Common use of COMPETENT SUPERVISORY AUTHORITY Clause in Contracts

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter …

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … Description MODULE TWO: Transfer Controller to Processor MODULE THREE: Transfer Processor to Processor TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA Encryption of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measurespersonal data: Measures that enable one to convert clearly legible information into an illegible string by means of pseudonymisation and encryption of personal data a cryptographic process. Measures for ensuring ongoing confidentialityConfidentiality, integrity, availability and resilience of processing systems and services services: Measures for ensuring the ability to restore the availability and access to personal data the Lyve Cloud Services system in a timely manner in the event of a physical or technical incident incident: Measures that ensure the possibility to quickly restore the system in the event of a physical or technical incident. Processes for regularly testing, assessing assessing, and evaluating the effectiveness of technical and organisational organizational measures of the Lyve Cloud Services in order to ensure the security of the processing processing: Measures for user identification and authorisation authorisation: Measures for the protection of data Data during transmission to Lyve Cloud Services: Measures for the protection of data Company Personal Information during storage storage: Measures for ensuring physical security of locations at which personal data Company Personal Information are processed processed: Measures for ensuring events logging logging: Measures for ensuring system configuration, including default configuration: Measures to ensure that all in-scope systems and devices are compliant with baseline configuration settings. Measures for internal IT Information Technology (“IT”) and IT security governance and management management: Measures for certification/assurance of processes and products products: Measures for ensuring data minimisation minimization: Measures to reduce the amount of data collected. Measures for ensuring data quality quality: Measures to ensure that the data pipeline creates and sustains good data quality. Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter …retention:

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter …

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to ] 1. Name: … Address: … Contact person's name, position and contact details: … Description of processing (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from including a processor to a clear delimitation of responsibilities in case several sub-processor, to the data exporter processors are authorised): …

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter …

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies authorities in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter …exporter. 1. Name: Amazon Address: 000 Xxxxx Xxx. North, Seatle WA 00000-0000 Contact person’s name, position and contact details: General Counsel, Amazon, 000 Xxxxx Xxx. North, Seatle WA 98109-5210 Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Amazon provides DNS and legacy backup storage for Subscriber sites hosted on the Pantheon platform. 2. Name: Fastly Address: X.X. Xxx 00000, Xxx Xxxxxxxxx, XX 00000 Contact person’s name, position and contact details: General Counsel, Fastly, X.X. Xxx 00000, Xxx Xxxxxxxxx, XX 00000 Description of processing (including a clear delimitation of responsibility in case several subprocessors are authorized): Fastly provides a CDN and edge cache for Subscriber sites hosted on the Pantheon platform. 3. Name: Google Cloud Platform Address: Google, LLC, 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, Xxxxxxxxxx 00000 Contact person’s name, position and contact details: General Counsel, Google, LLC, 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, Xxxxxxxxxx 00000 Description of processing (including a clear delimitation of responsibility in case several subprocessors are authorized): GCP provides database, file hosting and storage of backups. 4. Name: LogzIO Address: HaArba’a Xxxxxx, 00 Xxx Xxxx – Yafo Israel Contact person’s name, position and contact details: General Counsel, LogzIO, HaArba’a Xxxxxx, 00 Xxx Xxxx – Yafo Israel Description of processing (including a clear delimitation of responsibility in case several subprocessors are authorized): LogzIO provides log aggregation and search capability for Subscriber websites. 5. Name: New Relic Address: 000 Xxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000 Contact person’s name, position and contact details: General Counsel, New Relic, 000 Xxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000 Description of processing (including a clear delimitation of responsibility in case several subprocessors are authorized): New Relic provides site performance analytics with regard to Subscriber websites. 6. Name: Pingdom Address: Xxxxxxxxxxxxxx 00 00xx Xxxxx, 000 00 Xxxxxxxxx, Xxxxxx Contact person’s name, position and contact details: General Counsel, Pingdom, Xxxxxxxxxxxxxx 00 00xx Xxxxx, 000 00 Xxxxxxxxx, Xxxxxx Description of processing (including a clear delimitation of responsibility in case several subprocessors are authorized): 7. Name: Rackspace Address:1 Fanatical Place, City of Windcrest, Xxx Xxxxxxx, Xxxxx 00000 Contact person’s name, position and contact details: General Counsel, Mail Stop US 109-2301, Rackspace US, Inc., 0 Xxxxxxxxx Xxxxx, Xxxx of Windcrest, Xxx Xxxxxxx, Xxxxx 00000 Description of processing (including a clear delimitation of responsibility in case several subprocessors are authorized): Rackspace provides detection, prevention and resolution of security and technical issues as provided under the applicable Subscriber agreement for Services. 8. Name: Sentry Address: 000 Xxxxxxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000 Contact person’s name, position and contact details: General Counsel, Sentry, 000 Xxxxxxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000 Description of processing (including a clear delimitation of responsibility in case several subprocessors are authorized): Sentry provides services enabling logging of requests for Subscriber to receive technical support. 9. Name: Tesorio

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter …exporter.

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. If you have enquiries about the British Council possible measure for this Agreement, then please contact the British Council’s Information Governance & Risk Management Team (XxxxXxxxxxxxxx@xxxxxxxxxxxxxx.xxx) for further guidance - Delete this paragraph before finalising and signing the Agreement [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter …For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies authorities in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter …exporter. 1. Name: Amazon Address: 000 Xxxxx Xxx. North, Seatle WA 00000-0000 Contact person’s name, position and contact details: General Counsel, Amazon, 000 Xxxxx Xxx. North, Seatle WA 98109-5210 Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Amazon provides DNS and legacy backup storage for Subscriber sites hosted on the Pantheon platform. 2. Name: Fastly Address: P.O. Xxx 00000, Xxx Xxxxxxxxx, XX 00000 Contact person’s name, position and contact details: General Counsel, Fastly, P.O. Xxx 00000, Xxx Xxxxxxxxx, XX 00000 Description of processing (including a clear delimitation of responsibility in case several sub-processors are authorised): Fastly provides a CDN and edge cache for Subscriber sites hosted on the Pantheon platform. 3. Name: Google Cloud Platform Address: Google, LLC, 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, Xxxxxxxxxx 00000 Contact person’s name, position and contact details: General Counsel, Google, LLC, 0000 Xxxxxxxxxxxx Xxxxxxx, Xxxxxxxx Xxxx, Xxxxxxxxxx 00000 Description of processing (including a clear delimitation of responsibility in case several sub-processors are authorised): GCP provides database, file hosting and storage of backups. 4. Name: LogzIO Address: XxXxxx’x Xxxxxx, 00 Xxx Xxxx – Xxxx Israel Contact person’s name, position and contact details: General Counsel, LogzIO, XxXxxx’x Xxxxxx, 00 Xxx Xxxx – Xxxx Xxxxxx Description of processing (including a clear delimitation of responsibility in case several sub-processors are authorised): LogzIO provides log aggregation and search capability for Subscriber websites. 5. Name: New Relic Address: 000 Xxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000 Contact person’s name, position and contact details: General Counsel, New Relic, 000 Xxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000 Description of processing (including a clear delimitation of responsibility in case several sub-processors are authorised): New Relic provides site performance analytics with regard to Subscriber websites. 6. Name: Pingdom Address: Xxxxxxxxxxxxxx 00 00xx Xxxxx, 000 00 Xxxxxxxxx, Xxxxxx Contact person’s name, position and contact details: General Counsel, Pingdom, Xxxxxxxxxxxxxx 00 00xx Xxxxx, 000 00 Xxxxxxxxx, Xxxxxx Description of processing (including a clear delimitation of responsibility in case several sub-processors are authorised): 7. Name: Rackspace Address:0 Xxxxxxxxx Xxxxx, Xxxx xx Xxxxxxxxx, Xxx Xxxxxxx, Xxxxx 00000 Contact person’s name, position and contact details: General Counsel, Mail Stop US 109-2301, Rackspace US, Inc., 0 Xxxxxxxxx Xxxxx, Xxxx xx Xxxxxxxxx, Xxx Xxxxxxx, Xxxxx 00000 Description of processing (including a clear delimitation of responsibility in case several sub-processors are authorised): Rackspace provides detection, prevention and resolution of security and technical issues as provided under the applicable Subscriber agreement for Services. 8. Name: Sentry Address: 000 Xxxxxxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000 Contact person’s name, position and contact details: General Counsel, Sentry, 000 Xxxxxxxxx Xxxxxx, Xxx Xxxxxxxxx, XX 00000 Description of processing (including a clear delimitation of responsibility in case several sub-processors are authorised): Sentry provides services enabling logging of requests for Subscriber to receive technical support. 9. Name: Tesorio Address: 000 Xxxxxx Xxxx, Xxxxxxxxxx, XX 00000 Contact person’s name, position and contact details: General Counsel, Tesorio, 000 Xxxxxx Xxxx, Xxxxxxxxxx, XX 00000 Description of processing (including a clear delimitation of responsibility in case several sub-processors are authorised): Tesorio provides a workflow tool for accounts receivable. 10. Name: Cloudflare Address: 000 Xxxxxxxx Xxxxxx, San Francisco, CA 94107 Contact person's name, position and contact details: General Counsel, 000 Xxxxxxxx Xxxxxx, San Francisco, CA 94107 Description of processing (including a clear delimitation of responsibility in case several sub-processors are authorised): Cloudflare provides a CDN and edge cache for Subscriber sites hosted on the Pantheon platform. 11. Name: Splunk, Inc. Address: 000 Xxxxxxx Xx., San Francisco, CA 94107 Contact person's name, position and contact details: Xxxxxxxxx Xxxxxx, Splunk Global Data Protection Officer; XXX@xxxxxx.xxx Description of processing (including a clear delimitation of responsibility in case several sub-processors are authorised): Splunk provides security log collection activities for the Pantheon enterprise services. International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (only applicable to Customers based in the United Kingdom or collecting data from UK individuals)

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter …exporter

COMPETENT SUPERVISORY AUTHORITY. Identify the competent supervisory authority/ies in accordance with Clause 13 … Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter exporter 1. Name: … Address: … Contact person’s name, position and contact details: … Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): … 2. APPENDIX 1 To Supplier Data Privacy and Protection Agreement REQUIREMENTS OF SECTION 11 – GERMAN FEDERAL DATA PROTECTION ACT (“FDPA”)

COMPETENT SUPERVISORY AUTHORITY. Identify the The competent supervisory authority/ies authority is the Autoriteit Persoonsgegevens, the Data Protection Authority of the Netherlands. The technical and organizational measures to be implemented and maintained by Supplier are as described in accordance with Clause 13 … Description the main body of the MDPA and the Information Security Exhibit. Without limiting Supplier’s obligations under the MDPA, Supplier shall ensure that each subprocessor implements and maintains, at a minimum, the technical and organisational organizational measures implemented by that Supplier is required to implement pursuant to the data importer(s) (MDPA, including any relevant certifications) to ensure an appropriate level of security, taking into account those measures described in the nature, scope, context Information Security Exhibit and purpose of shall include the processing, and the risks for the rights and freedoms of natural persons. [Examples of possible measuresfollowing: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services ser- vices Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe erasure ATTACHMENT E GLOSSARY OF TERMS All capitalized terms not defined in this Glossary have the specific technical and organisational measures to be taken by meanings set forth elsewhere in the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter …MDPA.