Common use of COMPETENT SUPERVISORY AUTHORITY Clause in Contracts

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard / Practices

- party access is vetted and approved, and access is revoked immediately upon termination.
- Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.
- Staff security. General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks.
- Supplier management. Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.
- Vulnerability management. Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx-xxxxxx. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that the Subprocessor, as detailed in Annex III, is able to provide assistance in meeting obligations under relevant Applicable Data Protection Laws. These include:

- Colocation in Tier IV SSAE 16 Type II certified data centres and ISAE 3402 certified facilities delivering reliable failover design to ensure uninterrupted service in the event of a catastrophe;
- Ability to choose the data centre location, including locations in France and Germany, with backups used to provide disaster recovery capabilities kept in the same region;
- Controlled physical access with onsite 24x7 security, CCTV coverage and biometric access;
- Secure account separation, strong firewall policies and proactive monitoring, with regular vulnerability scans and penetration tests performed by a reputable service provider;
- Management network communications protected by industry-standard encryption algorithms and security protocols;
- Accounts are password protected and accessed via Transport Layer Security (TLS), with role-based access controls; and
- Monitoring and incident response procedures are provided in all locations with 24x7 standby teams.

Appears in 4 contracts

Samples: Data Protection Addendum, Data Protection Addendum, Data Protection Addendum


COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard / Practices

- party access is vetted and approved, and access is revoked immediately upon termination.
- Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.
- Staff security. General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks.
- Supplier management. Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.
- Vulnerability management. Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

Telstra has implemented technical and organizational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx- policy. In addition to the supplier management controls detailed above, the Subprocessor listed in Annex III also employs specific technical and organisational measures to ensure that they are able to provide assistance in meeting obligations under relevant Applicable Data Protection Laws. These include:

- Logs are encrypted in transit to a data center of Customer’s choice, and logs hosted in GCP are encrypted at rest.
- The data centers are secured and protected with state-of-the-art physical and network security, the latter provided by industry leading technology. The Subprocessor has obtained SOC 2 Type II certification and the service is hosted in data centers certified as SOC 2 Type II.
- Rigorous technical and organisational security controls are applied.
- Processing of raw logs is automated.
- Customers can choose a specific regional data center for storage of their logs. Logs and information forwarded to the European data center will remain in the European Union.
- Customers can enable or disable sharing of log types in accordance with their policies, and they can also control access to the firewall logs.
- Internal and external vulnerability scans are run quarterly, and a qualified third party is engaged to conduct the application security assessments.
- Data is physically or logically separated, and Personal Data and end user data is segregated from its other customers’ data.

Appears in 1 contract

Samples: Data Protection Addendum

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard / Practices

- party access is vetted and approved, and access is revoked immediately upon termination.
- Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.
- Staff security. General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks.
- Supplier management. Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.
- Vulnerability management. Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

Telstra has implemented technical and organizational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx- policy. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that transfers to sub-processors, as detailed in Annex I.B and III, are able to provide assistance in meeting obligations under relevant data protection laws. These include:

The Subprocessor involved under Transfers (a) and (b) utilises encryption in transit, use and rest. It provides a number of security features including two-factor authentication, enhanced password requirements, role-based privileges for network administrators, and auditable change logs and alerts. Its back-end architecture maintains state-of-the-art physical, technical and administrative security measures and undergoes annual third party certification audits against industry recognised security standards such as SSAE 18 and ISO 27001. For additional protection, Controller is also able to select to store its data within a cloud based in the EU, and access by the sub-processor to the dashboard is blocked by default and only provided in instances of required troubleshooting.

Appears in 1 contract

Samples: Data Protection Addendum

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard / Practices

- party access is vetted and approved, and access is revoked immediately upon termination.
- Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.
- Staff security. General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks.
- Supplier management. Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.
- Vulnerability management. Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx- policy. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that Subprocessors are able to provide assistance in meeting obligations under relevant Applicable Data Protection Laws. These include:

- Access by Subprocessors involved in Transfer (a): User account details: Username and password are exchanged under the cover of TLS. Any further transactions are authorised via a pseudonymised, unique token-based system and are temporary (expire) to identify Authorised Users, both internally and with relevant Subprocessors.
- Access by the Subprocessors involved in Transfer (a): User account details: Username and password are secured by two-factor authentication and the data is encrypted.
- Data is kept encrypted at rest in an AWS database. TPN configuration is behind a VPN with limited access, and all events are logged for verification purposes. There are multiple levels of encryption and controls in place to prevent AWS from accessing the data.

Appears in 1 contract

Samples: Data Protection Addendum

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard / Practices

- party access is vetted and approved, and access is revoked immediately upon termination.
- Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.
- Staff security. General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks.
- Supplier management. Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.
- Vulnerability management. Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx-xxxxxx. In addition to the security standards detailed above, Telstra also employs the following specific technical security controls to protect transfers:

- For Transfer (a): Information processed as part of the Service, IP addresses are pseudonymised by restricting them to country-level geographic location/s, so that they are not sufficient to identify a person or a location.
- Telstra employs ‘hardening’ of configurations, along with regular patching and vulnerability scans, so that the systems holding all transferred data, as outlined in Annex I, meet security requirements.
- Extensive and resilient business continuity and disaster recovery systems to help ensure the continuity of operations and access to all transferred data listed in Annex I.
- Annual re-certification of systems that hold all transferred data listed in Annex I, which includes an extensive audit of security controls and independent annual security penetration testing to validate the effectiveness of controls.

Appears in 1 contract

Samples: Data Protection Addendum

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard / Practices

- party access is vetted and approved, and access is revoked immediately upon termination.
- Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.
- Staff security. General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks.
- Supplier management. Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.
- Vulnerability management. Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx-xxxxxx. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that transfers to the Subprocessor/s, as detailed in Annex I.B and III, are able to provide assistance in meeting obligations under relevant data protection laws. These include:

The Subprocessor involved under Transfer (a) utilises encryption in transit and during storage, and applies SOC 2 and ISO 27001 standards along with user identification and authorisation controls, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system.

Appears in 1 contract

Samples: Data Protection Addendum

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk based levels to protect the confidentiality, integrity and availability of both Telstra core and customer specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape: Standard Practices party access is vetted and approved, and access is revoked immediately upon termination. Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised unathorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised unathorised entry if power is lost. Staff security General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks. 
Supplier Management Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery. Vulnerability management Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment. Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx-xxxxxx. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that the Subprocessors, as detailed in Annex I.B and III, are able to provide assistance in meeting obligations under relevant Applicable Data Protection Laws.
These include:
- Colocation in Tier IV SSAE 16 Type II certified data centres and ISAE 3402 certified facilities delivering reliable failover design to ensure uninterrupted service in the event of a catastrophe;
- Ability to choose the data centre location including locations in France and Germany with backups used to provide disaster recovery capabilities kept in the same region;
- Controlled physical access with onsite 24x7 security, CCTV coverage and biometric access;
- Secure account separation, strong firewall policies and proactive monitoring with regular vulnerability scans and penetration tests performed by a reputable service provider;
- Management network communications protected by industry-standard encryption algorithms and security protocols;
- Accounts are password protected and accessed via Transport Layer Security (TLS), with role based access controls; and
- Monitoring and incident response procedures are provided in all locations with 24x7 standby teams.

Appears in 1 contract

Samples: Data Protection Addendum

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk based levels to protect the confidentiality, integrity and availability of both Telstra core and customer specific data. The controls and practices detailed in the standards align to relevant industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape: Standard Practices party access is vetted and approved, and access is revoked immediately upon termination. Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost. Staff security General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks.
Supplier Management Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User or Client Personal Data. Contracts: In addition to clauses required under Applicable Data Protection Laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User or Client Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User or Client Personal Data; data loss prevention; and business continuity and disaster recovery. Vulnerability management Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment. Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx-xxxxxx. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that transfers to Subprocessors, as detailed in Annex I.B and III, ensure that the relevant Subprocessor is able to provide assistance in meeting obligations under relevant Applicable Data Protection Laws. These include:
- Access by Subprocessors involved in Transfer (d): CDRs occurs behind Telstra firewalls, on Telstra premises, thereby appl security environment. Where possible, access undertaking as part of Transfer (d): CDRs utilises a pseudonymised unique PIN to identify Authorised Users internally and with relevant Subprocessors. User identification and authorisation controls are applied for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system.
- The Subprocessor involved in Transfer (a): Billing portal applies ISO 27001 standards. Data is also segregated and access control, network access lists, firewalls, including when this Subprocessor partakes in Transfer (d): CDRs.

Appears in 1 contract

Samples: Data Protection Addendum


COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk based levels to protect the confidentiality, integrity and availability of both Telstra core and customer specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape: Standard Practices party access is vetted and approved, and access is revoked immediately upon termination. Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost. Staff security General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks. 
Supplier Management Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery. Vulnerability management Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment. Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx- policy. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that the Subprocessors, as detailed in Annex III, are able to provide assistance in meeting obligations under relevant Applicable Data Protection Laws. These include:
- Security and operational controls based on industry standard practices and certified to meet the guidelines of PCI, SOC 2 Type 2, ISO 27001, and HIPAA.
- Information security and awareness programs are in place and re-delivered annually
- Logical separation controls based on industry standards are used to ensure that customer data is logically separated from other customer data within cloud services environment
- The deployment spans across separate data centres providing optimal availability of the cloud services and leverages the distributed nature of the infrastructure to enable full multi-site disaster recovery by operating in multiple availability zones.
- Access controls are implemented to ensure that only authorised Telstra user accounts have access to Customer data within the cloud environment.

Appears in 1 contract

Samples: Data Protection Addendum

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk based levels to protect the confidentiality, integrity and availability of both Telstra core and customer specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape: Standard Practices party access is vetted and approved, and access is revoked immediately upon termination. Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost. Staff security General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks.
Supplier Management Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery. Vulnerability management Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment. Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx-xxxxxx. In addition to the security standards detailed above, Telstra also employs the following specific technical security controls to protect transfers:
− For Transfer (a): Information processed as part of the Service, IP addresses are pseudonymised by restricting them to country-level geographic location/s, so that they are not sufficient to identify a person or a location.
− Telstra employs ‘hardening’ of configurations, along with regular patching and vulnerability scans, so that the systems holding all transferred data, as outlined in Annex I, meet security requirements.
− Extensive and resilient business continuity and disaster recovery systems to help ensure the continuity of operations and access to all transferred data listed in Annex I.
− Annual re-certification of systems that hold all transferred data listed in Annex I, which includes an extensive audit of security controls and independent annual security penetration testing to validate the effectiveness of controls.

Appears in 1 contract

Samples: Data Protection Addendum

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk based levels to protect the confidentiality, integrity and availability of both Telstra core and customer specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape: Standard Practices party access is vetted and approved, and access is revoked immediately upon termination. Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost. Staff security General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks. 
Supplier Management Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery. Vulnerability management Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment. Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx-xxxxxx. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that the Subprocessors, as detailed in Annex III, are able to provide assistance in meeting obligations under relevant Applicable Data Protection Laws. These include:
- The IGC does not record personal information of an end user against the services, using network identifiers for individual services instead. Encryption is used both in transit and at rest using methods such as Transport Layer Security (TLS), for example, Hypertext Transfer Protocol Secure (HTTPS) and Secure File Transfer Protocol (SFTP), Internet Protocol Security (IPsec), Virtual Private Networks (VPNs) and hardware encryption. Where local storage solutions are not encrypted, the confidentiality of the data is protected by physical access controls and routines for handling secure disposal of removable media. Local storage is only used for storage of unconsolidated data for shorter time frames. Backups are stored within the production platform in the redundant site and are encrypted. IGC components are constantly monitored by the Subprocessors’ Security Incident Response Team, ensuring that all components are updated against vulnerabilities and latest remedial actions. IGC uses enforced password change, complex password security controls, locking of user accounts, session time-outs, role-based access and user log on history by default to prevent unauthorized access. Operators can further enable optional controls to further increase security such as CAPTCHA code, two-step authentication, and password aging. All IGC equipment is hosted in physically secured tier 3 data centres provided by third parties. The multi-tenant IGC data centres are ISO 27001 Information Security Management and ISO 22301 Business Continuity Management certified.
- Subprocessor responsible for Transfer (b): Portal configuration and activity, complies with ISO/IEC 27001:2013.

Appears in 1 contract

Samples: Data Protection Addendum

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies. Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk based levels to protect the confidentiality, integrity and availability of both Telstra core and customer specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape: Standard Practices party access is vetted and approved, and access is revoked immediately upon termination. Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost. Staff security General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks. 
Supplier Management Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery. Vulnerability management Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment. Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s privacy statement, available at Xxx.xx/xxxxxxx-xxxxxx. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that the Subprocessor, as detailed in Annex III, is able to provide assistance in meeting obligations under relevant Applicable Data Protection Laws. 
These include:
- Colocation in Tier IV SSAE 16 Type II certified data centres and ISAE 3402 certified facilities delivering reliable failover design to ensure uninterrupted service in the event of a catastrophe;
- Ability to choose the data centre location including locations in France and Germany with backups used to provide disaster recovery capabilities kept in the same region;
- Controlled physical access with onsite 24x7 security, CCTV coverage and biometric access;
- Secure account separation, strong firewall policies and proactive monitoring with regular vulnerability scans and penetration tests performed by a reputable service provider;
- Management network communications protected by industry-standard encryption algorithms and security protocols;
- Accounts are password protected and accessed via Transport Layer Security (TLS), with role based access controls; and
- Monitoring and incident response procedures are provided in all locations with 24x7 standby teams.

Appears in 1 contract

Samples: Data Protection Addendum
