Common use of Access Control to Use Specific Areas of Data Processing Systems Clause in Contracts

Access Control to Use Specific Areas of Data Processing Systems. Data processor commits that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by its access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. This shall be accomplished by: ● staff policies in respect of access rights to the personal data; ● allocation of individual terminals and/or terminal user; ● as far as possible, monitoring capability in respect of individuals who delete, add or modify the personal data and regular update of authorization profiles; ● release of data to only authorized persons; ● policies controlling the retention of backup copies; and ● as far as possible, use of state of the art encryption technologies. Transmission Control Data processor implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: ● use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels; ● as far as possible, all data transmissions are logged, monitored and tracked. Input Control Data processor implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by: ● authentication of the authorized personnel; individual authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently) ● utilization of user codes (passwords) of at least eight characters or the system maximum permitted number and modification at first use; ● following a policy according to which all staff of Data processor who have access to personal data processed for Customers shall reset their AD passwords at a minimum once per year; ● providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked; ● automatic log-off of user ID's (requirement to re-enter password to use the relevant work station) that have not been used for a substantial period of time; and ● electronic recording of entries. Job Control Data processor ensures that personal data may only be processed in accordance with written instructions issued by exporter. This is accomplished by: ● binding policies and procedures for Data processor's employees, subject to Data Exporters' review and approval. Data processor ensures that if security measures are adopted through external entities it obtains written description of the activities performed that guarantees compliance of the measures adopted with this document. Data processor further implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with relevant system administrators' identification details assigned and providing it promptly to data controller upon request. Availability Control Data processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; ● regular check of all the implemented and herein described security measures; ● any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out; and ● disaster recovery plans. Data processor system administrators (if any): Data processor implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request. Appendix 3: List of Sub-Processors Sub-Processor Name Address Safeguards acc. to Art. 44 - 50 GDPR 10Duke Software Ltd. Uutistie 3 C, 01770 Vantaa, Finland Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Amazon Web Services, Inc. 000 Xxxxx Xxxxxx N., Seattle, WA 98109, USA Data Processing Agreement Docebo Spa a Socio Unico VIA XXXXXXXXXX XXXXXXX 25, MILANO Milan,20145 Italy Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Domo Inc. 000 Xxxx Xxxx Xxxxxx Xxxxx Data Processing Agreement; European Commission standard contractual clauses 2010/87/EU eCraft Oy Ab Säterinportti, Linnoitustie 0X, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Google, Inc. 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, XX 00000, XXX Data Processing Agreement Microsoft Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement Nixu Corporation Keilaranta 00, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Siili Solutions Oyj Xxxxxxxxxxxxx 00, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement Snowflake Computing Inc. 000 Xxxxx Xxxxxxxxx Xxxxxx #100, San Mateo, CA 94401 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Trimble Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU

Access Control to Use Specific Areas of Data Processing Systems. Data processor commits that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by its access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. This shall be accomplished by: ● staff policies in respect of access rights to the personal data; ● allocation of individual terminals and/or terminal user; ● as far as possible, monitoring capability in respect of individuals who delete, add or modify the personal data and regular update of authorization profiles; ● release of data to only authorized persons; ● policies controlling the retention of backup copies; and ● as far as possible, use of state of the art encryption technologies. Transmission Control Data processor implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: ● use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels; ● as far as possible, all data transmissions are logged, monitored and tracked. Input Control Data processor implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by: ● authentication of the authorized personnel; individual authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently) ● utilization of user codes (passwords) of at least eight characters or the system maximum permitted number and modification at first use; ● following a policy according to which all staff of Data processor who have access to personal data processed for Customers shall reset their AD passwords at a minimum once per year; ● providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked; ● automatic log-off of user ID's (requirement to re-enter password to use the relevant work station) that have not been used for a substantial period of time; and ● electronic recording of entries. Job Control Data processor ensures that personal data may only be processed in accordance with written instructions issued by exporter. This is accomplished by: ● binding policies and procedures for Data processor's employees, subject to Data Exporters' review and approval. Data processor ensures that if security measures are adopted through external entities it obtains written description of the activities performed that guarantees compliance of the measures adopted with this document. Data processor further implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with relevant system administrators' identification details assigned and providing it promptly to data controller upon request. Availability Control Data processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; ● regular check of all the implemented and herein described security measures; ● any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out; and ● disaster recovery plans. Data processor system administrators (if any): Data processor implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request. Appendix 3: List of Sub-Processors Sub-Processor Name Address Safeguards acc. to Art. 44 - 50 GDPR 10Duke Software Ltd. Uutistie 3 CXxxxxxxx 0 X, 01770 Vantaa00000 Xxxxxx, Finland Xxxxxxx Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Amazon Web Services, Inc. 000 Xxxxx Xxxxxx N., Seattle, WA 98109, USA Data Processing Agreement Docebo Spa a Socio Unico VIA XXX XXXXXXXXXX XXXXXXX 25, MILANO Milan,20145 Italy Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Domo Inc. 000 Xxxx Xxxx Xxxxxx Xxxxx Data Processing Agreement; European Commission standard contractual clauses 2010/87/EU eCraft Oy Ab SäterinporttiXxxxxxxxxxxxx, Linnoitustie Xxxxxxxxxxxx 0X, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Google, Inc. 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, XX 00000, XXX Data Processing Agreement Microsoft Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement Nixu Corporation Keilaranta Xxxxxxxxxx 00, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Siili Solutions Oyj Xxxxxxxxxxxxx 00, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement Snowflake Computing Inc. 000 Xxxxx Xxxxxxxxx Xxxxxx #100, San Mateo, CA 94401 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Trimble Xxxxxxx Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU

Access Control to Use Specific Areas of Data Processing Systems. Data processor commits Databricks implements suitable measures designed to restrict use of its systems so that the persons entitled certain data is subject to use its data processing system are only able to additional access the data within the scope and to the extent covered permissions (e.g., by its access permission (user or specific authorization) and that personal data Customer Personal Data cannot be read, copied or copied, modified or removed without authorization. This shall be is accomplished by: ● - implementation and maintenance of staff policies in respect of each staff member's access rights to the personal dataCustomer Personal Data; ● - allocation of individual terminals client machines and/or terminal userusers to specific functions; ● as far as possible, - monitoring capability in respect of individuals who delete, add or modify the personal data and regular update Customer Personal Data - conducting audits, at least yearly, of authorization profiles; ● - procedures limiting the release of data Customer Personal Data only to only authorized persons; ● policies controlling the - implementation and maintenance of data retention of backup copiespolicies; and ● as far as possible, - use of state of the art industry standard encryption technologies. Transmission Control Data processor Databricks implements suitable measures designed to prevent the personal data Customer Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: ● - use of state-of-the-art industry standard firewall and encryption technologies to protect the gateways and pipelines through which the data while it travels; ● as far as possible, all and - logging and monitoring of data transmissions are logged, monitored and trackedtransmissions. Input Control Data processor Databricks implements suitable measures designed to ensure that it is possible to check and establish whether and by whom personal data have Customer Personal Data has been input into data processing systems or removedremoved from systems. This is accomplished by: ● - maintenance of an authorization policy for the input of data, and for the reading, alteration and deletion of stored data; - authentication of the authorized personnel; - requiring individual authentication credentials such as user IDs that, once assigned, canare not be re-re- assigned to another person (person; - use of protective measures for any data input into Databricks systems, including subsequently) ● the reading, alteration and deletion of stored data; - utilization of user codes credentials (passwords) of at least eight characters (or the system maximum permitted number if less than eight) and modification at first useuse and thereafter at least every 90 days; ● following a policy according to which all staff of Data processor who have access to personal data processed for Customers shall reset their AD passwords at a minimum once per year; ● - providing that entries to its cloud provider data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked; ● - automatic log-off of user ID's IDs (requirement to requiring re-enter entry of the user’s password to use the relevant work stationworkstation) that have not been used for a substantial period of time; - automatic deactivation of user authentication credentials (such as user IDs) in case the person is disqualified from accessing Customer Personal Data or in case of non-use for a substantial period of time (at least six months), except for those authorized solely for technical management; and ● - electronic recording of entries. Job Control Databricks implements suitable measures designed to ensure that Customer Personal Data processor ensures that personal data may only be processed in accordance with written instructions issued by exporterCustomer. This is accomplished by: ● - binding policies and procedures for Data processor's Databricks' employees, subject to Data Exporters' review and approval. Data processor ensures that if security measures are adopted through ; - maintaining agreements with external entities it obtains written description responsible for the protection or processing of the activities performed Customer Personal Data hereunder that guarantees require substantial compliance of with the measures adopted with this document. Data processor further implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● described hereunder; - individual appointment of system administrators; ● - adoption of suitable measures to register and maintain system administrators' access logs and keep them secure, accurate and unmodified for at least six monthslogs; and ● keeping an updated list with relevant - yearly audits of system administrators' identification details activity to assess compliance with assigned tasks, the instructions received by Databricks and providing it promptly to data controller upon request. Availability Control Data processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; ● regular check of all the implemented and herein described security measures; ● any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them outapplicable laws; and ● disaster recovery plans. Data processor system administrators (if any): Data processor implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● - keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned and assigned. Availability Control Databricks implements suitable measures designed to ensure that Customer Personal Data is protected from accidental destruction or loss. This is accomplished by: - enabling Customer to backup Customer’s data by providing it promptly to infrastructure redundancy options (e.g., data exporter upon request. Appendix 3: List of Sub-Processors Sub-Processor Name Address Safeguards acc. to Art. 44 - 50 GDPR 10Duke Software Ltd. Uutistie 3 C, 01770 Vantaa, Finland Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU versioning within Amazon Web Services) to ensure data access is restorable on demand; and - requiring that the Customer authorize the restoration of backups (if any), Inc. 000 Xxxxx Xxxxxx N., Seattle, WA 98109, USA Data Processing Agreement Docebo Spa a Socio Unico VIA XXXXXXXXXX XXXXXXX 25, MILANO Milan,20145 Italy Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Domo Inc. 000 Xxxx Xxxx Xxxxxx Xxxxx Data Processing Agreement; European Commission standard contractual clauses 2010/87/EU eCraft Oy Ab Säterinportti, Linnoitustie 0X, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Google, Inc. 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, XX 00000, XXX Data Processing Agreement Microsoft Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement Nixu Corporation Keilaranta 00, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Siili Solutions Oyj Xxxxxxxxxxxxx 00, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement Snowflake Computing Inc. 000 Xxxxx Xxxxxxxxx Xxxxxx #100, San Mateo, CA 94401 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Trimble Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EUheld by Databricks. ANNEX C Standard Contractual Clauses (processors) THE PARTIES HAVE AGREED on the following Contractual Clauses (the "Clauses") in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Access Control to Use Specific Areas of Data Processing Systems. Data processor commits You commit that the persons entitled to personnel that may use its your data processing system are only able to access the data within the scope and to the extent covered by its access permission (authorization) their role’s authorization and that personal data Shared Personal Data cannot be read, copied or copied, modified or removed without authorization. This shall be is accomplished byby various measures including: ● staff • employee policies in respect of and training on each employee’s access rights to the personal dataShared Personal Data; ● • allocation of individual terminals and/or terminal userusers and identification characteristics exclusive to specific functions; ● as far as possible, • monitoring capability in respect of for individuals who delete, add add, or modify the personal data and regular update of authorization profilesShared Personal Data; ● • release of data only to only authorized persons, including allocation of differentiated access rights and roles; ● policies controlling the retention • use of backup copiesindustry standard encryption technologies, including for data at rest and in-transit; and ● as far as possible• control of files, use controlled and documented destruction of state data. Availability Control You have implemented and will maintain reasonable and appropriate measures to ensure that Shared Personal Data is protected from accidental destruction or loss, including: • infrastructure redundancy; and • backup is stored at an alternative site and available for restore in case of failure of the art encryption technologiesprimary system. Transmission Control Data processor implements suitable You have implemented and will maintain reasonable and appropriate measures to prevent the personal data Shared Personal Data from being read, copied, altered altered, or deleted by unauthorized parties during the its transmission thereof or during the transport of the data media. This is accomplished byby various measures including: ● • use of state-of-the-art firewall industry standard firewall, VPN, and encryption technologies to protect the gateways and pipelines through which the data travels; ● • highly confidential employee data is encrypted within the system; • providing user alert upon incomplete transfer of data (end to end check); and • as far as possible, all data transmissions are logged, monitored monitored, and tracked. Input Control Data processor implements suitable measures to ensure that it is possible to check You have implemented and establish whether will maintain reasonable and by whom personal data have been appropriate input into data processing systems or removed. This is accomplished bycontrol measures, including: ● • an authorization policy for the input, reading, alteration, and deletion of data; • authentication of the authorized personnel; individual • protective measures for the data input into memory, as well as for the reading, alteration, and deletion of stored data; • utilization of unique authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently) ● utilization of user or codes (passwords) of at least eight characters or the system maximum permitted number and modification at first use); ● following a policy according to which all staff of Data processor who have access to personal data processed for Customers shall reset their AD passwords at a minimum once per year; ● • providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being kept locked; ● • automatic log-off of user ID's (requirement to re-enter password to use the relevant work station) that have not been used for a substantial period of time; • proof established within Developer’s organization of the input authorization; and ● • electronic recording of entries. Job Control Data processor ensures that personal data may only be processed in accordance with written instructions issued by exporter. This is accomplished by: ● binding policies and procedures for Data processor's employees, subject to Data Exporters' review and approval. Data processor ensures that if security measures are adopted through external entities it obtains written description of the activities performed that guarantees compliance of the measures adopted with this document. Data processor further implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with relevant system administrators' identification details assigned and providing it promptly to data controller upon request. Availability Control Data processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; ● regular check of all the implemented and herein described security measures; ● any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out; and ● disaster recovery plans. Data processor system administrators (if any): Data processor implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request. Appendix 3: List of Sub-Processors Sub-Processor Name Address Safeguards acc. to Art. 44 - 50 GDPR 10Duke Software Ltd. Uutistie 3 C, 01770 Vantaa, Finland Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Amazon Web Services, Inc. 000 Xxxxx Xxxxxx N., Seattle, WA 98109, USA Data Processing Agreement Docebo Spa a Socio Unico VIA XXXXXXXXXX XXXXXXX 25, MILANO Milan,20145 Italy Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Domo Inc. 000 Xxxx Xxxx Xxxxxx Xxxxx Data Processing Agreement; European Commission standard contractual clauses 2010/87/EU eCraft Oy Ab Säterinportti, Linnoitustie 0X, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Google, Inc. 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, XX 00000, XXX Data Processing Agreement Microsoft Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement Nixu Corporation Keilaranta 00, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Siili Solutions Oyj Xxxxxxxxxxxxx 00, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement Snowflake Computing Inc. 000 Xxxxx Xxxxxxxxx Xxxxxx #100, San Mateo, CA 94401 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Trimble Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU.

Access Control to Use Specific Areas of Data Processing Systems. Data processor Trimble commits that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by its access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. This shall be accomplished by: ● - staff policies in respect of each staff member's access rights to the personal data; ● - allocation of individual terminals and/or terminal user, and identification characteristics exclusive to specific functions; ● as far as possible, - monitoring capability in respect of individuals who delete, add or modify the personal data and regular at least yearly monitoring and update of authorization profiles; ● - release of data to only authorized persons; ● - policies controlling the retention of backup copies; and ● as far as possible, - use of state of the art encryption technologies. Transmission Control Data processor Trimble implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: ● - use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels; ● - as far as possible, all data transmissions are logged, monitored and tracked; and - monitoring of the completeness and correctness of the transfer of data (end-to-end check). Input Control Data processor Trimble implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by: ● - an authorization policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data; - authentication of the authorized personnel; individual authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently) ● ); - protective measures for the data input into memory, as well as for the reading, alteration and deletion of stored data; - utilization of user codes (passwords) of at least eight characters or the system maximum permitted number and modification at first useuse and thereafter at least every 90 days in case of processing of sensitive data; ● - following a policy according to which all staff of Data processor Trimble who have access to personal data processed for Customers Customer and its Authorized Affiliates shall reset their AD passwords at a minimum once per yearin a 180 day period; ● - providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked; ● - automatic log-off of user ID's (requirement to re-enter password to use the relevant work station) that have not been used for a substantial period of time; - automatic deactivation of user authentication credentials (such as user IDs) in case the person is disqualified from accessing personal data or in case of non use for a substantial period of time (at least six months), except for those authorized solely for technical management; - proof established within Xxxxxxx'x organization of the input authorization; and ● - electronic recording of entries. Job Control Data processor Trimble ensures that personal data may only be processed in accordance with written instructions issued by exporterController. This is accomplished by: ● - binding policies and procedures for Data processor's Xxxxxxx'x employees, subject to Data ExportersCustomer and its Authorized Affiliates' review and approval. Data processor Trimble ensures that if security measures are adopted through external entities it obtains written description of the activities performed that guarantees compliance of the measures adopted with this document. Data processor Trimble further implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● - individual appointment of system administrators; ● - adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with relevant - yearly audits of system administrators' identification details activity to assess compliance with assigned tasks, the instructions received by Processor and providing it promptly to data controller upon request. Availability Control Data processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; ● regular check of all the implemented and herein described security measures; ● any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them outapplicable laws; and ● disaster recovery plans. Data processor system administrators (if any): Data processor implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● - keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter Customer and its Authorized Affiliates upon request. Appendix 3Availability Control Trimble implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: List - infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; - only the Customer and its Authorized Affiliates may authorize the recovery of Subbackups (if any) or the movement of data outside of the location where the physical database is held, and security measures will be adopted to avoid loss or unauthorized access to data, when moved; - regular check of all the implemented and herein described security measures at least every six months; - backup tapes are only re-Processors Subused if information previously contained is not intelligible and cannot be re-constructed by any technical means; other removable media is destroyed or made unusable if not used; and - any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out. Separation of processing for different purposes Trimble implements suitable measures to ensure that data collected for different purposes can be processed separately. This is accomplished by: - access to data is separated through application security for the appropriate users; - modules within Xxxxxxx'x database separate which data is used for which purpose, i.e. by functionality and function; and - at the database level, data is stored in different areas, separated per module or function they support; and - interfaces, batch processes and reports are designed for only specific purposes and functions, so data collected for specific purposes is processed separately. Trimble system administrators (if any): Trimble implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: - individual appointment of system administrators; - adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; - continuous audits of system administrators' activity to assess compliance with assigned tasks, the instructions received by Processor Name Address Safeguards accand applicable laws; and - keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to Customer and its Authorized Affiliate upon request. SCHEDULE 3 – STANDARD CONTRACTUAL CLAUSES (Processors) In addition to Art. 44 - 50 GDPR 10Duke Software Ltd. Uutistie 3 Cthe Standard Contractual Clauses set forth below, 01770 Vantaa, Finland Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Amazon Web Services, Inc. 000 Xxxxx Xxxxxx N., Seattle, WA 98109, USA Data Processing Agreement Docebo Spa a Socio Unico VIA XXXXXXXXXX XXXXXXX 25, MILANO Milan,20145 Italy Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Domo Inc. 000 Xxxx Xxxx Xxxxxx Xxxxx Data Processing Agreement; European Commission standard contractual clauses 2010/87/EU eCraft Oy Ab Säterinportti, Linnoitustie 0X, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Google, Inc. 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, XX 00000, XXX Data Processing Agreement Microsoft Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement Nixu Corporation Keilaranta 00, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Siili Solutions Oyj Xxxxxxxxxxxxx 00, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement Snowflake Computing Inc. 000 Xxxxx Xxxxxxxxx Xxxxxx #100, San Mateo, CA 94401 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Trimble Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EUthe following provisions apply:

Access Control to Use Specific Areas of Data Processing Systems. Data processor importer commits that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by its access permission (authorization) and that personal data Personal Data cannot be read, copied or modified or removed without authorization. This shall be accomplished by: ; ● staff policies and training in respect of each staff member’s access rights to the personal dataPersonal Data; ● allocation of individual terminals and/or terminal useruser accounts; ● as far as possible, monitoring capability in respect utilisation of individuals who delete, add or modify the personal data and regular update of authorization profilesaudit trail; ● release of data to only authorized persons; and ● policies controlling the retention control of backup copiesfiles, controlled and documented destruction of data Availability Control Data importer implements suitable measures to ensure that Personal Data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy; and ● as far as possible, use of state of the art encryption technologies. data redundancy via data backup; Transmission Control Data processor importer implements suitable measures to prevent the personal data Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: ● use of state-of-the-art appropriate firewall and encryption technologies to protect the gateways technologies; and pipelines through which the data travels; ● as far as possible, all data transmissions are logged, arc logged and monitored and tracked. Input Control Data processor importer implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data Personal Data have been input into data processing systems or removed. This is accomplished by: ● an authorization policy for the input of data, as well as for the reading, alteration and deletion of stored data (role based access management rules); ● authentication of the authorized personnel; individual authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently) ● utilization of user codes (passwords) of at least eight characters or the system maximum permitted number and modification at first use); ● following a policy according to which all staff of Data processor users who have access to personal data processed for Customers Personal Data shall reset their AD passwords at a minimum once per yearas specified in the relevant password policy; and ● providing that entries to data processing facilities (the rooms areas housing the computer hardware and related equipment) equipment are capable of being locked; ● automatic log-off of user ID's (requirement to re-enter password to use the relevant work station) that have not been used for a substantial period of time; and ● electronic recording of entries. Job Control Data processor ensures that personal data may only be processed in accordance with written instructions issued by exporter. This is accomplished by: ● binding policies and procedures for Data processor's employees, subject to Data Exporters' review and approval. Data processor ensures that if security measures are adopted through external entities it obtains written description of the activities performed that guarantees compliance of the measures adopted with this document. Importer System Administrators Data processor further importer implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' ’ access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with relevant system administrators' identification details assigned and providing it promptly to data controller upon request. Availability Control Data processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; ● regular check of all the implemented and herein described security measures; ● any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out; and ● disaster recovery plans. Data processor system administrators (if any): Data processor implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six monthsa reasonable period; and ● keeping an updated list with system administrators' ’ identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request. Appendix 3: List of Sub-Processors Sub-Processor Name Address Safeguards acc. to Art. 44 - 50 GDPR 10Duke Software Ltd. Uutistie 3 C, 01770 Vantaa, Finland Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Amazon Web Services, Inc. 000 Xxxxx Xxxxxx N., Seattle, WA 98109, USA Data Processing Agreement Docebo Spa a Socio Unico VIA XXXXXXXXXX XXXXXXX 25, MILANO Milan,20145 Italy Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Domo Inc. 000 Xxxx Xxxx Xxxxxx Xxxxx Data Processing Agreement; European Commission standard contractual clauses 2010/87/EU eCraft Oy Ab Säterinportti, Linnoitustie 0X, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Google, Inc. 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, XX 00000, XXX Data Processing Agreement Microsoft Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement Nixu Corporation Keilaranta 00, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Siili Solutions Oyj Xxxxxxxxxxxxx 00, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement Snowflake Computing Inc. 000 Xxxxx Xxxxxxxxx Xxxxxx #100, San Mateo, CA 94401 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Trimble Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EUassigned.

Access Control to Use Specific Areas of Data Processing Systems. Data processor The Company commits that the persons entitled to use its their data processing system are only able to access the data within the scope and to the extent covered by its their respective access permission (authorizationauthorisation) and that personal data cannot be read, copied or modified or removed without authorizationauthorisation. This shall be accomplished byby various measures including: ● staff • Employee policies and training in respect of each employee’s access rights to the personal data; ● allocation • Allocation of individual terminals and/or and /or terminal user, and identification characteristics exclusive to specific functions; ● as far as possible• Release of data only to authorised persons, monitoring capability in respect including allocation of individuals who deletedifferentiated access rights and roles; • Use of adequate encryption technologies; and • Control of files, add or modify the controlled and documented destruction of data. Availability Control The Company implements suitable measures to ensure that personal data and regular update of authorization profiles; ● release of data to only authorized persons; ● policies controlling the retention of backup copiesare protected from accidental destruction or loss, including: • Infrastructure redundancy; and ● as far as possible, use • Backup is stored at an alternative site and available for restore in case of state failure of the art encryption technologiesprimary system. Transmission Control Data processor The Company implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized unauthorised parties during the transmission thereof or during the transport of the data media. This is accomplished byby various measures including: ● use • Use of state-of-the-art firewall adequate firewall, VPN and encryption technologies to protect the gateways and pipelines through which the data travels; ● • Certain highly confidential Personal data (e.g., personally identifiable information such as National ID numbers, credit or debit card numbers) is also encrypted within the system; and • Providing user alert upon incomplete transfer of data (end to end check); and • As far as possible, all data transmissions are logged, monitored and tracked. Input Control Data processor The Company implements suitable input control measures, including: • Authentication of the authorised personnel; • Protective measures to ensure that it is possible to check and establish whether and by whom personal for the data have been input into data processing systems or removed. This is accomplished by: ● authentication memory, as well as for the reading, alteration and deletion of the authorized personnelstored data; individual • Utilisation of unique authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently) ● utilization of user or codes (passwords) of at least eight characters or the system maximum permitted number and modification at first use); ● following a policy according to which all staff of Data processor who have access to personal data processed for Customers shall reset their AD passwords at a minimum once per year; ● providing • Providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being kept locked; ● automatic • Automatic log-off of user ID's (requirement to re-enter password to use the relevant work station) that have not been used for a substantial period of time; and ● electronic • Electronic recording of entries. Job Control Data processor ensures that personal data may only be processed in accordance with written instructions issued by exporter. This is accomplished by: ● binding policies and procedures for Data processor's employees, subject to Data Exporters' review and approval. Data processor ensures that if security measures are adopted through external entities it obtains written description of the activities performed that guarantees compliance of the measures adopted with this document. Data processor further implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with relevant system administrators' identification details assigned and providing it promptly to data controller upon request. Availability Control Data processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; ● regular check of all the implemented and herein described security measures; ● any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out; and ● disaster recovery plans. Data processor system administrators (if any): Data processor implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request. Appendix 3: List of Sub-Processors Sub-Processor Name Address Safeguards acc. to Art. 44 - 50 GDPR 10Duke Software Ltd. Uutistie 3 C, 01770 Vantaa, Finland Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Amazon Web Services, Inc. 000 Xxxxx Xxxxxx N., Seattle, WA 98109, USA Data Processing Agreement Docebo Spa a Socio Unico VIA XXXXXXXXXX XXXXXXX 25, MILANO Milan,20145 Italy Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Domo Inc. 000 Xxxx Xxxx Xxxxxx Xxxxx Data Processing Agreement; European Commission standard contractual clauses 2010/87/EU eCraft Oy Ab Säterinportti, Linnoitustie 0X, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Google, Inc. 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, XX 00000, XXX Data Processing Agreement Microsoft Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement Nixu Corporation Keilaranta 00, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Siili Solutions Oyj Xxxxxxxxxxxxx 00, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement Snowflake Computing Inc. 000 Xxxxx Xxxxxxxxx Xxxxxx #100, San Mateo, CA 94401 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Trimble Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU.

Access Control to Use Specific Areas of Data Processing Systems. Data processor commits that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by its access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. This shall be accomplished by: ● staff policies in respect of access rights to the personal data; ● allocation of individual terminals and/or terminal user; ● as far as possible, monitoring capability in respect of individuals who delete, add or modify the personal data and regular update of authorization profiles; ● release of data to only authorized persons; ● policies controlling the retention of backup copies; and ● as far as possible, use of state of the art encryption technologies. Transmission Control Data processor implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: ● use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels; ● as far as possible, all data transmissions are logged, monitored and tracked. Input Control Data processor implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by: ● authentication of the authorized personnel; individual authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently) ● utilization of user codes (passwords) of at least eight characters or the system maximum permitted number and modification at first use; ● following a policy according to which all staff of Data processor who have access to personal data processed for Customers shall reset their AD passwords at a minimum once per year; ● providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked; ● automatic log-off of user ID's (requirement to re-enter password to use the relevant work station) that have not been used for a substantial period of time; and ● electronic recording of entries. Job Control Data processor ensures that personal data may only be processed in accordance with written instructions issued by exporter. This is accomplished by: ● binding policies and procedures for Data processor's employees, subject to Data Exporters' review and approval. Data processor ensures that if security measures are adopted through external entities it obtains written description of the activities performed that guarantees compliance of the measures adopted with this document. Data processor further implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with relevant system administrators' identification details assigned and providing it promptly to data controller upon request. Availability Control Data processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; ● regular check of all the implemented and herein described security measures; ● any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out; and ● disaster recovery plans. Data processor system administrators (if any): Data processor implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request. Appendix 3: List of Sub-Processors Sub-Processor Name Address Safeguards acc. to Art. 44 - 50 GDPR 10Duke Software Ltd. Uutistie 3 C, 01770 Vantaa, Finland Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Amazon Web Services, Inc. 000 Xxxxx Xxxxxx N., Seattle, WA 98109, USA Data Processing Agreement Docebo Spa a Socio Unico VIA XXXXXXXXXX XXXXXXX 25Agreement; Privacy Shield Certification Atlassian Pty Ltd 0000 Xxxxxxxx Xxxxxx, MILANO Milan,20145 Italy San Francisco, CA94103, USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Domo Inc. 000 Xxxx Xxxx Xxxxxx Xxxxx Privacy Shield Certification Avanade Finland Oy Xxxxxxxxxxxxx 0, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement; European Commission standard contractual clauses 2010/87/EU Agreement eCraft Oy Ab Säterinportti, Linnoitustie 0X, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Google, Inc. 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, XX 00000, XXX Data Processing Agreement Agreement, Privacy Shield Certification Marketo, Inc. 000 Xxxxxxxx Xxxxxx Xxxxxxxxx, Xxxxx 000, Xxx Xxxxx, XX, 00000, XXX Data Processing Agreement, Privacy Shield Certification Microsoft Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement Agreement, Privacy Shield Certification Nixu Corporation Keilaranta 00, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Siili Solutions Oyj Xxxxxxxxxxxxx 00, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement Snowflake Computing Inc. Sumo Logic, Inc 000 Xxxxx Xxxxxxxxx Xxxxxx #100Xxxx Xxxxxx, San MateoXxxxxxx Xxxx, CA 94401 USA XX 00000, XXX Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Trimble Inc. Privacy Shield Certification Xxxxxxx Inc 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EUEU Xxxxxxx Solutions Oy Xxxxxxxxxxxxxxx 0 00000 XXXXX, Xxxxxxx Data Processing Agreement Xxxxxx Oy Xxxxxxxxxxxxxxx 0, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement

Access Control to Use Specific Areas of Data Processing Systems. Data processor commits that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by its access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. This shall be accomplished by: ● staff policies in respect of access rights to the personal data; ● allocation of individual terminals and/or terminal user; ● as far as possible, monitoring capability in respect of individuals who delete, add or modify the personal data and regular update of authorization profiles; ● release of data to only authorized persons; ● policies controlling the retention of backup copies; and ● as far as possible, use of state of the art encryption technologies. Transmission Control Data processor implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: ● use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels; ● as far as possible, all data transmissions are logged, monitored and tracked. Input Control Data processor implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by: ● authentication of the authorized personnel; individual authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently) ● utilization of user codes (passwords) of at least eight characters or the system maximum permitted number and modification at first use; ● following a policy according to which all staff of Data processor who have access to personal data processed for Customers shall reset their AD passwords at a minimum once per year; ● providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked; ● automatic log-off of user ID's (requirement to re-enter password to use the relevant work station) that have not been used for a substantial period of time; and ● electronic recording of entries. Job Control Data processor ensures that personal data may only be processed in accordance with written instructions issued by exporter. This is accomplished by: ● binding policies and procedures for Data processor's employees, subject to Data Exporters' review and approval. Data processor ensures that if security measures are adopted through external entities it obtains written description of the activities performed that guarantees compliance of the measures adopted with this document. Data processor further implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with relevant system administrators' identification details assigned and providing it promptly to data controller upon request. Availability Control Data processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; ● regular check of all the implemented and herein described security measures; ● any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out; and ● disaster recovery plans. Data processor system administrators (if any): Data processor implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request. Appendix 3: List of Sub-Processors Sub-Processor Name Address Safeguards acc. to Art. 44 - 50 GDPR 10Duke Software Ltd. Uutistie 3 C, 01770 Vantaa, Finland Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Amazon Web Services, Inc. 000 Xxxxx Xxxxxx N., Seattle, WA 98109, USA Data Processing Agreement Docebo Spa a Socio Unico VIA XXXXXXXXXX XXXXXXX 25, MILANO Milan,20145 Italy Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Domo Inc. 000 Xxxx Xxxx Xxxxxx Xxxxx Data Processing Agreement; European Commission standard contractual clauses 2010/87/EU eCraft Oy Ab Säterinportti, Linnoitustie 0X, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Google, Inc. 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, XX 00000, XXX Data Processing Agreement Microsoft Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement Nixu Corporation Keilaranta 00, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Siili Solutions Oyj Xxxxxxxxxxxxx 00, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement Snowflake Computing Inc. 000 Xxxxx Xxxxxxxxx Xxxxxx #100, San Mateo, CA 94401 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Trimble Xxxxxxx Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU

Access Control to Use Specific Areas of Data Processing Systems. Data processor commits that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by its access permission (authorization) and that personal data cannot be read, copied or modified or removed without authorization. This shall be accomplished by: ● staff policies in respect of access rights to the personal data; ● allocation of individual terminals and/or terminal user; ● as far as possible, monitoring capability in respect of individuals who delete, add or modify the personal data and regular update of authorization profiles; ● release of data to only authorized persons; ● policies controlling the retention of backup copies; and ● as far as possible, use of state of the art encryption technologies. Transmission Control Data processor implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: ● use of state-of-the-art firewall and encryption technologies to protect the gateways and pipelines through which the data travels; ● as far as possible, all data transmissions are logged, monitored and tracked. Input Control Data processor implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by: ● authentication of the authorized personnel; individual authentication credentials such as user IDs that, once assigned, cannot be re-assigned to another person (including subsequently) ● utilization of user codes (passwords) of at least eight characters or the system maximum permitted number and modification at first use; ● following a policy according to which all staff of Data processor who have access to personal data processed for Customers shall reset their AD passwords at a minimum once per year; ● providing that entries to data processing facilities (the rooms housing the computer hardware and related equipment) are capable of being locked; ● automatic log-off of user ID's (requirement to re-enter password to use the relevant work station) that have not been used for a substantial period of time; and ● electronic recording of entries. Job Control Data processor ensures that personal data may only be processed in accordance with written instructions issued by exporter. This is accomplished by: ● binding policies and procedures for Data processor's employees, subject to Data Exporters' review and approval. Data processor ensures that if security measures are adopted through external entities it obtains written description of the activities performed that guarantees compliance of the measures adopted with this document. Data processor further implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with relevant system administrators' identification details assigned and providing it promptly to data controller upon request. Availability Control Data processor implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: ● infrastructure redundancy to ensure data access is restored within seven days and backup performed at least weekly; ● regular check of all the implemented and herein described security measures; ● any detected security incident is recorded, alongside the followed data recovery procedures, and the identification of the person who carried them out; and ● disaster recovery plans. Data processor system administrators (if any): Data processor implements suitable measures to monitor its system administrators and to ensure that they act in accordance with instructions received. This is accomplished by: ● individual appointment of system administrators; ● adoption of suitable measures to register system administrators' access logs and keep them secure, accurate and unmodified for at least six months; and ● keeping an updated list with system administrators' identification details (e.g. name, surname, function or organizational area) and tasks assigned and providing it promptly to data exporter upon request. Appendix 3: List of Sub-Processors Sub-Processor Name Address Safeguards acc. to Art. 44 - 50 GDPR 10Duke Software Ltd. Uutistie 3 CXxxxxxxx 0 X, 01770 Vantaa00000 Xxxxxx, Finland Xxxxxxx Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Amazon Web Services, Inc. 000 Xxxxx Xxxxxx N., Seattle, WA 98109, USA Data Processing Agreement Docebo Spa a Socio Unico VIA XXXXXXXXXX XXXXXXX 25Agreement; Privacy Shield Certification Atlassian Pty Ltd 0000 Xxxxxxxx Xxxxxx, MILANO Milan,20145 Italy San Francisco, CA94103, USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Domo Inc. 000 Xxxx Xxxx Xxxxxx Xxxxx Privacy Shield Certification Avanade Finland Oy Xxxxxxxxxxxxx 0, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement; European Commission standard contractual clauses 2010/87/EU Agreement eCraft Oy Ab SäterinporttiXxxxxxxxxxxxx, Linnoitustie Xxxxxxxxxxxx 0X, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Google, Inc. 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, XX 00000, XXX Data Processing Agreement Agreement, Privacy Shield Certification Marketo, Inc. 000 Xxxxxxxx Xxxxxx Xxxxxxxxx, Xxxxx 000, Xxx Xxxxx, XX, 00000, XXX Data Processing Agreement, Privacy Shield Certification Microsoft Inc. 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement Agreement, Privacy Shield Certification Nixu Corporation Keilaranta Xxxxxxxxxx 00, 00000 Xxxxx, Xxxxxxx Data Processing Agreement Siili Solutions Oyj Xxxxxxxxxxxxx 00, 00000 Xxxxxxxx, Xxxxxxx Data Processing Agreement Snowflake Computing Inc. Sumo Logic, Inc 000 Xxxxx Xxxxxxxxx Xxxxxx #100Xxxx Xxxxxx, San MateoXxxxxxx Xxxx, CA 94401 USA XX 00000, XXX Data Processing Agreement, European Commission standard contractual clauses 2010/87/EU Trimble Inc. Privacy Shield Certification Xxxxxxx Inc 000 Xxxxxxx Xxxxx Sunnyvale, CA 94085 USA Data Processing Agreement, European Commission standard contractual clauses 2010/87/EUEU Xxxxxxx Solutions Oy Xxxxxxxxxxxxxxx 0 00000 XXXXX, Xxxxxxx Data Processing Agreement