Common use of TECHNICAL AND ORGANIZATION SECURITY MEASURES Clause in Contracts

TECHNICAL AND ORGANIZATION SECURITY MEASURES.

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor and each Vendor Affiliate shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.

5.2 In assessing the appropriate level of security, Vendor and each Vendor Affiliate shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach. Vendor shall take appropriate technical and organisational security measures to protect Personal Data against accidental loss or damage and unauthorised access, use, disclosure, alteration or destruction and to ensure the confidentiality, security, integrity, and availability of Personal Data. The measures to be undertaken by the Vendor shall include:

a. The measures to securely dispose of Personal Data taking into account available technology so that such information cannot be practicably read or reconstructed; and

b. Limiting access to Personal Data to Vendor Personnel: Vendor has taken reasonable steps to ensure the reliability of Vendor Personnel who are granted the minimum access level(s) to the Personal Data that are necessary to carry out their job role in performance of Vendor’s obligations under the Agreement; have been trained in the proper handling of Personal Data; are subject to written obligations of confidentiality in respect of Personal Data and only process Personal Data in accordance with Vendor’s instructions; and

c. Implementing logging and auditing techniques for access to the Personal Data Vendor processes on behalf of the Company; and

d. Encryption of all Personal Data Vendor processes on behalf of the Company where such processing takes place using laptops or other electronic portable devices; and

e. The use of encryption of Personal Data as appropriate taking into account the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss alteration, unauthorised disclosure of, or access to Personal Data.

Zycus undergoes SSAE16 SOC1, SOC2 Type II audit by third party to ensure adequate security and confidentiality for all Company and Vendor data on a yearly basis. Zycus may share such audit reports for review by the Company upon request.

The Vendor shall regularly test, assess and evaluate the effectiveness of the technical and organisational security measures the Vendor has implemented. Upon Company’s written request, Vendor shall provide the Company with the results of the test, assessment and evaluation of the effectiveness of the technical and organisation measures Vendor has implemented including details of these measures which are sufficient to demonstrate compliance with Data Protection Laws.

Appears in 1 contract

Sources: Data Protection Addendum

TECHNICAL AND ORGANIZATION SECURITY MEASURES. 5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor and each Vendor Affiliate Processor shall in relation to the Company company name controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk. 5.2 . In assessing the appropriate level of security, Vendor and each Vendor Affiliate the Processor shall take account in particular of the risks that are presented by Processingprocessing, in particular from a Personal Data Breach. Vendor The Processor shall take appropriate technical and organisational organizational security measures to protect Personal Data against accidental loss or damage and unauthorised unauthorized access, use, disclosure, alteration or destruction and to ensure the confidentiality, security, integrity, and availability of Personal Data. The measures Measures to be undertaken by the Vendor Processor shall include: a. : The measures to securely dispose of Personal Data taking into account available technology so that such information cannot be practicably read or reconstructed; and b. reconstructed Limiting access to Personal Data to Vendor PersonnelProcessor personnel: Vendor Processor has taken reasonable steps to ensure the reliability of Vendor Personnel Processor personnel who are granted the minimum access level(s) to the Personal Data that are necessary to carry out their job role in performance of VendorProcessor’s obligations under the Agreementobligations; have been trained in the proper handling of Personal Data; are subject to written obligations of confidentiality in respect of Personal Data and only process Personal Data in accordance with Vendor’s instructions; and c. 
the given instructions Implementing logging and auditing techniques for access to the Personal Data Vendor personal data Processor processes on behalf of the Company; and d. company name controller Encryption of all Personal personal Data Vendor processes processed on behalf of the Company company name controller where such processing takes place using laptops or other electronic portable devices; and e. The use devices Use of encryption of Personal Data personal data as appropriate taking into account the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss alteration, unauthorised unauthorized disclosure of, or access to Personal Data. Zycus undergoes SSAE16 SOC1, SOC2 Type II audit by third party to ensure adequate security and confidentiality for all Company and Vendor data on a yearly basis. Zycus may share such audit reports for review by the Company upon requestpersonal data. The Vendor processor must have policies and procedures based on the ISO27001 framework. Processor shall regularly test, assess and evaluate the effectiveness of the technical and organisational organizational security measures the Vendor Processor has implemented. Upon Company’s company name controller written request, Vendor Processor shall provide the Company company name controller with the results of the test, assessment and evaluation of the effectiveness of the technical and organisation organization measures Vendor Processor has implemented including details of these measures which are sufficient to demonstrate compliance with Data Protection Laws.

Appears in 1 contract

Sources: Data Processing Agreement