Common use of Processing operations Clause in Contracts

Processing operations. The Personal Data transferred will be subject to the following basic processing activities: ● Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the Controller’s instructions. The Processor processes Personal Data only on behalf of the Controller. ● Processing operations include but are not limited to: provision of training courses, risk assessment questionnaires and learning management services to employees, contractors and users of the Services to monitor and evaluate risk assessment in the workplace in compliance with rules and regulations applicable to the Controller’s business. These operations relate to all aspects of Personal Data processed. ● Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyse and resolve technical issues both generally in the provision of the Services and specifically in answer to a Controller query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible. ● Virus, anti-spam and Malware checking in accordance with the Services provided. This operation relates to all aspects of Personal Data processed. ● URL scanning for the purposes of the provision of targeted threat protection and similar service which may be provided under the Agreement. This operation relates to attachments and links in emails and will relates to any Personal Data within those attachments or links which could include all categories of Personal Data. Exhibit B Technical and Organisational Security Measures The Processor utilises third party data centres that maintain current ISO 27001 certifications and/or SSAE 16 SOC 1 Type II or SOC 2 Attestation Reports. The Processor will not utilise third party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations. Upon the Controller’s written request (no more than once in any 12 month period), the Processor shall provide within a reasonable time, a copy of the most recently completed certification and/or attestation reports (to the extent that to do so does not prejudice the overall security of the Services). Any audit report submitted to the Controller shall be treated as Confidential Information and subject to the confidentiality provisions of the Agreement between the parties. The following descriptions provide an overview of the technical and organisational security measures implemented. It should be noted however that, in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available, however additional information regarding technical and organisational measures may be found in the Security Policy. It’s acknowledged and agreed that the Security Policy and the technical and organisational measures described therein will be updated and amended from time to time, at the sole discretion of the Processor. Notwithstanding the foregoing, the technical and organisational measures will not fall short of those measures described in the Security Policy in any material, detrimental way.

Processing operations. The Personal Data transferred will be subject to the following basic processing activities: ● • Personal Data will be processed to the extent necessary to provide the Services Products in accordance with both the Agreement MSA and the Controller’s instructions. The Processor processes Personal Data only on behalf of the Controller. ● • Processing operations include but are not limited to: provision management of training coursesemployees and intermediaries, risk assessment questionnaires monitoring of the workplace, client management, appraisals, performance reviews, feedback, objectives and learning personal development tracking, making comments and updates on these, management services to of lists of employees, contractors intermediaries and users of the Services other users, providing support to monitor user and evaluate risk assessment in the workplace in compliance with rules and regulations applicable to the Controller’s businessother HR functions. These operations relate to all aspects of Personal Data processed. ● • Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyse and resolve technical issues both generally in the provision of the Services Products and specifically in answer to a Controller query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible. ● • Virus, anti-spam and Malware checking in accordance with the Services Products provided. This operation relates to all aspects of Personal Data processed. ● • URL scanning for the purposes of the provision of targeted threat protection and similar service which may be provided under the AgreementMSA. This operation relates to attachments and links in emails and will relates to any Personal Data within those attachments or links which could include all categories of Personal Data. Exhibit B Technical and Organisational Security Measures The Processor utilises third party data centres that maintain current ISO 27001 certifications and/or SSAE 16 SOC 1 Type II or SOC 2 Attestation Reports. The Processor will not utilise third party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations. Upon the Controller’s written request (no more than once in any 12 month period), the Processor shall provide within a reasonable time, a copy of the most recently completed certification and/or attestation reports (to the extent that to do so does not prejudice the overall security of the ServicesProducts). Any audit report submitted to the Controller shall be treated as Confidential Information and subject to the confidentiality provisions of the Agreement MSA between the parties. The following descriptions provide an overview of the technical and organisational security measures implemented. It should be noted however that, in some circumstances, in order to protect the integrity of the security measures and in the context of data security, detailed descriptions may not be available, however additional information regarding technical and organisational measures may be found in the Security Policy. It’s acknowledged and agreed that the Security Policy and the technical and organisational measures described therein will be updated and amended from time to time, at the sole discretion of the Processor. Notwithstanding the foregoing, the technical and organisational measures will not fall short of those measures described in the Security Policy in any material, detrimental way.