or by application of company policy, relevant law or regulation;
(f) upon request, permit ▇▇▇▇▇▇▇ Aerospace to hire third party external auditors to verify Supplier and third party compliance with their obligations under the Agreement and/or Order. Additionally, upon request, Supplier shall provide ▇▇▇▇▇▇▇ Aerospace with any audit reports issued under ISO 27001, ISO 29100, SSAE 16 (or SAS 70), SSAE 18, SOC 2, or ISAE 3402 that covers ▇▇▇▇▇▇▇ Aerospace Personal Information;
(g) maintain reasonable and appropriate technical, physical, and administrative safeguards intended to protect ▇▇▇▇▇▇▇ Aerospace Personal Data. These measures will include reasonable restrictions upon physical access to any locations containing ▇▇▇▇▇▇▇ Aerospace Personal Data, such as the storage of such records in locked facilities, storage areas, or containers. Supplier must periodically re-evaluate the measures adopted to ensure that they remain reasonable and appropriate;
(h) provide ▇▇▇▇▇▇▇ with commercially reasonable assistance in: (i) deleting ▇▇▇▇▇▇▇ Personal Information upon request by a data subject or legal representative where appropriate; and (ii) managing requests from data subjects that wish to opt-out when applicable;
(i) retain ▇▇▇▇▇▇▇ Personal Information only for as long as required and thereafter ▇▇▇▇▇ ▇▇▇▇▇▇▇ Personal Information unless otherwise required to retain the data by applicable law;
(j) immediately advise ▇▇▇▇▇▇▇ Aerospace in writing if it receives or learns of any:
(i) complaint or allegation indicating a violation of Data Privacy Laws regarding ▇▇▇▇▇▇▇ Aerospace Personal Data;
(ii) request from one or more individuals seeking to access, correct, or delete ▇▇▇▇▇▇▇ Aerospace Personal Data; and
(iii) regulatory request for, subpoena, search warrant, or other legal, regulatory, administrative, or governmental process seeking ▇▇▇▇▇▇▇ Aerospace Personal Data (collectively, “Data Privacy Matters”). If Supplier learns of any Data Privacy Matter, Supplier shall, in addition to notifying ▇▇▇▇▇▇▇ Aerospace in writing, provide reasonable assistance to ▇▇▇▇▇▇▇ Aerospace, including by cooperating with ▇▇▇▇▇▇▇ Aerospace in investigating the Data Privacy Matter, providing relevant information to ▇▇▇▇▇▇▇ Aerospace, assisting in the preparation of a response, implementing a remedy, and/or cooperating in the conduct of and defending against any claim, court or regulatory proceedings. Supplier shall use commercially and legally reasonable efforts to limit the nature and scope of any required disclosure to the minimum amount of ▇▇▇▇▇▇▇ Aerospace Personal Information required to comply with applicable law. Unless prevented by applicable law, Supplier shall provide ▇▇▇▇▇▇▇ Aerospace with advance written notice of any Data Privacy Matters sufficient to allow ▇▇▇▇▇▇▇ to contest any legal, regulatory, administrative, or other governmental processes; and
(k) provide written notice to ▇▇▇▇▇▇▇ Aerospace as soon as possible and, whenever possible, in forty-eight (48) hours, of any actual or reasonably suspected incident of accidental or unlawful destruction or accidental loss, alteration, unauthorized or accidental disclosure of or access to ▇▇▇▇▇▇▇ Aerospace Personal Information of which it becomes aware (a “Security Breach”). Supplier shall take all reasonable measures to contain and remedy the Security Breach, wherever possible; provide ▇▇▇▇▇▇▇ with information regarding the investigation and remediation of the Security Breach, unless restricted by law; not make any notification, announcement or publish or otherwise authorize any broadcast of any notice or information about a Security Breach (a “Breach Notice”) without the prior written consent of and prior written approval by ▇▇▇▇▇▇▇ of the content, media and timing of the Breach Notice (if any), unless required to do so by law or court order; and even where required to do so by law or court order, make all reasonable efforts to coordinate with ▇▇▇▇▇▇▇ prior to providing any Breach Notice. Where the Security Breach (a) involves data on the Supplier’s networks or systems or (b) is the fault of the Supplier, then Supplier will, at the request of ▇▇▇▇▇▇▇, pay for the costs of remediation, provide notification to impacted individuals, and to the extent applicable, provide theft monitoring services.