Common use of Security of processing Clause in Contracts

Security of processing. The level of security shall take into account: • that the personal data does not involve special categories of personal data, personal data of minors, or other personal data requiring special protection under the governing law • that the Master Data is the point of reference to end-users agreed upon information • the case where the Master Agreement may already describe that the Data Processor should establish a high level of data security The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed upon) level of data security appropriate to the risk. The Data Processor should, however, in any event, and as a minimum, implement the following security measures agreed upon with the Data Controller (based on the risk assessment performed by the Data Controller): • End-user passwords must be protected by using specialised hashing functions like Argon2, BCrypt or PBKDF2 to prevent Rainbow Table attacks • Passwords in clear text must not be transferred over the internet • Master Data should be separated from product data • The Data Processor must be able to restore personal data from a backup on a daily basis • Changes to Master Data should be logged • Employees with access to personal data must have signed a confidentiality agreement • Access to Master Data is granted to employees in accordance with Appendix A • Data transfer of personal data over the internet to the Data Processor’s Services should be per- formed securely (using HTTPS/TLS) • The Data Processor must validate system integrity and security of updates to the Services made available • The Data Processor must employ continuous self-evaluation to evaluate the organizational and technical measures used to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services

Security of processing. The level of security shall take into account: • that the personal data does not involve special categories of personal data, personal data of minors, or other personal data requiring special protection under the governing law • that the Master Data is the point of reference to end-users agreed upon information • the case where the Master Agreement may already describe that the Data Processor should establish a high level of The data security The Data Processor processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational organizational security measures that are to be applied to create the necessary nec- xxxxxx (and agreed upon) level of data security appropriate in relation to the risk. The Data Processor data processor should, however, in any event, and as a minimum, implement the following follow- ing security measures agreed upon with the Data Controller data controller (based on the risk assessment performed by the Data Controllerdata controller): • End-user passwords must be protected by using specialised hashing functions like Argon2, BCrypt or PBKDF2 to prevent Rainbow Table attacks • Passwords in clear text must not be transferred over the internet • Master Data should be separated from product data • The Data Processor data processor must be able to restore personal data from a daily performed backup on a daily basis • Changes to Master Data should be logged • Employees with access to personal data must have signed a confidentiality agreement agree- ment • Access to Master Data is granted to employees in accordance with Appendix A • Data transfer of personal data over the internet to the Data Processordata processor’s Services should be per- formed performed securely (using HTTPS/TLS) • The Data Processor data processor must validate system integrity and security of updates to the Services Ser- vices made available • The Data Processor data processor must employ continuous self-evaluation to evaluate the organizational organiza- tional and technical measures used to ensure ongoing confidentiality, integrity, availabilityavail- ability, and resilience of processing systems and services

Security of processing. The level of security shall take into account: • that the personal data does not involve special categories of personal data, personal data of minors, or other personal data requiring special protection under the governing law • that the Master Data is the point of reference to end-users agreed upon information • the case where the Master Agreement may already describe that the Data Processor should establish a high level of data security The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed upon) level of data security appropriate to the risk. The Data Processor should, however, in any event, and as a minimum, implement the following security measures agreed upon with the Data Controller (based on the risk assessment performed by the Data Controller): • End-user passwords must be protected by using specialised hashing functions like Argon2Ar- gon2, BCrypt or PBKDF2 to prevent Rainbow Table attacks • Passwords in clear text must not be transferred over the internet • Master Data should be separated from product data • The Data Processor must be able to restore personal data from a backup on a daily basis • Changes to Master Data should be logged • Employees with access to personal data must have signed a confidentiality agreement • Access to Master Data is granted to employees in accordance with Appendix A • Data transfer of personal data over the internet to the Data Processor’s Services should be per- formed performed securely (using HTTPS/TLS) • The Data Processor must validate system integrity and security of updates to the Services made available • The Data Processor must employ continuous self-evaluation to evaluate the organizational and technical measures used to ensure ongoing confidentiality, integrity, availability, availability and resilience of processing systems and services

Security of processing. The level of security shall take into account: • that the personal data does not involve special categories of personal data, personal data of minors, minors or other personal data requiring special protection under protected by the governing law • that the Master Data is the point of reference to end-end users agreed upon information • the case where that the Master Agreement may already describe that the Data Processor should establish a high level of data security The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed uponagreed) level of data security appropriate to the risk. The Data Processor should, however, should however – in any event, event and as at a minimum, minimum – implement the following security measures that have been agreed upon with the Data Controller (based on the risk assessment performed by the Data Controller): : • End-End user passwords must be are protected by using specialised hashing functions like Argon2, BCrypt or PBKDF2 to prevent Rainbow Table attacks • Passwords in clear text must not be transferred over the internet • Master Data should be separated from product data data. • The Data Processor must be able to restore personal data from a backup on a daily basis • Changes to Change of Master Data should be logged • Employees with access to personal data must have signed a confidentiality agreement • Access to Master Data is granted to employees in accordance with Appendix A • Data transfer of personal data over the internet to the online services and products pro- vided by the Data Processor’s Services Processor should be per- formed performed securely (using HTTPS/TLS) • The Data Processor must validate system integrity and security of updates to the Services services and products made available • The Data Processor must employ continuous self-evaluation to evaluate the organizational and technical measures used to ensure ongoing confidentiality, integrity, availability, availability and resilience resili- ence of processing systems and services

Security of processing. The level of security shall take into account: • that the personal data does not involve special categories of personal data, personal data of minors, or other personal data requiring special protection under the governing law • that the Master Data is the point of reference to end-users agreed upon information • the case where the Master Agreement may already describe that the Data Processor should establish a high level of data security The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed upon) level of data security appropriate in relation to the risk. The Data Processor should, however, in any event, and as a minimum, implement the following security measures agreed upon with the Data Controller (based on the risk assessment performed by the Data Controller): • End-user passwords must be protected by using specialised hashing functions like Argon2, BCrypt or PBKDF2 to prevent Rainbow Table attacks • Passwords in clear text must not be transferred over the internet • Master Data should be separated from product data • The Data Processor must be able to restore personal data from a backup on a daily basis • Changes to Master Data should be logged • Employees with access to personal data must have signed a confidentiality agreement • Access to Master Data is granted to employees in accordance with Appendix A • Data transfer of personal data over the internet to the Data Processor’s Services should be per- formed securely (using HTTPS/TLS) • The Data Processor must validate system integrity and security of updates to the Services made available • The Data Processor must employ continuous self-evaluation to evaluate the organizational and technical measures used to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services

Security of processing. The level of security shall take into account: • account that the personal data processing does not involve a large volume of personal data and a minimum of (if any) personal data as defined in Article 9 GDPR on ‘special categories of personal data, ’. The parties agree that a security level in compliance with article 32 is sufficient in order to protect the personal data of minors, or other personal processed. The data requiring special protection under the governing law • that the Master Data is the point of reference to end-users agreed upon information • the case where the Master Agreement may already describe that the Data Processor should establish a high level of data security The Data Processor processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary neces- sary (and agreed uponagreed) level of data security appropriate to the risksecurity. The Data Processor should, however, data processor shall however – in any event, event and as at a minimum, minimum – implement the following security measures that have been agreed upon with the data con- troller: Access control of processing areas Data Controller (based on the risk assessment performed by the Data Controller): • End-user passwords must be protected by using specialised hashing functions like Argon2, BCrypt or PBKDF2 processor implements suitable measures in order to prevent Rainbow Table attacks unauthorized persons from gaining access to the data processing equipment (namely telephones, database and applica- tion servers and related hardware) where the personal data are processed or used, includ- ing: • Passwords in clear text must establishing security areas; • protection and restriction of access paths; • establishing access authorizations for employees and third parties; and • the data center where personal data are hosted is secured by appropriate security measures. Access control to data processing systems Data processor implements suitable measures to prevent their data processing systems from being accessed or used by unauthorized persons, including: • use of adequate encryption technologies, • identification of the terminal and/or the terminal user to the data processor and pro- cessing systems, • automatic temporary lock-out of user terminal if left idle, identification and password required to reopen; and • all access to data content is logged, monitored, and tracked. Access control to use specific areas of data processing systems Data processor commits that the persons entitled to use their data processing system are only able to access the data within the scope and to the extent covered by their respective access permission (authorization) and that personal data cannot be transferred over read, copied or modified or removed without authorization. This shall be accomplished by various measures including: SynergyXR – Company ID: DK31177626 – Silkeborgvej 261-263 – 0000 Xxxxxxxx - Xxxxxxx personal data, • allocation of individual terminals and /or terminal user, and identification characteris- tics exclusive to specific functions, • monitoring capability in respect of individuals who delete, add or modify the internet personal data, • Master release of data only to authorized persons, including allocation of differentiated ac- cess rights and roles, • use of adequate encryption technologies, and • control of files, and controlled destruction of data. Availability control Data should be separated processor implements suitable measures to ensure that personal data are protected from product data accidental destruction or loss, including: • The infrastructure redundancy, • backup is stored at an alternative site and available for restore in case of failure of the primary system. Transmission control Data Processor must be able processor implements suitable measures to restore prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by various measures including: • use of adequate firewall, VPN and encryption technologies to protect the gateways and pipelines through which the data travels; and • as far as possible, all data transmissions are logged, monitored and tracked. Input control Data processor implements suitable input control measures, including: • an authorization policy for the input, reading, alteration and deletion of data; • authentication of the authorized personnel, • utilization of unique authentication credentials or passwords, • providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are kept locked, • automatic log-off of user ID's that have not been used for a backup on a daily basis substantial period of time, • Changes proof established within data processor’s organization of the input authorization, and • electronic recording of entries. Separation of processing for different purposes Data processor implements suitable measures to Master Data should ensure that data collected for different pur- poses can be logged processed separately, including: • Employees with access to personal data must have signed a confidentiality agreement is separated through application security for the appropriate users, • Access to Master modules within the data processor’s database separate which data is used for which purpose, i.e. by functionality and function, and • interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately. SynergyXR – Company ID: DK31177626 – Silkeborgvej 261-263 – 0000 Xxxxxxxx - Xxxxxxx Data is granted to employees processor will keep documentation of technical and organizational measures in accordance with Appendix A • case of audits and for the conservation of evidence. Data transfer of personal data over the internet to the Data Processor’s Services should be per- formed securely (using HTTPS/TLS) • The Data Processor must validate system integrity and security of updates to the Services made available • The Data Processor must employ continuous self-evaluation to evaluate the organizational and technical measures used processor shall take reasonable steps to ensure ongoing confidentiality, integrity, availabilitythat persons employed by it, and resilience other persons at the place of processing systems work concerned, are aware of and servicescomply with the technical and organizational measures set forth in this xxxxx- xxx C.2.

Security of processing. The level of security shall take into account: • that the personal data does not involve special categories of personal data, personal data of minors, or other personal data requiring special protection under the governing law • that the Master Data is the point of reference to end-users agreed upon information • the case where the Master Agreement may already describe that the Data Processor should establish a high level of data security The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed upon) level of data security appropriate to the risk. The Data Processor should, however, in any event, and as a minimum, implement the following security measures agreed upon with the Data Controller (based on the risk assessment performed by the Data Controller): • End-user passwords must be protected by using specialised hashing functions like Argon2Ar- gon2, BCrypt or PBKDF2 to prevent Rainbow Table attacks • Passwords in clear text must not be transferred over the internet • Master Data should be separated from product data • The Data Processor must be able to restore personal data from a backup on a daily basis • Changes to Master Data should be logged • Employees with access to personal data must have signed a confidentiality agreement • Access to Master Data is granted to employees in accordance with Appendix A • Data transfer of personal data over the internet to the Data Processor’s Services should be per- formed performed securely (using HTTPS/TLS) • The Data Processor must validate system integrity and security of updates to the Services made available • The Data Processor must employ continuous self-evaluation to evaluate the organizational and technical measures used to ensure ongoing confidentiality, integrity, availability, availability and resilience of processing systems and services