Common use of Protection of Personal Data Clause in Contracts

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. As a result of this Agreement, Seller and Seller Parties may obtain certain information relating to identified or identifiable individuals (“Personal Data”), including but not limited to, from Apple on Apple’s or its affiliate(s)’ behalf and/or from Apple affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Parties), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without Apple’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to Apple if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Parties shall: fully (i) comply with Apple’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify Apple of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform Apple if, in its opinion, an instruction from Apple infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collectionregulations and international accords or treaties pertaining to Personal Data; (v) take all appropriate legal, use organizational and disclosure technical measures to protect against unlawful and unauthorized processing of Personal Data; process and (vi) promptly notify Apple’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with Apple to promptly and effectively handle such requests with respect to Personal Data, and only respond to any such requests if expressly authorized to do so by Apple. If Personal Data only in accordance with is transferred from the written instructions given European Economic Area or Switzerland to or by IHiS Seller and/or Seller Parties, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to such extent necessary and the appropriate legal instruments for the completion international transfer of data (such as the PurposeEU-U.S. Privacy Shield Framework); promptly deal with or (b) execute: (1) the Standard Contractual Clauses as approved by the European Commission; and (2) where relevant, the Swiss Transborder Data Flow Agreement; or (c) execute mutually agreeable contractual instruments or Binding Corporate Rules (BCR) as such BCR are approved by the relevant supervisory authority. Seller shall be liable for the damage caused to any enquiry from IHiS relating to the Companyindividual as a result of Seller’s processing of Personal Data; , where Seller has not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company complied with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; Section or expiry any applicable laws, regulations and international accords or termination of the NDAtreaties pertaining to Personal Data, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that where it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose acted outside or return of the documents and materials as aforesaid, the Company shall continue contrary to be bound by the undertakings set out in Clauses 3 and 4 abovelawful instructions from Apple.

Protection of Personal Data. Where any Personal Data are processed with respect to the Parties' rights and obligations under this Call Off Contract, the Parties agree that the Customer is the Data Controller and that the Supplier is the Data Processor. The Company Supplier shall, in relation to Personal Data: fully comply with all requirements of Process the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with instructions from the written Customer (which may be specific instructions given or instructions of a general nature as set out in this Call Off Contract or as otherwise notified by IHiS the Customer to the Supplier during the Call Off Contract Period); Process the Personal Data only to the extent, and to in such extent manner, as is necessary and appropriate for the completion provision of the PurposeGoods and/or Services or as is required by Law or any Regulatory Body; promptly deal with any enquiry from IHiS relating implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the Company’s processing harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; not obtain Approval in order to transfer or allow the Personal Data to be transferred outside any Sub-Contractors or Affiliates for the provision of Singaporethe Services; ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 31; ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless expressly instructed directed in writing to do so by the Customer; notify the Customer (within five (5) Working Days) if it receives: a request from a Data Subject to have access to that person's Personal Data; or authorised by IHiSa complaint or request relating to the Customer's obligations under the Data Protection Legislation; and provide all necessary co-operation the Customer with full cooperation and assistance (whether in relation to IHiS any complaint or otherwise) to allow request made, including by: providing the Customer with full details of the complaint or request; complying with a data access and/or correction of Personal request within the relevant timescales set out in the Data Protection Legislation and in accordance with the PDPA. Without prejudice to Clause 4.1 above, Customer's instructions; providing the Company ensure: that Customer with any Personal Data belonging it holds in relation to IHiS or its Affiliates which is held by a Data Subject (within the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer timescales required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiSCustomer); and it keeps itself appraised of providing the Customer with any information requested by the Customer; permit the Customer or the Customer Representative (subject to reasonable and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”appropriate confidentiality undertakings), to inspect and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clauseaudit, the Company hereby expressly acknowledges Supplier's data Processing activities (and/or those of its agents, subsidiaries and agrees that it has read the PDPA Documentation Sub-Contractors) and is aware of and will compensate IHiS for any and comply with all potential loss and damage caused to IHiS and/or its Affiliates arising from reasonable requests or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance directions by the Company Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion Call Off Contract; provide a written description of the Purposetechnical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Customer); receipt of and not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Call Off Commencement Date, the Supplier (or any Sub-Contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: the Supplier shall submit a written request from IHiS; or expiry or termination of for Variation to the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify Customer which shall be dealt with in writing to IHiS that it has complied accordance with the requirements of this Clause 5.1. Notwithstanding Variation Procedure and paragraphs (b) to (d) below; the completion of the Purpose or return of the documents and materials as aforesaid, the Company Supplier shall continue to be bound by the undertakings set out in its request for a Variation details of the following: the Personal Data which will be Processed and/or transferred outside the European Economic Area; the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area; any Sub-Contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area; in providing and evaluating the request for Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office’s policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally but, for the avoidance of doubt, the Customer may, in its absolute discretion, refuse to grant Approval of such process and/or transfer any Personal Data outside the European Economic Area; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model Clauses 3 (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Call Off Contract or a separate data processing agreement between the parties; and 4 aboveprocuring that any Sub-Contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model Clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation). The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). The Supplier shall, at all times during and after the Call Off Contract Period, indemnify the Customer and keep the Customer fully indemnified against all Losses incurred by, awarded against or agreed to be paid by the Customer at any time (whether before or after the making of a demand pursuant to the indemnity hereunder) arising from any breach of the Supplier's obligations under this Clause 31 except and to the extent that such liabilities have resulted directly from the Customer's instructions.

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS CGH and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS CGH relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiSCGH; and provide all necessary co-operation and assistance (whether to IHiS CGH or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS CGH or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS CGH in accordance with Clause 5 below; that IHiS CGH is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS CGH with such reports or information concerning such steps as and when requested by IHiSCGH); and it keeps itself appraised of any and all notices and circulars which IHiS CGH may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS CGH to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS CGH for any and all potential loss and damage caused to IHiS CGH and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS CGH reserves the right and the Company agrees that IHiS CGH may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiSCGH; or expiry or termination of the NDA, return to IHiS CGH all documents and materials (and all copies thereof) containing IHiS’ CGH’s Confidential Information or destroy the same, and certify in writing to IHiS CGH that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. With respect to the parties' rights and obligations under this Agreement, the parties agree that the Authority is the Data Controller and that the Contractor is the Data Processor. The Company Contractor shall, in relation to Personal Data: fully comply with all requirements of Process the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with instructions from the written Authority (which may be specific instructions given or instructions of a general nature as set out in this Agreement or as otherwise notified by IHiS the Authority to the Contractor during the term of this Agreement); Process the Personal Data only to the extent, and to in such extent manner, as is necessary and appropriate for the completion provision of the PurposeServices or as is required by Law or any Regulatory Body; promptly deal with any enquiry from IHiS relating implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the Company’s processing harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Contractor Personnel who have access to the Personal Data; not obtain prior written consent from the Authority in order to transfer or allow the Personal Data to be transferred any Sub-contractors or members of the Contractor’s group of companies for the provision of the Services; ensure that all Contractor Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 6; ensure that none of Contractor Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; notify the Authority (within [five] Working Days) if it receives: a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to the Authority's obligations under the Data Protection Legislation; provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: providing the Authority with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the Authority's instructions; providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and providing the Authority with any information requested by the Authority; permit the Authority (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 3 (Audits), the Contractor's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Contractor is in full compliance with its obligations under this Agreement; provide a written description of the technical and organisational methods employed by the Contractor for processing Personal Data (within the timescales required by the Authority); and not Process Personal Data outside the European Economic Area without the prior written consent of Singaporethe Authority and, unless expressly instructed where the Authority consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the Authority. The Contractor shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Legislation. FREEDOM OF INFORMATION The Contractor acknowledges that the Authority is subject to the requirements of the Code of Practice on Government Information, FOIA and the Environmental Information Regulations and shall assist and cooperate with the Authority to enable the Authority to comply with its Information disclosure obligations. The Contractor shall and shall procure that its Sub-contractors shall: transfer to the Authority all Requests for Information that it receives as soon as practicable and in any event within [two] Working Days of receiving a Request for Information; provide the Authority with a copy of all Information in its possession, or authorised by IHiSpower in the form that the Authority requires within [five] Working Days (or such other period as the Authority may specify) of the Authority's request; and provide all necessary co-operation assistance as reasonably requested by the Authority to enable the Authority to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the Environmental Information Regulations. The Authority shall be responsible for determining in its absolute discretion and assistance (notwithstanding any other provision in this Agreement or any other agreement whether to IHiS or otherwise) to allow access the Commercially Sensitive Information and/or correction of Personal Data any other Information is exempt from disclosure in accordance with the PDPAprovisions of the Code of Practice on Government Information, FOIA or the Environmental Information Regulations. Without prejudice In no event shall the Contractor respond directly to Clause 4.1 above, the Company ensure: that any Personal Data belonging a Request for Information unless expressly authorised to IHiS or its Affiliates which is held do so by the Company is protected against lossAuthority. The Contractor acknowledges that (notwithstanding the provisions of clause 8) the Authority may, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS acting in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) the Department of any unauthorised access, disclosure or other breach Constitutional Affairs’ Code of this Clause 4 and Practice on the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach Discharge of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised the Functions of any and all notices and circulars which IHiS may from time to time notify to Public Authorities under Part 1 of the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data Freedom of Information Act 2000 (“PDPA Documentationthe Code”), and be obliged under the FOIA, or the Environmental Information Regulations to perform its duties disclose information concerning the Contractor or discharge its liabilities the Services: in connection certain circumstances without consulting the Contractor; or following consultation with the Purpose in a manner which is consistent with the PDPA Documentation, Contractor and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.having taken their views into account;

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS AIC and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS AIC relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiSAIC; and provide all necessary co-operation and assistance (whether to IHiS AIC or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS AIC or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS AIC in accordance with Clause 5 below; that IHiS AIC is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS AIC with such reports or information concerning such steps as and when requested by IHiSAIC); and it keeps itself appraised of any and all notices and circulars which IHiS AIC may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS AIC to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS AIC for any and all potential loss and damage caused to IHiS AIC and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS AIC reserves the right and the Company agrees that IHiS AIC may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiSAIC; or expiry or termination of the NDA, return to IHiS AIC all documents and materials (and all copies thereof) containing IHiS’ AIC’s Confidential Information or destroy the same, and certify in writing to IHiS AIC that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. The Company shall, Where any Personal Data are Processed in relation to Personal Data: fully comply connection with all requirements the exercise of the PDPAParties’ rights and obligations under this Call Off Contract, including the requirements concerning Parties acknowledge that the collection, use Customer is the Data Controller and disclosure of Personal Data; process that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the written instructions given by IHiS Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to such extent necessary and appropriate for the completion guard against unauthorised or unlawful Processing of the Purpose; promptly deal with any enquiry from IHiS relating Personal Data and/or accidental loss, destruction, or damage to the Company’s processing of Personal Data, including the measures as are set out in Clauses 36.1 (Security Requirements) and 36.2 (Protection of Customer Data); not disclose or transfer or allow the Personal Data to be transferred outside any third party or Supplier Personnel unless necessary for the provision of Singaporethe Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 36.6.2 and Clauses 36.1 (Security Requirements), 36.2 (Protection of Customer Data) and 36.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless expressly instructed directed in writing to do so by the Customer or authorised as otherwise permitted by IHiSthis Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide all necessary co-operation the Customer with full cooperation and assistance (whether within the timescales reasonably required by the Customer) in relation to IHiS any complaint, communication or otherwise) request made (as referred to allow access and/or correction at Clause 36.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 36.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in accordance with or to any country outside the PDPAEuropean Economic Area. Without prejudice The Supplier shall use its reasonable endeavours to Clause 4.1 above, assist the Company ensure: that any Personal Data belonging Customer to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection comply with any breach of this clause. Notwithstanding obligations under the DPA and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with shall not perform its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion Call Off Contract in such a way as to cause the Customer to breach any of the Purpose; receipt Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 abovesuch obligations.

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS CGH and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS CGH relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiSCGH; and provide all necessary co-operation and assistance (whether to IHiS CGH or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS CGH or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS CGH in accordance with Clause 5 below; that IHiS CGH is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS CGH with such reports or information concerning such steps as and when requested by IHiSCGH); and it keeps itself appraised of any and all notices and circulars which IHiS CGH may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS CGH to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS CGH for any and all potential loss and damage caused to IHiS CGH and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS CGH reserves the right and the Company agrees that IHiS CGH may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN seven (7) days of: completion of the Purpose; receipt of a written request from IHiSCGH; or expiry or termination of the NDA, return to IHiS CGH all documents and materials (and all copies thereof) containing IHiS’ CGH’s Confidential Information or destroy the same, and certify in writing to IHiS CGH that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. As a result of this Agreement, Seller and Seller Parties may obtain certain information relating to identified or identifiable individuals ("Personal Data"), including but not limited to, from Apple on Apple’s or its affiliate(s)’ behalf and/or from Apple affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Parties), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without Apple’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to Apple if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Parties shall: fully (i) comply with Apple’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify Apple of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform Apple if, in its opinion, an instruction from Apple infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collectionregulations and international accords or treaties pertaining to Personal Data; (v) take all appropriate legal, use organizational and disclosure technical measures to protect against unlawful and unauthorized processing of Personal Data; process and (vi) promptly notify Apple’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with Apple to promptly and effectively handle such requests with respect to Personal Data, and only respond to any such requests if expressly authorized to do so by Apple. If Personal Data only in accordance with is transferred from the written instructions given European Economic Area or Switzerland to or by IHiS Seller and/or Seller Parties, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to such extent necessary and the appropriate legal instruments for the completion international transfer of data (such as the PurposeEU-U.S. Privacy Shield Framework); promptly deal with or (b) execute: (1) the Standard Contractual Clauses as approved by the European Commission; and (2) where relevant, the Swiss Transborder Data Flow Agreement; or (c) execute mutually agreeable contractual instruments or Binding Corporate Rules (BCR) as such BCR are approved by the relevant supervisory authority. Seller shall be liable for the damage caused to any enquiry from IHiS relating to the Companyindividual as a result of Seller’s processing of Personal Data; , where Seller has not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company complied with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; Section or expiry any applicable laws, regulations and international accords or termination of the NDAtreaties pertaining to Personal Data, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that where it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose acted outside or return of the documents and materials as aforesaid, the Company shall continue contrary to be bound by the undertakings set out in Clauses 3 and 4 abovelawful instructions from Apple.

Protection of Personal Data. The Company shall, in relation to Personal Data: Data:- ensure that it has, in relation to all Personal Data obtained and/or collected by it, fully comply complied with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure Personal Data Protection Act (No. 26 of Personal Data2012); process Personal Data only in accordance with the written instructions given by IHiS and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred transferred, outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPAPersonal Data Protection Xxx 0000. Without prejudice to Clause 4.1 above, the Company shall take all reasonable measures to ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned re-delivered to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertakeundertakes, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDAAgreement, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its the obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) seven days of: completion of the Purpose; or receipt of a written request from IHiS; or expiry or termination of the NDAAgreement, return to IHiS all documents and materials (and all copies thereof) containing the IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1sub-clause. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. As a result of this Agreement, Seller and Seller Affiliates may obtain certain information relating to identified or identifiable individuals (“Personal Data”), including but not limited to, from Apple on Apple’s or its affiliate(s)’ behalf and/or from Apple affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Affiliates), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without Apple’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to Apple if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Affiliates shall: fully (i) comply with Apple’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify Apple of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform Apple if, in its opinion, an instruction from Apple infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collectionregulations and international accords or treaties pertaining to Personal Data; (v) take all appropriate legal, use organizational and disclosure technical measures to protect against unlawful and unauthorized processing of Personal Data; process and (vi) promptly notify Apple’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with Apple to promptly and effectively handle such requests with respect to Personal Data, and only respond to any such requests if expressly authorized to do so by Apple. If Personal Data only in accordance with is transferred from the written instructions given European Economic Area or Switzerland to or by IHiS Seller and/or Seller Affiliates, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to such extent necessary and the appropriate legal instruments for the completion international transfer of data (such as the PurposeEU-U.S. Privacy Shield Framework); promptly deal with or (b) execute: (1) the Standard Contractual Clauses as approved by the European Commission; and (2) where relevant, the Swiss Transborder Data Flow Agreement; or (c) execute mutually agreeable contractual instruments or Binding Corporate Rules (BCR) as such BCR are approved by the relevant supervisory authority. Seller shall be liable for the damage caused to any enquiry from IHiS relating to the Companyindividual as a result of Seller’s processing of Personal Data; , where Seller has not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company complied with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; Section or expiry any applicable laws, regulations and international accords or termination of the NDAtreaties pertaining to Personal Data, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that where it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose acted outside or return of the documents and materials as aforesaid, the Company shall continue contrary to be bound by the undertakings set out in Clauses 3 and 4 abovelawful instructions from Apple.

Protection of Personal Data. The Company shall, in relation to Personal Data: Data:- ensure that it has, in relation to all Personal Data obtained and/or collected by it, fully comply complied with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure Personal Data Protection Act (No. 26 of Personal Data2012); process Personal Data only in accordance with the written instructions given by IHiS and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred transferred, outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPAPersonal Data Protection Act 2012. Without prejudice to Clause 4.1 above, the Company shall take all reasonable measures to ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned re-delivered to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertakeundertakes, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDAAgreement, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its the obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) seven days of: completion of the Purpose; or receipt of a written request from IHiS; or expiry or termination of the NDAAgreement, return to IHiS all documents and materials (and all copies thereof) containing the IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1sub-clause. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN seven (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. As a result of this Agreement, Seller and Seller Parties may obtain certain information relating to identified or identifiable individuals (“Personal Data”), including but not limited to, from ACWN on ACWN’s or its affiliate(s)’ behalf and/or from ACWN affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Parties), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without ACWN’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to ACWN if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Parties shall: fully (i) comply with ACWN’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify ACWN of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform ACWN if, in its opinion, an instruction from ACWN infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collectionregulations and international accords or treaties pertaining to Personal Data; (v) take all appropriate legal, use organizational and disclosure technical measures to protect against unlawful and unauthorized processing of Personal Data; process and (vi) promptly notify ACWN’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with ACWN to promptly and effectively handle such requests with respect to Personal Data, and only respond to any such requests if expressly authorized to do so by ACWN. If Personal Data only in accordance with is transferred from the written instructions given European Economic Area or Switzerland to or by IHiS Seller and/or Seller Parties, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to such extent necessary and the appropriate legal instruments for the completion international transfer of data (such as the PurposeEU-U.S. Privacy Shield Framework); promptly deal with or (b) execute: (1) the Standard Contractual Clauses as approved by the European Commission; and (2) where relevant, the Swiss Transborder Data Flow Agreement; or (c) execute mutually agreeable contractual instruments or Binding Corporate Rules (BCR) as such BCR are approved by the relevant supervisory authority. Seller shall be liable for the damage caused to any enquiry from IHiS relating to the Companyindividual as a result of Seller’s processing of Personal Data; , where Seller has not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company complied with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; Section or expiry any applicable laws, regulations and international accords or termination of the NDAtreaties pertaining to Personal Data, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that where it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose acted outside or return of the documents and materials as aforesaid, the Company shall continue contrary to be bound by the undertakings set out in Clauses 3 and 4 abovelawful instructions from ACWN.

Protection of Personal Data. The Company shallService Provider undertakes to guarantee the secrecy, security and confidentiality of personal data as defined by Law No. 09-08 on the protection of individuals with regard to the processing of personal data communicated to him by the Client in the context of this Contract and / or of which he may have become aware of it during the execution of this Contract (the "Data"). For this purpose, the Service Provider undertakes to:  take all necessary precautions, in relation order to Personal Data: fully comply with all requirements preserve the security of the PDPAData, in particular to prevent them from being deformed, damaged and prevent any access not previously authorized by the Client;  treat the Data only within the framework of instructions and authorization received from the Client;  treat the Data exclusively and exclusively within and under this Contract;  not to use the services of a subcontractor, except that the latter is previously and expressly authorized by the Client and acts under the responsibility and control of the Service Provider. This subcontracting must be carried out under a contract incorporating the provisions of this article and submitted to the prior approval of the Client and to ensure compliance with the obligations subscribed by the Service Provider. It is the sole responsibility of the Service Provider to ensure that the subcontractor provides sufficient guarantees to ensure the implementation of the obligations to which the Service Provider has committed;  respect its obligation of secrecy, security and confidentiality, during all maintenance and remote maintenance operations, carried out within the Service Provider's premises or any other company involved in the processing;  take all security measures, including physical and logical, to ensure the requirements concerning preservation and integrity of the collection, use and disclosure of Personal processed Data; process Personal  implement appropriate technical and organizational measures to protect the Data only against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, as well as any other form of unlawful processing;  take all measures to prevent misuse, malicious or fraudulent use of the Data processed;  at the expiration or termination of this Contract for any reason whatsoever, destroy the Data and computerized or manual files or any medium on which the Data appears. In addition, the Services Provider is prohibited from:  to disclose, in accordance any form whatsoever, all or part of the Data as well as the computerized or manual files or any medium on which the Data appears;  to use all or part of the Data as well as the computerized or manual files or any medium on which the Data appear, on its behalf or on behalf of third parties, for professional, personal or private purposes other than those defined in this Contract ;  to take copy or store, in whatever form and purpose, all or part of the Data as well as the computerized or manual files or any medium on which the Data appears. In addition, the Service Provider undertakes:  at the Client's first request to provide evidence, that he has the organizational and technical means to ensure compliance with his obligations under this article;  to cooperate with the written instructions given Client in all circumstances likely to affect the respect by IHiS and the Service Provider of his obligations under this article;  to such extent necessary and appropriate for inform the completion Client immediately in case of loss or alteration of all or part of the Purpose; promptly deal with Data or any enquiry from IHiS relating to event affecting the Company’s processing security and / or confidentiality of Personal all or part of the Data; not transfer  to enable the Client or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held person authorized by the Company latter and provided that this person is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; thatnot a competitor of the Service Provider, to the extent carry out any audit to verify that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company Service Provider complies with its obligations under this Clause 4article. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return Service Provider undertakes to IHiS all documents cooperate in good faith and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied without reservation with the requirements auditors as soon as it is notified of this Clause 5.1. Notwithstanding the completion of an audit;  to implement at its expense and without delay any corrective measures outlined in the Purpose or return audit report;  to inform the Client as soon as he becomes aware of a control of the documents CNDP. The Service Provider acknowledges that in the event of a breach of its obligations as defined in this article:  that his responsibility may be criminally liable;  that he may be held liable to the Client for any damage that may be caused as a result of the breach, as well as for the payment of compensation for the damage suffered;  that the Client may terminate this Contract immediately and materials as aforesaid, without compensation in favor of the Company shall continue Service Provider without prejudice to be bound damages to which he could claim. The Service Provider undertakes to respect and to enforce the respect of all the obligations mentioned in this article by the undertakings set out in Clauses 3 its management and 4 abovepersonnel.

Protection of Personal Data. As a result of this Agreement, Seller and Seller Parties may obtain certain information relating to identified or identifiable individuals (“Personal Data”), including but not limited to, from Platypus on Platypus’s or its affiliate(s)’ behalf and/or from Platypus affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Parties), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without Platypus’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to Platypus if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Parties shall: fully (i) comply with Platypus’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify Platypus of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform Platypus if, in its opinion, an instruction from Platypus infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collectionregulations and international accords or treaties pertaining to Personal Data; (v) take all appropriate legal, use organizational and disclosure technical measures to protect against unlawful and unauthorized processing of Personal Data; process and (vi) promptly notify Platypus’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with Platypus to promptly and effectively handle such requests with respect to Personal Data, and only respond to any such requests if expressly authorized to do so by Platypus. If Personal Data only in accordance with is transferred from the written instructions given European Economic Area or Switzerland to or by IHiS Seller and/or Seller Parties, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to such extent necessary and the appropriate legal instruments for the completion international transfer of data (such as the PurposeEU-U.S. Privacy Shield Framework); promptly deal with or (b) execute: (1) the Standard Contractual Clauses as approved by the European Commission; and (2) where relevant, the Swiss Transborder Data Flow Agreement; or (c) execute mutually agreeable contractual instruments or Binding Corporate Rules (BCR) as such BCR are approved by the relevant supervisory authority. Seller shall be liable for the damage caused to any enquiry from IHiS relating to the Companyindividual as a result of Seller’s processing of Personal Data; , where Seller has not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company complied with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; Section or expiry any applicable laws, regulations and international accords or termination of the NDAtreaties pertaining to Personal Data, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that where it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose acted outside or return of the documents and materials as aforesaid, the Company shall continue contrary to be bound by the undertakings set out in Clauses 3 and 4 abovelawful instructions from Platypus.

Protection of Personal Data. As a result of this Agreement, Seller and Seller Parties may obtain certain information relating to identified or identifiable individuals (“Personal Data”), including but not limited to, from Apple on Apple’s or its affiliate(s)’ behalf and/or from Apple affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Parties), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without Apple’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to Apple if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Parties shall: fully (i) comply with Apple’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify Apple of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform Apple if, in its opinion, an instruction from Apple infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collection, use regulations and disclosure of international accords or treaties pertaining to Personal Data; process Personal Data only in accordance with the written instructions given by IHiS (v) take all appropriate legal, organizational and technical measures to such extent necessary protect against unlawful and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s unauthorized processing of Personal Data; and (vi) promptly notify Apple’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not transfer or allow the limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with Apple to promptly and effectively handle such requests with respect to Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuseData, and that only authorised personnel have access respond to that Personal Data; that, any such requests if expressly authorized to the extent that the do so by Apple. If Personal Data is no longer required transferred from the European Economic Area or Switzerland to or by Seller and/or Seller Parties, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to the appropriate legal instruments for the international transfer of data (such as the EU- U.S. Privacy Shield Framework); or (b) execute: (1) the Standard Contractual Clauses as approved by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS)European Commission; and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause2) where relevant, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the PurposeSwiss Transborder Data Flow Agreement; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.or

Protection of Personal Data. The Company shallWith respect to the parties'’ rights and obligations under this Contract and each Access Agreement, the parties agree that (a) each LAthe CUSTOMER is the Data Controller in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure respect of Personal Data; process Data attributable to functions exercisable by that LA CUSTOMER and (b) that the SERVICE PROVIDER is the Data Processor. The SERVICE PROVIDER shall: Pprocess the Personal Data only in accordance with instructions from the written relevant LA CUSTOMER (which may be specific instructions given or instructions of a general nature as set out in this Contract, the applicable Access Agreement or as otherwise notified by IHiS the LA CUSTOMER to the SERVICE PROVIDER during the Term); Pprocess the Personal Data only to the extent, and to in such extent manner, as is necessary and appropriate for the completion provision of the PurposeOrdered Software Application Solutions or as is required by Law or any Regulatory Body; promptly deal with any enquiry from IHiS relating implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the Company’s processing harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any SERVICE PROVIDER Personnel who have access to the Personal Data; not obtain prior written consent from each LAthe CUSTOMER in order to transfer or allow the Personal Data attributable to be transferred outside functions exercisable by that LA CUSTOMER to any Sub-Contractors or Affiliates for the provision of Singapore, unless expressly instructed or authorised by IHiSthe Ordered Software Application Solutions; and provide ensure that all necessary co-operation and assistance (whether SERVICE PROVIDER Personnel required to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by are informed of the Company for legal or business purposes, that confidential nature of the Personal Data is destroyed or returned to IHiS and comply with the obligations set out in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS)14; and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach ensure that none of the same. For SERVICE PROVIDER Personnel publish, disclose or divulge any of the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for Personal Data attributable to functions exercisable by any and all potential loss and damage caused LA CUSTOMER to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify unless directed in writing to IHiS do so by that LAe CUSTOMER; notify each LAthe CUSTOMER (within five (5) Working Days) if it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.receives:

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements THINGS SOLVER will maintain appropriate technical and organisation measures for protection of the PDPAsecurity, including the requirements concerning the collectionconfidentiality and integrity of Customer Data which will include, use and but will not be limited to, measures designed to prevent unauthorized access to or disclosure of Personal Customer Data; process Personal Data only . The terms of the personal data processing are specified at legal.thingsolver/data/processing/agreement.pdf (DPA). New release: New version of the services or its component will be provided to the Customer at no charge in accordance with THINGS SOLVER internal new release distribution plan. In the written instructions given event that the delivery of a new version requires provision of integration services, the costs of these services shall be charged to Customer by IHiS Things Solver subsequently, based on the special agreement or Purchase Order, which shall be signed by the Parties. CUSTOMER OBLIGATIONS Customer hereby undertakes to: • use the Services only in compliance with this Agreement and applicable laws and government regulations; • not to such extent necessary and appropriate for the completion make copies of the Purposereceived documentation except for its own needs without the prior consent of the THINGS SOLVER; promptly deal • perform all obligations under this Agreement in professional manner; • notify the THINGS SOLVER in writing within 15 days from the day of the occurrence of any changes that may be relevant for business cooperation. If the Customer does not act in compliance with this point, and the THINGS SOLVER suffers damage as a result, the Customer is obliged to fully compensate him; • use the Services exclusively for its own needs, i.e. that it cannot transfer its right of use to third parties; • report any enquiry from IHiS relating issue in the operation of the Services to the Company’s processing responsible person of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, THINGS SOLVER as soon as reasonably practicablepossible; • notify the THINGS SOLVER of changes in the name, all steps to prevent further unauthorised accesstitle, disclosure address, status, as well as equipment or other breach services installed on its side which have influence on the THINGS SOLVER’s operations; • comply with the THINGS XXXXXX's instructions regarding the use of this clause (including providing IHiS with such reports or information concerning such steps Services; • Ensure for the conditions necessary for the performance of the Agreement, as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify well as access to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), information and resources necessary and to perform appoint from among its duties or discharge its liabilities in connection employees the persons who will collaborate with the Purpose THING SOLVERS’s representatives under the Agreement and applicable Purchase Order; • Timely pay the invoices issued by the THINGS SOLVER under the conditions of the Agreement; • to inform the THINGS SOLVER in a timely manner which is consistent with of all facts and changes in circumstances that significantly affect or could affect the PDPA Documentation, and will not cause IHiS to be in breach fulfilment of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. RETURN OF CONFIDENTIAL INFORMATION The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 abovecontractual obligations.