Common use of COMPETENT SUPERVISORY AUTHORITY Clause in Contracts

COMPETENT SUPERVISORY AUTHORITY. As set out in Section 5.6 above.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The following measures are the minimum required to be implemented by the data importer on the transferred Personal Data:

• Implement Information Security and Privacy Protection policies and procedures for critical assets and business processes in accordance with relevant laws, regulations and aligned to industry standards like ISO27001 or NIST Cyber Security Framework.
• Regularly assess security controls and risks in your information system(s) to determine if the controls are effective in their application, particularly following major changes, security incidents or data breaches.
• Ability to ensure the ongoing confidentiality, integrity, availability and resilience of Personal Data and systems and services that process the Personal Data.
• Manage supplier relationships including security requirements, SLAs, outsourcing agreements for contracts being used as part of the service provision including data processing agreements in place with the sub-processors you use to deliver the services or products in accordance with the GDPR.
• Perform appropriate background checks on personnel (employees, contractors and third party users) before hiring, when needed and legally permitted.
• All relevant personnel should be adequately and regularly trained on security and privacy protection.
• Manage access to protect personal data and systems or services that process and store personal data from unauthorized access following separation of duties and least privilege principles. Access controls should include identity management, authentication of users incorporating a strong password policy, authorization, accountability, network segregation, regular access reviews (i.e. rights and privileges) and access revocation where access is no longer necessary.
• Implement a strong password policy by enforcing the use of sufficiently complex combinations of characters and numbers, length, enforcing periodic password renewal, restrictions on password reuse, ensure passwords are encrypted and incorporate multi-factor where possible.
• Establish, protect, and maintain the integrity of your network, platforms and services by taking steps to detect and prevent successful security incidents like DDoS, viruses, code injections or other malware that can alter the functionality of the systems, or confidentiality, integrity or availability of information and systems, through industry best practice security controls like malware protection, DDoS protection, IDS/IPS, firewalls, vulnerability scanning, patch management.
• Ensure network and information systems and services are subject to regular security testing (e.g. penetration testing, vulnerability scanning, static and dynamic application security testing), including for major upgrades, to identify vulnerabilities that could expose your service to increased risk of malicious intrusion, modification, and unauthorized access to sensitive data.
• Implement a patch management process to ensure updates are performed on systems with critical and high risk vulnerabilities addressed immediately, with all other system flaws, weaknesses or deficiencies identified, reported and remediated in a timely manner.
• Antivirus software must be loaded and operational on all systems processing personal data. Other malware detection techniques should be used where possible (e.g., email scanning, file system scanning, internet traffic scanning, etc.).
• Assets are inventoried, classified and updated when changes occur (i.e. new systems/software introduced, systems decommissioned).
• Establish change and configuration management procedures for key network and information systems to manage configuration securely.
• Implement network and information systems security event logging and monitoring for the offered service using Security Operations Center (SOC), Security Information and Event Management (SIEM), agents to report anomalous behavior at both network and host level.
• Protect logs against modification or tampering.
• Protect the service infrastructure from unauthorized software being installed.
• Ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident (i.e. security incidents and/or data breaches) through effective detection, response and reporting capabilities.
• Provide continuity for the services offered, ability to recover from data loss, protection against compromise, provision of appropriate failover, necessary data retention and an effective data backup policy.
• Use pseudonymisation and encryption to protect the confidentiality of personal data and other sensitive data while in transit or at rest. Encryption should meet industry standard requirements like NIST FIPS 140.
• Ensure personal data removal, deletion and sanitization measures meet appropriate levels of security.
• Service software is developed in a secure way through secure coding practices, following industry best practices (i.e. OWASP Top 10, Secure Coding Standards) including vulnerability analysis.
• Ensure perimeter and internal network protection, maintain physical or logical separation between the perimeter network and internal networks containing personal data. Development and test environments are secured and separated from live production environments.
• Ensure physical security of locations at which personal data is processed including reasonable steps to protect against unauthorized access.
• Devices used for handling Personal Data should not permit data to be written to removable media or to have data read from same nor should they allow printing of Personal data to an unauthorized printer. Such devices should have password protected screensavers implemented and be locked as a matter of course when the user leaves the workstation.
• All important and confidential documentation is removed from the desk and locked away when items are not in use or an employee leaves his/her workstation.
• Remote access to network and information systems is secured through VPN connection while using devices that have been adequately secured against compromise (e.g. through the use of antivirus software and patching devices with available security fixes).

Exhibit B: Data Transfer Agreement

Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)

Data Transfer Agreement

Between

Name of the data exporting organization: Huawei Services (Hong Kong) Co., Limited
Address: 9th Floor, Tower 0, Xxx Xxxxxxx, Xx. 0 Xxxxxx Xxxx, Xxxx Xxx Xxxx, Kowloon, Hong Kong
and Huawei Services (Hong Kong) Co., Limited on behalf of other Data Controllers (please refer to our website for the controller list)
hereinafter "data exporter"

And

Developer who signed the HUAWEI AppGallery Connect Service Agreement with data exporter and part of the Agreement
hereinafter "data importer"

each a "party"; together "the parties".

Appears in 2 contracts

Samples: Huawei Appgallery Connect Service Agreement, Huawei Appgallery Connect Service Agreement


COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13: As set out in Section 5.6 above 6 above.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The following measures are the minimum required to be implemented by the data importer on the transferred Personal Data:

• Implement Information Security and Privacy Protection policies and procedures for critical assets and business processes in accordance with relevant laws, regulations and aligned to industry standards like ISO27001 or NIST Cyber Security Framework.
• Regularly assess security controls and risks in your information system(s) to determine if the controls are effective in their application, particularly following major changes, security incidents or data breaches.
• Ability to ensure the ongoing confidentiality, integrity, availability and resilience of Personal Data and systems and services that process the Personal Data.
• Manage supplier relationships including security requirements, SLAs, outsourcing agreements for contracts being used as part of the service provision including data processing agreements in place with the sub-processors you use to deliver the services or products in accordance with the GDPR.
• Perform appropriate background checks on personnel (employees, contractors and third party users) before hiring, when needed and legally permitted.
• All relevant personnel should be adequately and regularly trained on security and privacy protection.
• Manage access to protect personal data and systems or services that process and store personal data from unauthorized access following separation of duties and least privilege principles. Access controls should include identity management, authentication of users incorporating a strong password policy, authorization, accountability, network segregation, regular access reviews (i.e. rights and privileges) and access revocation where access is no longer necessary.
• Implement a strong password policy by enforcing the use of sufficiently complex combinations of characters and numbers, length, enforcing periodic password renewal, restrictions on password reuse, ensure passwords are encrypted and incorporate multi-factor where possible.
• Establish, protect, and maintain the integrity of your network, platforms and services by taking steps to detect and prevent successful security incidents like DDoS, viruses, code injections or other malware that can alter the functionality of the systems, or confidentiality, integrity or availability of information and systems, through industry best practice security controls like malware protection, DDoS protection, IDS/IPS, firewalls, vulnerability scanning, patch management.
• Ensure network and information systems and services are subject to regular security testing (e.g. penetration testing, vulnerability scanning, static and dynamic application security testing), including for major upgrades, to identify vulnerabilities that could expose your service to increased risk of malicious intrusion, modification, and unauthorized access to sensitive data.
• Implement a patch management process to ensure updates are performed on systems with critical and high risk vulnerabilities addressed immediately, with all other system flaws, weaknesses or deficiencies identified, reported and remediated in a timely manner.
• Antivirus software must be loaded and operational on all systems processing personal data. Other malware detection techniques should be used where possible (e.g., email scanning, file system scanning, internet traffic scanning, etc.).
• Assets are inventoried, classified and updated when changes occur (i.e. new systems/software introduced, systems decommissioned).
• Establish change and configuration management procedures for key network and information systems to manage configuration securely.
• Implement network and information systems security event logging and monitoring for the offered service using Security Operations Center (SOC), Security Information and Event Management (SIEM), agents to report anomalous behavior at both network and host level.
• Protect logs against modification or tampering.
• Protect the service infrastructure from unauthorized software being installed.
• Ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident (i.e. security incidents and/or data breaches) through effective detection, response and reporting capabilities.
• Provide continuity for the services offered, ability to recover from data loss, protection against compromise, provision of appropriate failover, necessary data retention and an effective data backup policy.
• Use pseudonymisation and encryption to protect the confidentiality of personal data and other sensitive data while in transit or at rest. Encryption should meet industry standard requirements like NIST FIPS 140.
• Ensure personal data removal, deletion and sanitization measures meet appropriate levels of security.
• Service software is developed in a secure way through secure coding practices, following industry best practices (i.e. OWASP Top 10, Secure Coding Standards) including vulnerability analysis.
• Ensure perimeter and internal network protection, maintain physical or logical separation between the perimeter network and internal networks containing personal data. Development and test environments are secured and separated from live production environments.
• Ensure physical security of locations at which personal data is processed including reasonable steps to protect against unauthorized access.
• Devices used for handling Personal Data should not permit data to be written to removable media or to have data read from same nor should they allow printing of Personal data to an unauthorized printer. Such devices should have password protected screensavers implemented and be locked as a matter of course when the user leaves the workstation.
• All important and confidential documentation is removed from the desk and locked away when items are not in use or an employee leaves his/her workstation; and
• Remote access to network and information systems is secured through VPN connection while using devices that have been adequately secured against compromise (e.g. through the use of antivirus software and patching devices with available security fixes).

Exhibit ) Attachment B: Data Transfer Agreement Standard contractual clauses for the transfer of personal data from the Community Singapore to third countries (controller to controller transfers) Data Transfer This Agreement is made and entered into Between Name of the data exporting organization: Huawei Services (Hong Kong) Co., Limited ("Huawei") Address: 9th FloorRoom 03, Tower 0/X, Xxxxx 0, Xxx xxx Xxxxxxx, Xx. 0 Xxxxxx Xxxx, Xxxx Xxx Xxxx, KowloonXxxxxxx, Hong Kong Xxxx Xxxx. Company registration number: 1451551 and/or relevant AppTouch Provider outside both EU/EEA and Huawei Services (Hong Kong) Co., Limited on behalf of other Data Controllers (please refer to our website for the controller list) Russia hereinafter "data exporter" And Developer who signed the HUAWEI AppGallery Connect Service Agreement on Use of Huawei APIs with data exporter Huawei and part of the Agreement hereinafter "data importer" each a "party"; together "the parties".

Appears in 2 contracts

Samples: Huawei Apis, Huawei Apis

COMPETENT SUPERVISORY AUTHORITY. As set out Identify the competent supervisory authority/ies in Section 5.6 above accordance with Clause 13 Irish Data Protection Commission

ANNEX II TECHNICAL AND ORGANISATIONAL ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The following measures are the minimum required to be implemented by the data importer on the transferred Personal Data:

• Implement Information Security and Privacy Protection policies and procedures for critical assets and business processes in accordance with relevant laws, regulations and aligned to industry standards like ISO27001 or NIST Cyber Security Framework.
• Regularly assess security controls and risks in your information system(s) to determine if the controls are effective in their application, particularly following major changes, security incidents or data breaches.
• Ability to ensure the ongoing confidentiality, integrity, availability and resilience of Personal Data and systems and services that process the Personal Data.
• Manage supplier relationships including security requirements, SLAs, outsourcing agreements for contracts being used as part of the service provision including data processing agreements in place with the sub-processors you use to deliver the services or products in accordance with the GDPR.
• Perform appropriate background checks on personnel (employees, contractors and third party users) before hiring, when needed and legally permitted.
• All relevant personnel should be adequately and regularly trained on security and privacy protection.
• Manage access to protect personal data and systems or services that process and store personal data from unauthorized access following separation of duties and least privilege principles. Access controls should include identity management, authentication of users incorporating a strong password policy, authorization, accountability, network segregation, regular access reviews (i.e. rights and privileges) and access revocation where access is no longer necessary.
• Implement a strong password policy by enforcing the use of sufficiently complex combinations of characters and numbers, length, enforcing periodic password renewal, restrictions on password reuse, ensure passwords are encrypted and incorporate multi-factor where possible.
• Establish, protect, and maintain the integrity of your network, platforms and services by taking steps to detect and prevent successful security incidents like DDoS, viruses, code injections or other malware that can alter the functionality of the systems, or confidentiality, integrity or availability of information and systems, through industry best practice security controls like malware protection, DDoS protection, IDS/IPS, firewalls, vulnerability scanning, patch management.
• Ensure network and information systems and services are subject to regular security testing (e.g. penetration testing, vulnerability scanning, static and dynamic application security testing), including for major upgrades, to identify vulnerabilities that could expose your service to increased risk of malicious intrusion, modification, and unauthorized access to sensitive data.
• Implement a patch management process to ensure updates are performed on systems with critical and high risk vulnerabilities addressed immediately, with all other system flaws, weaknesses or deficiencies identified, reported and remediated in a timely manner.
• Antivirus software must be loaded and operational on all systems processing personal data. Other malware detection techniques should be used where possible (e.g., email scanning, file system scanning, internet traffic scanning, etc.).
• Assets are inventoried, classified and updated when changes occur (i.e. new systems/software introduced, systems decommissioned).
• Establish change and configuration management procedures for key network and information systems to manage configuration securely.
• Implement network and information systems security event logging and monitoring for the offered service using Security Operations Center (SOC), Security Information and Event Management (SIEM), agents to report anomalous behavior at both network and host level.
• Protect logs against modification or tampering.
• Protect the service infrastructure from unauthorized software being installed.
• Ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident (i.e. security incidents and/or data breaches) through effective detection, response and reporting capabilities.
• Provide continuity for the services offered, ability to recover from data loss, protection against compromise, provision of appropriate failover, necessary data retention and an effective data backup policy.
• Use pseudonymisation and encryption to protect the confidentiality of personal data and other sensitive data while in transit or at rest. Encryption should meet industry standard requirements like NIST FIPS 140.
• Ensure personal data removal, deletion and sanitization measures meet appropriate levels of security.
• Service software is developed in a secure way through secure coding practices, following industry best practices (i.e. OWASP Top 10, Secure Coding Standards) including vulnerability analysis.
• Ensure perimeter and internal network protection, maintain physical or logical separation between the perimeter network and internal networks containing personal data. Development and test environments are secured and separated from live production environments.
• Ensure physical security of locations at which personal data is processed including reasonable steps to protect against unauthorized access.
• Devices used for handling Personal Data should not permit data to be written to removable media or to have data read from same nor should they allow printing of Personal data to an unauthorized printer. Such devices should have password protected screensavers implemented and be locked as a matter of course when the user leaves the workstation.
• All important and confidential documentation is removed from the desk and locked away when items are not in use or an employee leaves his/her workstation.
• Remote access to network and information systems is secured through VPN connection while using devices that have been adequately secured against compromise (e.g. through the use of antivirus software and patching devices with available security fixes).

Exhibit B: Attachment 3 Data Transfer Agreement Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers) Data Transfer This Agreement is made and entered into Between Name of the data exporting organization: Huawei Services (Hong Kong) Co., Limited Address(Company registration number: 9th Floor1451551), Tower a company incorporated under the laws of Hong Kong (China) and having its registered address at Room 00, 0/X, Xxxxx 0, Xxx xxx Xxxxxxx, Xx. 0 Xxxxxx Xxxx, Xxxx Xxx Xxxx, KowloonXxxxxxx, Hong Kong and Huawei Services Xxxx Xxxx (Hong KongXxxxx) Co., Limited on behalf of other ("Data Controllers Exporter") And The entity identified as "Customer" in Agreement (please refer to our website for the controller list"Data Importer") hereinafter "data exporter" And Developer who signed the HUAWEI AppGallery Connect Service Agreement with data exporter and part of the Agreement hereinafter "data importer" each Each a "party"; together "the parties".

Appears in 2 contracts

Samples: Petal Ads Services Agreement, Petal Ads Services Agreement

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13: As set out in Section 5.6 above 6 above.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The following measures are the minimum required to be implemented by the data importer on the transferred Personal Data:

• Implement Information Security and Privacy Protection policies and procedures for critical assets and business processes in accordance with relevant laws, regulations and aligned to industry standards like ISO27001 or NIST Cyber Security Framework.
• Regularly assess security controls and risks in your information system(s) to determine if the controls are effective in their application, particularly following major changes, security incidents or data breaches.
• Ability to ensure the ongoing confidentiality, integrity, availability and resilience of Personal Data and systems and services that process the Personal Data.
• Manage supplier relationships including security requirements, SLAs, outsourcing agreements for contracts being used as part of the service provision including data processing agreements in place with the sub-processors you use to deliver the services or products in accordance with the GDPR.
• Perform appropriate background checks on personnel (employees, contractors and third party users) before hiring, when needed and legally permitted.
• All relevant personnel should be adequately and regularly trained on security and privacy protection.
• Manage access to protect personal data and systems or services that process and store personal data from unauthorized access following separation of duties and least privilege principles. Access controls should include identity management, authentication of users incorporating a strong password policy, authorization, accountability, network segregation, regular access reviews (i.e. rights and privileges) and access revocation where access is no longer necessary.
• Implement a strong password policy by enforcing the use of sufficiently complex combinations of characters and numbers, length, enforcing periodic password renewal, restrictions on password reuse, ensure passwords are encrypted and incorporate multi-factor where possible.
• Establish, protect, and maintain the integrity of your network, platforms and services by taking steps to detect and prevent successful security incidents like DDoS, viruses, code injections or other malware that can alter the functionality of the systems, or confidentiality, integrity or availability of information and systems, through industry best practice security controls like malware protection, DDoS protection, IDS/IPS, firewalls, vulnerability scanning, patch management.
• Ensure network and information systems and services are subject to regular security testing (e.g. penetration testing, vulnerability scanning, static and dynamic application security testing), including for major upgrades, to identify vulnerabilities that could expose your service to increased risk of malicious intrusion, modification, and unauthorized access to sensitive data.
• Implement a patch management process to ensure updates are performed on systems with critical and high risk vulnerabilities addressed immediately, with all other system flaws, weaknesses or deficiencies identified, reported and remediated in a timely manner.
• Antivirus software must be loaded and operational on all systems processing personal data. Other malware detection techniques should be used where possible (e.g., email scanning, file system scanning, internet traffic scanning, etc.).
• Assets are inventoried, classified and updated when changes occur (i.e. new systems/software introduced, systems decommissioned).
• Establish change and configuration management procedures for key network and information systems to manage configuration securely.
• Implement network and information systems security event logging and monitoring for the offered service using Security Operations Center (SOC), Security Information and Event Management (SIEM), agents to report anomalous behavior at both network and host level.
• Protect logs against modification or tampering.
• Protect the service infrastructure from unauthorized software being installed.
• Ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident (i.e. security incidents and/or data breaches) through effective detection, response and reporting capabilities.
• Provide continuity for the services offered, ability to recover from data loss, protection against compromise, provision of appropriate failover, necessary data retention and an effective data backup policy.
• Use pseudonymisation and encryption to protect the confidentiality of personal data and other sensitive data while in transit or at rest. Encryption should meet industry standard requirements like NIST FIPS 140.
• Ensure personal data removal, deletion and sanitization measures meet appropriate levels of security.
• Service software is developed in a secure way through secure coding practices, following industry best practices (i.e. OWASP Top 10, Secure Coding Standards) including vulnerability analysis.
• Ensure perimeter and internal network protection, maintain physical or logical separation between the perimeter network and internal networks containing personal data. Development and test environments are secured and separated from live production environments.
• Ensure physical security of locations at which personal data is processed including reasonable steps to protect against unauthorized access.
• Devices used for handling Personal Data should not permit data to be written to removable media or to have data read from same nor should they allow printing of Personal data to an unauthorized printer. Such devices should have password protected screensavers implemented and be locked as a matter of course when the user leaves the workstation.
• All important and confidential documentation is removed from the desk and locked away when items are not in use or an employee leaves his/her workstation; and
• Remote access to network and information systems is secured through VPN connection while using devices that have been adequately secured against compromise (e.g. through the use of antivirus software and patching devices with available security fixes).

Exhibit ) Attachment B: Data Transfer Agreement Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers) Data Transfer in Compliance with Russian Legislation This Agreement Between Name of the data exporting organization: Huawei Services (Hong Kong) is made and entered into between Honor Technologies Co., Limited Address: 9th FloorLtd. (000000, Tower 0Xxxxxx, Xxx XxxxxxxXxxxxxxxxxx xxx., Xx. 0 Xxxxxx Xxxx00, Xxxx Xxx Xxxx, Kowloon, Hong Kong and Huawei Services floor 6) (Hong Kong) Co., Limited on behalf of other Data Controllers (please refer to our website for the controller list"HONOR") hereinafter "data exporter" And Developer who signed the HUAWEI AppGallery Connect Service Agreement Agreements on use of HONOR Services with data exporter and part of the Agreement HONOR, hereinafter "data importer" ", each a "party"; " and together "the parties".
Each of the parties is a personal data operator defined by Russian law and also a data controller defined in Agreements, including personal data processed as part of the fulfillment of obligations provided within the Agreements on use of HONOR Services. For the purposes of the Agreement, personal data refers to information that is, in accordance with the legislation of the Russian Federation, to be transferred by data exporter to data importer and includes the following data:
•Payment information except bank card information, such as the order number, amount, subscription information (subscription ID), and currency
•HONOR ID
•Game Service data, such as player ID, rankings, achievements, purchases, player stats

The personal data transferred concern the following categories of data subjects:
•Data subjects of the data exporter who have signed both the App Market and IAP user agreements and made in-app purchases;
•Data subjects of the data exporter who have signed both the Game Center User Agreement and IAP user agreements and made in-app purchases;
•Data subjects of the data exporter who have authorized the importer to access their account information.
•Data subjects of the data exporter who have signed the Game Center User Agreement and authorized the disclosure to the importer.

The transfer is made for the following purposes:
•Allow the settlement of payment between the Data Exporter and the Data Importer.
•Allow the data subjects to log in on the importer application with their respective accounts and enable importer to provide account functionalities relying on access to data subject's account related information (e.g. access security events for maintaining account security, access basic profile information and address information to create and maintain user profile information, etc.).
•Allow the data subjects to use the Game Service features available on the importer application.
Additionally, to allow the importer to improve its service when authorized by the data subjects.

The transfer of personal data is not considered by the Parties as an instruction to process personal data. Each of the parties shall ensure the confidentiality of personal data received within the framework of the Agreements, compliance with the requirements for personal data processing established by Federal Law No. 152-FZ of July 27, 2006 "On Personal Data" and regulatory acts adopted in its execution, and shall be responsible for taking all necessary legal, organizational and technical measures to protect personal data from unauthorized or accidental access to them, destruction, modification, blocking, copying, dissemination of personal data as well as other illegal actions regarding such data. The party that provides personal data shall be responsible for the legality and accuracy of provided data to other party for the purpose of executing the Agreement, as well as for obtaining the consent of the data subjects to transfer their personal data to the other party in the manner prescribed by the legislation of the Russian Federation personal data. The party that received personal data from the other party does not assume the obligation to inform the data subjects whose personal data has been transferred about the beginning of their processing, since the party that transfers personal data must bear the obligation to inform the data subjects accordingly. The party that received personal data shall store the data no longer than the purposes of personal data processing require. At the end of the retention period, personal data will be deleted or depersonalized, unless otherwise provided by applicable laws and regulations. In case the Data Importer's servers to receive such personal data are not located in Russia, then for export of such personal data the Data Exporter should get separate consent of the data subject for cross-border data transfer.

The party receiving personal data has the right to engage in processing the received personal data of third parties for the purpose of executing the Agreement in the necessary volume only if the other party provides confirmation of receipt of the relevant consent from the personal data subject. In any case, a party is obliged, upon the request of the other party, to provide information about third parties who were provided with personal data or who had access to them: their full and abbreviated names, address of the location (place of registration and residence), information about which particular personal data of what particular subjects and for what purposes were transferred to third parties.

Appears in 1 contract

Samples: Transfer Agreement

COMPETENT SUPERVISORY AUTHORITY. As set out Identify the competent supervisory authority/ies in Section 5.6 above accordance with Clause 13 Irish Data Protection Commission
ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The following measures are the minimum required to be implemented by the data importer on the transferred Personal Data:
•Implement Information Security and Privacy Protection policies and procedures for critical assets and business processes in accordance with relevant laws, regulations and aligned to industry standards like ISO27001 or NIST Cyber Security Framework.
•Regularly assess security controls and risks in your information system(s) to determine if the controls are effective in their application, particularly following major changes, security incidents or data breaches. Provide independent assurance (i.e. external audit with industry standard accreditation like ISO27001 or internal audit) of processes and products.
•Ability to ensure the ongoing confidentiality, integrity, availability and resilience of Personal Data and systems and services that process the Personal Data.
•Manage supplier relationships including security requirements, SLAs, outsourcing agreements for contracts being used as part of the service provision including data processing agreements in place with the sub-processors you use to deliver the services or products in accordance with the GDPR.
•Perform appropriate background checks on personnel (employees, contractors and third party users) before hiring, when needed and legally permitted.
•All relevant personnel should be adequately and regularly trained on security and privacy protection. Developers and Content Providers with access to sensitive data are adequately trained to understand their data protection responsibilities.
•Manage access to protect personal data and systems or services that process and store personal data from unauthorized access following separation of duties and least privilege principles. Access controls should include identity management, authentication of users incorporating a strong password policy, authorization, accountability, network segregation, regular access reviews (i.e. rights and privileges) and access revocation where access is no longer necessary. Higher data classification access requires Multi-Factor Authentication.
•Implement a strong password policy by enforcing the use of sufficiently complex combinations of characters and numbers, length, enforcing periodic password renewal, restrictions on password reuse, ensure passwords are encrypted and incorporate multi-factor where possible.
•Establish, protect, and maintain the integrity of your network, platforms and services by taking steps to detect and prevent successful security incidents like DDoS, viruses, code injections or other malware that can alter the functionality of the systems, or confidentiality, integrity or availability of information and systems, through industry best practice security controls like malware protection, DDoS protection, IDS/IPS, firewalls, vulnerability scanning, patch management.
•Ensure network and information systems and services are subject to regular security testing (e.g. penetration testing, vulnerability scanning, static and dynamic application security testing), including for major upgrades, to identify vulnerabilities that could expose your service to increased risk of malicious intrusion, modification, and unauthorized access to sensitive data.
•Implement a patch management process to ensure updates are performed on systems with critical and high risk vulnerabilities addressed immediately, with all other system flaws, weaknesses or deficiencies identified, reported and remediated in a timely manner.
•Antivirus software must be loaded and operational on all systems processing personal data. Other malware detection techniques should be used where possible (e.g., email scanning, file system scanning, internet traffic scanning, etc.).
•Assets are inventoried, classified and updated when changes occur (i.e. new systems/software introduced, systems decommissioned).
•Establish change and configuration management procedures for key network and information systems to manage configuration securely.
•Implement network and information systems security event logging and monitoring for the offered service using Security Operations Center (SOC), Security Information and Event Management (SIEM), agents to report anomalous behavior at both network and host level.
•Protect logs against modification or tampering.
•Protect the service infrastructure from unauthorized software being installed.
•Ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident (i.e. security incidents and/or data breaches) through effective detection, response and reporting capabilities.
•Provide continuity for the services offered, ability to recover from data loss, protection against compromise, provision of appropriate failover, necessary data retention and an effective data backup policy.
•Use pseudonymisation and encryption to protect the confidentiality of personal data and other sensitive data while in transit or at rest. Encryption should meet industry standard requirements like NIST FIPS 140.
•Ensure personal data removal, deletion and sanitization measures meet appropriate levels of security.
•Service software is developed in a secure way through secure coding practices, following industry best practices (i.e. OWASP Top 10, Secure Coding Standards) including vulnerability analysis.
•Ensure perimeter and internal network protection, maintain physical or logical separation between the perimeter network and internal networks containing personal data. Development and test environments are secured and separated from live production environments.
•Ensure physical security of locations at which personal data is processed including reasonable steps to protect against unauthorized access.
•Devices used for handling Personal Data should not permit data to be written to removable media or to have data read from same nor should they allow printing of Personal data to an unauthorized printer. Such devices should have password protected screensavers implemented and be locked as a matter of course when the user leaves the workstation.
•All important and confidential documentation is removed from the desk and locked away when items are not in use or an employee leaves his/her workstation.
•Remote access to network and information systems is secured through VPN connection while using devices that have been adequately secured against compromise (e.g. through the use of antivirus software and patching devices with available security fixes); and
•Any mobile devices such as laptops, tablets and phones that are used for processing should have either full disk encryption or folder/file level encryption covering the location of Personal Data.

Exhibit B: Data Transfer Agreement Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers) Data Transfer Agreement Between Name of the data exporting organization: Huawei Services (Hong Kong) Co., Limited Address: 9th Floor, Tower 0, Xxx Xxxxxxx, Xx. 0 Xxxxxx Xxxx, Xxxx Xxx Xxxx, Kowloon, Hong Kong and Huawei Services (Hong Kong) Co., Limited on behalf of other Data Controllers (please refer to our website for the controller list) hereinafter "data exporter" And Developer who signed the HUAWEI AppGallery Connect Service Agreement with data exporter and part of the Agreement hereinafter "data importer" each a "party"; together "the parties". Attachment 2

Appears in 1 contract

Samples: terms-dre.platform.dbankcloud.cn


COMPETENT SUPERVISORY AUTHORITY. As set out in Section 5.6 5.7 above
ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The following measures are the minimum required to be implemented by the data importer on the transferred Personal Data:
•Implement Information Security and Privacy Protection policies and procedures for critical assets and business processes in accordance with relevant laws, regulations and aligned to industry standards like ISO27001 or NIST Cyber Security Framework.
•Regularly assess security controls and risks in your information system(s) to determine if the controls are effective in their application, particularly following major changes, security incidents or data breaches.
•Ability to ensure the ongoing confidentiality, integrity, availability and resilience of Personal Data and systems and services that process the Personal Data.
•Manage supplier relationships including security requirements, SLAs, outsourcing agreements for contracts being used as part of the service provision including data processing agreements in place with the sub-processors you use to deliver the services or products in accordance with the GDPR.
•Perform appropriate background checks on personnel (employees, contractors and third party users) before hiring, when needed and legally permitted.
•All relevant personnel should be adequately and regularly trained on security and privacy protection.
•Manage access to protect personal data and systems or services that process and store personal data from unauthorized access following separation of duties and least privilege principles. Access controls should include identity management, authentication of users incorporating a strong password policy, authorization, accountability, network segregation, regular access reviews (i.e. rights and privileges) and access revocation where access is no longer necessary.
•Implement a strong password policy by enforcing the use of sufficiently complex combinations of characters and numbers, length, enforcing periodic password renewal, restrictions on password reuse, ensure passwords are encrypted and incorporate multi-factor where possible.
•Establish, protect, and maintain the integrity of your network, platforms and services by taking steps to detect and prevent successful security incidents like DDoS, viruses, code injections or other malware that can alter the functionality of the systems, or confidentiality, integrity or availability of information and systems, through industry best practice security controls like malware protection, DDoS protection, IDS/IPS, firewalls, vulnerability scanning, patch management.
•Ensure network and information systems and services are subject to regular security testing (e.g. penetration testing, vulnerability scanning, static and dynamic application security testing), including for major upgrades, to identify vulnerabilities that could expose your service to increased risk of malicious intrusion, modification, and unauthorized access to sensitive data.
•Implement a patch management process to ensure updates are performed on systems with critical and high risk vulnerabilities addressed immediately, with all other system flaws, weaknesses or deficiencies identified, reported and remediated in a timely manner.
•Antivirus software must be loaded and operational on all systems processing personal data. Other malware detection techniques should be used where possible (e.g., email scanning, file system scanning, internet traffic scanning, etc.).
•Assets are inventoried, classified and updated when changes occur (i.e. new systems/software introduced, systems decommissioned).
•Establish change and configuration management procedures for key network and information systems to manage configuration securely.
•Implement network and information systems security event logging and monitoring for the offered service using Security Operations Center (SOC), Security Information and Event Management (SIEM), agents to report anomalous behavior at both network and host level.
•Protect logs against modification or tampering.
•Protect the service infrastructure from unauthorized software being installed.
•Ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident (i.e. security incidents and/or data breaches) through effective detection, response and reporting capabilities.
•Provide continuity for the services offered, ability to recover from data loss, protection against compromise, provision of appropriate failover, necessary data retention and an effective data backup policy.
•Use pseudonymisation and encryption to protect the confidentiality of personal data and other sensitive data while in transit or at rest. Encryption should meet industry standard requirements like NIST FIPS 140.
•Ensure personal data removal, deletion and sanitization measures meet appropriate levels of security.
•Service software is developed in a secure way through secure coding practices, following industry best practices (i.e. OWASP Top 10, Secure Coding Standards) including vulnerability analysis.
•Ensure perimeter and internal network protection, maintain physical or logical separation between the perimeter network and internal networks containing personal data. Development and test environments are secured and separated from live production environments.
•Ensure physical security of locations at which personal data is processed including reasonable steps to protect against unauthorized access.
•Devices used for handling Personal Data should not permit data to be written to removable media or to have data read from same nor should they allow printing of Personal data to an unauthorized printer. Such devices should have password protected screensavers implemented and be locked as a matter of course when the user leaves the workstation.
•All important and confidential documentation is removed from the desk and locked away when items are not in use or an employee leaves his/her workstation.
•Remote access to network and information systems is secured through VPN connection while using devices that have been adequately secured against compromise (e.g. through the use of antivirus software and patching devices with available security fixes).

Exhibit BC: Data Transfer Agreement Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers) Data Transfer Agreement Between Name of the data exporting organizationorganisation: Huawei Services (Hong Kong) Co., Limited Address: Room 03, 9th Floor, Tower 0, Xxx Xxxxxxx, Xx. 0 Xxxxxx Xxxx, Xxxx Xxx Xxxx, KowloonXxxxxxx, Hong Kong Xxxx Xxxx (company registration number: 1451551) and Huawei Services (Hong Kong) Co., Limited on behalf of other Data Controllers (please refer to our website for the controller list) hereinafter "data exporter" And Developer who signed the HUAWEI AppGallery Connect Distribution Service Agreement for Paid Apps with data exporter and part of the Agreement hereinafter "data importer" each a "party"; together "the parties".

Appears in 1 contract

Samples: Connect Distribution Service Agreement

COMPETENT SUPERVISORY AUTHORITY. As set out Identify the competent supervisory authority/ies in Section 5.6 above accordance with Clause 13 Irish Data Protection Commission
ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The following measures are the minimum required to be implemented by the data importer on the transferred Personal Data:
•Implement Information Security and Privacy Protection policies and procedures for critical assets and business processes in accordance with relevant laws, regulations and aligned to industry standards like ISO27001 or NIST Cyber Security Framework.
•Regularly assess security controls and risks in your information system(s) to determine if the controls are effective in their application, particularly following major changes, security incidents or data breaches.
•Ability to ensure the ongoing confidentiality, integrity, availability and resilience of Personal Data and systems and services that process the Personal Data.
•Manage supplier relationships including security requirements, SLAs, outsourcing agreements for contracts being used as part of the service provision including data processing agreements in place with the sub-processors you use to deliver the services or products in accordance with the GDPR.
•Perform appropriate background checks on personnel (employees, contractors and third party users) before hiring, when needed and legally permitted.
•All relevant personnel should be adequately and regularly trained on security and privacy protection.
•Manage access to protect personal data and systems or services that process and store personal data from unauthorized access following separation of duties and least privilege principles. Access controls should include identity management, authentication of users incorporating a strong password policy, authorization, accountability, network segregation, regular access reviews (i.e. rights and privileges) and access revocation where access is no longer necessary.
•Implement a strong password policy by enforcing the use of sufficiently complex combinations of characters and numbers, length, enforcing periodic password renewal, restrictions on password reuse, ensure passwords are encrypted and incorporate multi-factor where possible.
•Establish, protect, and maintain the integrity of your network, platforms and services by taking steps to detect and prevent successful security incidents like DDoS, viruses, code injections or other malware that can alter the functionality of the systems, or confidentiality, integrity or availability of information and systems, through industry best practice security controls like malware protection, DDoS protection, IDS/IPS, firewalls, vulnerability scanning, patch management.
•Ensure network and information systems and services are subject to regular security testing (e.g. penetration testing, vulnerability scanning, static and dynamic application security testing), including for major upgrades, to identify vulnerabilities that could expose your service to increased risk of malicious intrusion, modification, and unauthorized access to sensitive data.
•Implement a patch management process to ensure updates are performed on systems with critical and high risk vulnerabilities addressed immediately, with all other system flaws, weaknesses or deficiencies identified, reported and remediated in a timely manner.
•Antivirus software must be loaded and operational on all systems processing personal data. Other malware detection techniques should be used where possible (e.g., email scanning, file system scanning, internet traffic scanning, etc.).
•Assets are inventoried, classified and updated when changes occur (i.e. new systems/software introduced, systems decommissioned).
•Establish change and configuration management procedures for key network and information systems to manage configuration securely.
•Implement network and information systems security event logging and monitoring for the offered service using Security Operations Center (SOC), Security Information and Event Management (SIEM), agents to report anomalous behavior at both network and host level.
•Protect logs against modification or tampering.
•Protect the service infrastructure from unauthorized software being installed.
•Ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident (i.e. security incidents and/or data breaches) through effective detection, response and reporting capabilities.
•Provide continuity for the services offered, ability to recover from data loss, protection against compromise, provision of appropriate failover, necessary data retention and an effective data backup policy.
•Use pseudonymisation and encryption to protect the confidentiality of personal data and other sensitive data while in transit or at rest. Encryption should meet industry standard requirements like NIST FIPS 140.
•Ensure personal data removal, deletion and sanitization measures meet appropriate levels of security.
•Service software is developed in a secure way through secure coding practices, following industry best practices (i.e. OWASP Top 10, Secure Coding Standards) including vulnerability analysis.
•Ensure perimeter and internal network protection, maintain physical or logical separation between the perimeter network and internal networks containing personal data. Development and test environments are secured and separated from live production environments.
•Ensure physical security of locations at which personal data is processed including reasonable steps to protect against unauthorized access.
•Devices used for handling Personal Data should not permit data to be written to removable media or to have data read from same nor should they allow printing of Personal data to an unauthorized printer. Such devices should have password protected screensavers implemented and be locked as a matter of course when the user leaves the workstation.
•All important and confidential documentation is removed from the desk and locked away when items are not in use or an employee leaves his/her workstation.
•Remote access to network and information systems is secured through VPN connection while using devices that have been adequately secured against compromise (e.g. through the use of antivirus software and patching devices with available security fixes).

Exhibit B: Attachment 3 Data Transfer Agreement Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers) Data Transfer This Agreement is made and entered into Between Name of the data exporting organization: Huawei Services (Hong Kong) Co., Limited Address(Company registration number: 9th Floor1451551), Tower a company incorporated under the laws of Hong Kong (China) and having its registered address at Xxxx 00, 0/X, Xxxxx 0, Xxx xxx Xxxxxxx, Xx. 0 Xxxxxx Xxxx, Xxxx Xxx Xxxx, KowloonXxxxxxx, Hong Kong and Huawei Services Xxxx Xxxx (Hong KongXxxxx) Co., Limited on behalf of other ("Data Controllers Exporter") And The entity identified as "Customer" in Agreement (please refer to our website for the controller list"Data Importer") hereinafter "data exporter" And Developer who signed the HUAWEI AppGallery Connect Service Agreement with data exporter and part of the Agreement hereinafter "data importer" each Each a "party"; together "the parties".

Appears in 1 contract

Samples: Petal Ads Services Agreement
