Common use of COMPETENT SUPERVISORY AUTHORITY Clause in Contracts

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of personal data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Access Control
- User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access Client Personal Data.
- Identification: Telstra users are granted a unique ID before being granted access to any systems containing Client Personal Data, so that access is logged and monitored.
- Role assignment and role-based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Client Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Client Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
- Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
- Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
- Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or to Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
- Process and procedures: Telstra does not permit Client Personal Data to be used for development purposes; non-production and production environments must be separated and, at a minimum, enforce logical isolation.
- System and server configuration: Telstra maintains security configuration baselines consistent with industry-accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Client Personal Data from being exported to unauthorised users.

Cryptography
- Cryptographic algorithms: Only Telstra-approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
- Information classification: Client Personal Data is classified as such to meet applicable requirements under Applicable Data Protection Laws. This enables Telstra to remove Client Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of Personal Data in datasets, using approved algorithms or software.
- Information handling: Telstra staff must protect Client Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see the customer data that they require for their role.

Incident Management
- Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training for all staff with security breach response responsibilities.

Logging and monitoring
- Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Client Personal Data. Logs for systems that store, process, or transmit Personal Data are continually reviewed.

Network security
- Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
- Facility controls: Telstra limits and monitors physical access to systems containing Client Personal Data by requiring that access is authorised and based on individual job functions, any third party access is vetted and approved, and access is revoked immediately upon termination.
- Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
- General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
- Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
- Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Client Personal Data.
- Contracts: In addition to clauses required under Applicable Data Protection Laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Client Personal Data.
- Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Client Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management
- Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems.
- Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures for transfers to Subprocessors, as detailed in Annex I.B and III, to ensure that the relevant Subprocessor is able to provide assistance in meeting obligations under Applicable Data Protection Laws. These include:
- Access by Subprocessors involved in Transfer (d): CDRs occurs behind Telstra firewalls, on Telstra premises, thereby applying the above controls relating to Telstra’s security environment. Where possible, access undertaken as part of Transfer (d): CDRs utilises a pseudonymised unique PIN to identify Clients’ end users, both internally and with relevant Subprocessors.
- User identification and authorisation controls are applied for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system.
- The Subprocessor involved in Transfer (a): Billing portal data applies ISO 27001 standards. Data is also segregated and protected by access control, network access lists and firewalls, including when this Subprocessor partakes in Transfer (d): CDRs.

Appears in 1 contract

Samples: www.telstra.com.sg


COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Access Control
- User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access Authorised User Personal Data.
- Identification: Telstra users are granted a unique ID before being granted access to any systems containing Authorised User Personal Data, so that access is logged and monitored.
- Role assignment and role-based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Authorised User Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Authorised User Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
- Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
- Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
- Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or to Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
- Process and procedures: Telstra does not permit Authorised User Personal Data to be used for development purposes; non-production and production environments must be separated and, at a minimum, enforce logical isolation.
- System and server configuration: Telstra maintains security configuration baselines consistent with industry-accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Authorised User Personal Data from being exported to unauthorised users.

Cryptography
- Cryptographic algorithms: Only Telstra-approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
- Information classification: Authorised User Personal Data is classified as such to meet applicable requirements under Applicable data protection laws. This enables Telstra to remove Authorised User Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of Personal Data in datasets, using approved algorithms or software.
- Information handling: Telstra staff must protect Authorised User Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see the customer data that they require for their role.

Incident Management
- Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training for all staff with security breach response responsibilities.

Logging and monitoring
- Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Authorised User Personal Data. Logs for systems that store, process, or transmit Authorised User Personal Data are continually reviewed.

Network security
- Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
- Facility controls: Telstra limits and monitors physical access to systems containing Authorised User Personal Data by requiring that access is authorised and based on individual job functions, any third party access is vetted and approved, and access is revoked immediately upon termination.
- Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
- General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
- Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
- Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Authorised User Personal Data.
- Contracts: In addition to clauses required under Applicable data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Authorised User Personal Data.
- Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management
- Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems.
- Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Xxx.xx/xxxxxxx-xxxxxx.

In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures for transfers to Subprocessors, as detailed in Annex I.B and III, to ensure that the relevant Subprocessors are able to provide assistance in meeting obligations under Applicable Data Protection Laws. These include:
- Access by Subprocessors involved in Transfer (d): CDRs occurs behind Telstra firewalls, on Telstra premises, thereby applying the above controls relating to Telstra’s security environment. Where possible, access undertaken as part of Transfer (d): CDRs utilises a pseudonymised unique PIN to identify Clients’ end Authorised Users, both internally and with relevant Subprocessors.
- User identification and authorisation controls are applied for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system.
- The Subprocessor involved in Transfer (a): Billing portal data applies ISO 27001 standards. Data is also segregated and protected by access control, network access lists and firewalls, including when this Subprocessor partakes in Transfer (d): CDRs.

Appears in 1 contract

Samples: www.telstra.co.uk

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Access Control
- User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access Network User and Authorised User Personal Data.
- Identification: Telstra users are granted a unique ID before being granted access to any systems containing Network User and Authorised User Personal Data, so that access is logged and monitored.
- Role assignment and role-based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Network User and Authorised User Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Network User and Authorised User Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
- Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
- Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
- Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or to Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
- Process and procedures: Telstra does not permit Network User and Authorised User Personal Data to be used for development purposes; non-production and production environments must be separated and, at a minimum, enforce logical isolation.
- System and server configuration: Telstra maintains security configuration baselines consistent with industry-accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Network User and Authorised User Personal Data from being exported to unauthorised users.

Cryptography
- Cryptographic algorithms: Only Telstra-approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
- Information classification: Network User and Authorised User Personal Data is classified as such to meet applicable requirements under Applicable data protection laws. This enables Telstra to remove Network User and Authorised User Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of Personal Data in datasets, using approved algorithms or software.
- Information handling: Telstra staff must protect Network User and Authorised User Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see the customer data that they require for their role.

Incident Management
- Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training for all staff with security breach response responsibilities.

Logging and monitoring
- Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Network User and Authorised User Personal Data. Logs for systems that store, process, or transmit Network User and Authorised User Personal Data are continually reviewed.

Network security
- Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
- Facility controls: Telstra limits and monitors physical access to systems containing Network User and Authorised User Personal Data by requiring that access is authorised and based on individual job functions, any third party access is vetted and approved, and access is revoked immediately upon termination.
- Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
- General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
- Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
- Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data.
- Contracts: In addition to clauses required under Applicable data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data.
- Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management
- Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems.
- Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Xxx.xx/xxxxxxx-xxxxxx.

In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures for transfers to the Subprocessor, as detailed in Annex I.B and III, to ensure that the relevant Subprocessor is able to provide assistance in meeting obligations under relevant Applicable Data Protection Laws. These include:
- Colocation in Tier IV SSAE 16 Type II certified data centres and ISAE 3402 certified facilities delivering reliable failover design to ensure uninterrupted service in the event of a catastrophe;
- Ability to choose the data centre location, including locations in France and Germany, with backups used to provide disaster recovery capabilities kept in the same region;
- Controlled physical access with onsite 24x7 security, CCTV coverage and biometric access;
- Secure account separation, strong firewall policies and proactive monitoring, with regular vulnerability scans and penetration tests performed by a reputable service provider;
- Management network communications protected by industry-standard encryption algorithms and security protocols;
- Accounts are password protected and accessed via Transport Layer Security (TLS), with role-based access controls; and
- Monitoring and incident response procedures are provided in all locations with 24x7 standby teams.

Appears in 1 contract

Samples: www.telstra.com.sg

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to relevant industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Access Control
- User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access Client Personal Data.
- Identification: Telstra users are granted a unique ID before being granted access to any systems containing Authorised User or Client Personal Data, so that access is logged and monitored.
- Role assignment and role-based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Authorised User or Client Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Authorised User or Client Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
- Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
- Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
- Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or to Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
- Process and procedures: Telstra does not permit Authorised User or Client Personal Data to be used for development purposes; non-production and production environments must be separated and, at a minimum, enforce logical isolation.
- System and server configuration: Telstra maintains security configuration baselines consistent with industry-accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Authorised User or Client Personal Data from being exported to unauthorised users.

Cryptography
- Cryptographic algorithms: Only Telstra-approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
- Information classification: Authorised User or Client Personal Data is classified as such to meet applicable requirements under Applicable Data Protection Laws. This enables Telstra to remove Authorised User or Client Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of Personal Data in datasets, using approved algorithms or software.
- Information handling: Telstra staff must protect Authorised User or Client Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see the customer data that they require for their role.

Incident Management
- Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training for all staff with security breach response responsibilities.

Logging and monitoring
- Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Authorised User or Client Personal Data. Logs for systems that store, process, or transmit Authorised User or Client Personal Data are continually reviewed.

Network security
- Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
- Facility controls: Telstra limits and monitors physical access to systems containing Authorised User or Client Personal Data by requiring that access is authorised and based on individual job functions, any third party access is vetted and approved, and access is revoked immediately upon termination.
- Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
- General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
- Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
- Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Authorised User or Client Personal Data.
- Contracts: In addition to clauses required under Applicable Data Protection Laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Authorised User or Client Personal Data.
- Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Authorised User or Client Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management
- Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems.
Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that transfers to Subprocessors, as detailed in Annex I.B and III, ensure that the relevant Subprocessor is able to provide assistance in meeting obligations under Applicable Data Protection Laws. These include: Access by Subprocessors involved in Transfer (d): CDRS occurs behind Telstra firewalls, on Telstra premises, thereby applying the above controls relating to Telstra’s appl security environment. Where possible, access undertaking as part of Transfer (d): CDRs utilises a pseudenoymised unique PIN to identify Clients’ end Authorised Us internally and with relevant Subprocessors. User identification and authorisation controls are applied for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system. The Subprocessor involved in Transfer (a): Billing portal data applies ISO 27001 standards. Data is also segregated and protected by access control, network access lists, firewalls, including when this Subprocessor partakes in Transfer (d): CDRs.

Appears in 1 contract

Samples: www.telstra.co.uk

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard Practices

Access Control
User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access any Authorised User Personal Data.
Identification: Telstra users are granted a unique ID before being granted access to any systems containing Authorised User Personal Data, so that access is logged and monitored.
Role assignment and role-based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Authorised User Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Authorised User Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
Process and procedures: Telstra does not permit Authorised User Personal Data to be used for development purposes – non-production and production environments must be separated and, at a minimum, enforce logical isolation.
System and server configuration: Telstra maintains security configuration baselines consistent with industry-accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Authorised User Personal Data from being exported to unauthorised users.

Cryptography
Cryptographic algorithms: Only Telstra-approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
Information classification: Authorised User Personal Data is classified as such to meet applicable requirements under data protection laws. This enables Telstra to remove Authorised User Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of personal data in datasets, using approved algorithms or software.
Information handling: Telstra staff must protect Authorised User Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see customer data that they require for their role.

Incident Management
Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training for all staff with security breach response responsibilities.

Logging and monitoring
Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Authorised User Personal Data. Logs for systems that store, process, or transmit Authorised User Personal Data are continually reviewed.

Network security
Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
Facility controls: Telstra limits and monitors physical access to systems containing Authorised User Personal Data by requiring that access is authorised and based on individual job functions, any third-party access is vetted and approved, and access is revoked immediately upon termination.
Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Authorised User Personal Data.
Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Authorised User Personal Data.
Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management
Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems.
Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that transfers to the Subprocessor/s, as detailed in Annex I.B and III, ensure that the relevant Subprocessor/s are able to provide assistance in meeting obligations under relevant data protection laws. These include: The Subprocessor involved under Transfer (a) utilises encryption in transit and during storage, on Telstra premises, thereby applying the above controls relating to Telstra’s security environment. Where possible, access undertaken as part of Transfer (d): CDRs utilises a pseudonymised unique PIN to identify Clients’ end Authorised Users internally and with relevant Subprocessors. The Subprocessor applies SOC 2 and ISO 27001 standards along with user identification and authorisation controls for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system. The Subprocessor involved in Transfer (a): Billing portal data applies ISO 27001 standards. Data is also segregated and protected by access control, network access lists and firewalls, including when this Subprocessor partakes in Transfer (d): CDRs.

ANNEX III

Appears in 1 contract

Samples: www.telstra.com.sg

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies, and the United Kingdom Information … GDPR applies.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard Practices

Access Control
User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access any Network User and Authorised User Personal Data.
Identification: Telstra users are granted a unique ID before being granted access to any systems containing Network User and Authorised User Personal Data, so that access is logged and monitored.
Role assignment and role-based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Network User and Authorised User Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Network User and Authorised User Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
Process and procedures: Telstra does not permit Network User and Authorised User Personal Data to be used for development purposes – non-production and production environments must be separated and, at a minimum, enforce logical isolation.
System and server configuration: Telstra maintains security configuration baselines consistent with industry-accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Network User and Authorised User Personal Data from being exported to unauthorised users.

Cryptography
Cryptographic algorithms: Only Telstra-approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
Information classification: Network User and Authorised User Personal Data is classified as such to meet applicable requirements under data protection laws. This enables Telstra to remove Network User and Authorised User Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of Personal Data in datasets, using approved algorithms or software.
Information handling: Telstra staff must protect Network User and Authorised User Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see customer data that they require for their role.

Incident Management
Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training for all staff with security breach response responsibilities.

Logging and monitoring
Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Network User and Authorised User Personal Data. Logs for systems that store, process, or transmit Network User and Authorised User Personal Data are continually reviewed.

Network security
Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
Facility controls: Telstra limits and monitors physical access to systems containing Client Personal Data by requiring that access is authorised and based on individual job functions, any third-party access is vetted and approved, and access is revoked immediately upon termination.
Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Client Personal Data.
Contracts: In addition to clauses required under Applicable Data Protection Laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Client Personal Data.
Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Client Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management
Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems.
Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that transfers to Subprocessors, as detailed in Annex I.B and III, ensure that the relevant Subprocessor is able to provide assistance in meeting obligations under Applicable Data Protection Laws. These include: Access by Subprocessors involved in Transfer (d): CDRs occurs behind Telstra firewalls, on Telstra premises, thereby applying the above controls relating to Telstra’s security environment. Where possible, access undertaken as part of Transfer (d): CDRs utilises a pseudonymised unique PIN to identify Clients’ end Authorised Users internally and with relevant Subprocessors. User identification and authorisation controls are applied for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system. The Subprocessor involved in Transfer (a): Billing portal data applies ISO 27001 standards. Data is also segregated and protected by access control, network access lists and firewalls, including when this Subprocessor partakes in Transfer (d): CDRs.

Appears in 1 contract

Samples: www.telstra.com.sg

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to relevant industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard Practices

Access Control
User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access any Client Personal Data.
Identification: Telstra users are granted a unique ID before being granted access to any systems containing Authorised User or Client Personal Data, so that access is logged and monitored.
Role assignment and role-based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Authorised User or Client Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Authorised User or Client Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
Process and procedures: Telstra does not permit Authorised User or Client Personal Data to be used for development purposes – non-production and production environments must be separated and, at a minimum, enforce logical isolation.
System and server configuration: Telstra maintains security configuration baselines consistent with industry-accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Authorised User or Client Personal Data from being exported to unauthorised users.

Cryptography
Cryptographic algorithms: Only Telstra-approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
Information classification: Authorised User or Client Personal Data is classified as such to meet applicable requirements under Applicable Data Protection Laws. This enables Telstra to remove Authorised User or Client Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of Personal Data in datasets, using approved algorithms or software.
Information handling: Telstra staff must protect Authorised User or Client Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see customer data that they require for their role.

Incident Management
Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training for all staff with security breach response responsibilities.

Logging and monitoring
Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Authorised User or Client Personal Data. Logs for systems that store, process, or transmit Authorised User or Client Personal Data are continually reviewed.

Network security
Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
Facility controls: Telstra limits and monitors physical access to systems containing Client Personal Data by requiring that access is authorised and based on individual job functions, any third-party access is vetted and approved, and access is revoked immediately upon termination.
Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Client Personal Data.
Contracts: In addition to clauses required under Applicable Data Protection Laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Client Personal Data.
Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Client Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management
Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems.
Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that transfers to Subprocessors, as detailed in Annex I.B and III, ensure that the relevant Subprocessor is able to provide assistance in meeting obligations under Applicable Data Protection Laws. These include: Access by Subprocessors involved in Transfer (d): CDRs occurs behind Telstra firewalls, on Telstra premises, thereby applying the above controls relating to Telstra’s security environment. Where possible, access undertaken as part of Transfer (d): CDRs utilises a pseudonymised unique PIN to identify Clients’ end Authorised Users internally and with relevant Subprocessors. User identification and authorisation controls are applied for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system. The Subprocessor involved in Transfer (a): Billing portal data applies ISO 27001 standards. Data is also segregated and protected by access control, network access lists and firewalls, including when this Subprocessor partakes in Transfer (d): CDRs.

Appears in 1 contract

Samples: www.telstra.com.sg

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of personal data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard Practices

Access Control
User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access any Client personal data.
Identification: Telstra users are granted a unique ID before being granted access to any systems containing Client Personal Data, so that access is logged and monitored.
Role assignment and role based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Client Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Client Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
Process and procedures: Telstra does not permit Client Personal Data to be used for development purposes; non-production and production environments must be separated and, at a minimum, enforce logical isolation.
System and server configuration: Telstra maintains security configuration baselines consistent with industry accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Client Personal Data from being exported to unauthorised users.

Cryptography
Cryptographic algorithms: Only Telstra approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
Information classification: Client Personal Data is classified as such to meet applicable requirements under Applicable Data Protection Laws. This enables Telstra to remove Client Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of Personal Data in datasets, using approved algorithms or software.
Information handling: Telstra staff must protect Client Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see customer data that they require for their role.

Incident Management
Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training to all staff with security breach response responsibilities.

Logging and monitoring
Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Client Personal Data. Logs for systems that store, process, or transmit Personal Data are continually reviewed.

Network security
Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
Facility controls: Telstra limits and monitors physical access to systems containing Client Personal Data by requiring that access is authorised and based on individual job functions, any third party access is vetted and approved, and access is revoked immediately upon termination.
Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Client Personal Data.
Contracts: In addition to clauses required under Applicable Data Protection Laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Client Personal Data.
Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Client Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management
Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems.
Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that, for transfers to Subprocessors as detailed in Annex I.B and III, the relevant Subprocessor is able to provide assistance in meeting obligations under Applicable Data Protection Laws. These include:
− Access by Subprocessors involved in Transfer (d): CDRs occurs behind Telstra firewalls, on Telstra premises, thereby applying the above controls relating to Telstra’s security environment. Where possible, access undertaken as part of Transfer (d): CDRs utilises a pseudonymised unique PIN to identify Clients’ end users, both internally and with relevant Subprocessors.
− User identification and authorisation controls are applied for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system.
− The Subprocessor involved in Transfer (a): Billing portal data applies ISO 27001 standards. Data is also segregated and protected by access control, network access lists and firewalls, including when this Subprocessor partakes in Transfer (d): CDRs.

Appears in 1 contract

Samples: www.telstra.com.sg


COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard Practices

Access Control
User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access any Network User and Authorised User Personal Data.
Identification: Telstra users are granted a unique ID before being granted access to any systems containing Network User and Authorised User Personal Data, so that access is logged and monitored.
Role assignment and role based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Network User and Authorised User Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Network User and Authorised User Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
Process and procedures: Telstra does not permit Network User and Authorised User Personal Data to be used for development purposes; non-production and production environments must be separated and, at a minimum, enforce logical isolation.
System and server configuration: Telstra maintains security configuration baselines consistent with industry accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Network User and Authorised User Personal Data from being exported to unauthorised users.

Cryptography
Cryptographic algorithms: Only Telstra approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
Information classification: Network User and Authorised User Personal Data is classified as such to meet applicable requirements under data protection laws. This enables Telstra to remove Network User and Authorised User Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of Personal Data in datasets, using approved algorithms or software.
Information handling: Telstra staff must protect Network User and Authorised User Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see customer data that they require for their role.

Incident Management
Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training to all staff with security breach response responsibilities.

Logging and monitoring
Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Network User and Authorised User Personal Data. Logs for systems that store, process, or transmit Network User and Authorised User Personal Data are continually reviewed.

Network security
Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
Facility controls: Telstra limits and monitors physical access to systems containing Network User and Authorised User Personal Data by requiring that access is authorised and based on individual job functions, any third party access is vetted and approved, and access is revoked immediately upon termination.
Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data.
Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data.
Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management
Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems.
Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

In addition to the security standards detailed above, Telstra also employs the following specific security controls to protect transfers:
− Access by Subprocessors involved in Transfer (d): CDRs occurs behind Telstra firewalls, on Telstra premises, thereby applying the above controls relating to Telstra’s security environment. Where possible, access undertaken as part of Transfer (d): CDRs utilises a pseudonymised unique PIN to identify Clients’ end users, both internally and with relevant Subprocessors.
− User identification and authorisation controls are applied for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system.
− For Information processed as part of the Service, IP addresses are pseudonymised by restricting them to country-level geographic location/s, so that they are not sufficient to identify a person or a location.
− Telstra employs ‘hardening’ of configurations, along with regular patching and vulnerability scans, so that systems holding all transferred data, as outlined in Annex I, meet security requirements.
− Extensive and resilient business continuity and disaster recovery systems to help ensure the continuity of operations and access to all transferred data listed in Annex I.
− Annual re-certification of systems that hold all transferred data listed in Annex I, which includes an extensive audit of security controls and independent annual security penetration testing to validate the effectiveness of controls.

Appears in 1 contract

Samples: www.telstra.co.uk

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of personal data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard Practices

Access Control
User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access any Authorised User Personal Data.
Identification: Telstra users are granted a unique ID before being granted access to any systems containing Authorised User Personal Data, so that access is logged and monitored.
Role assignment and role based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Authorised User Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Authorised User Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
Process and procedures: Telstra does not permit Authorised User Personal Data to be used for development purposes; non-production and production environments must be separated and, at a minimum, enforce logical isolation.
System and server configuration: Telstra maintains security configuration baselines consistent with industry accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Authorised User Personal Data from being exported to unauthorised users.

Cryptography
Cryptographic algorithms: Only Telstra approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
Information classification: Authorised User Personal Data is classified as such to meet applicable requirements under Applicable Data Protection Laws. This enables Telstra to remove Authorised User Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of Personal Data in datasets, using approved algorithms or software.
Information handling: Telstra staff must protect Authorised User Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see customer data that they require for their role.

Incident Management
Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training to all staff with security breach response responsibilities.

Logging and monitoring
Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Authorised User Personal Data. Logs for systems that store, process, or transmit Authorised User Personal Data are continually reviewed.

Network security
Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
Facility controls: Telstra limits and monitors physical access to systems containing Authorised User Personal Data by requiring that access is authorised and based on individual job functions, any third party access is vetted and approved, and access is revoked immediately upon termination.
Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Authorised User Personal Data.
Contracts: In addition to clauses required under Applicable Data Protection Laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Authorised User Personal Data.
Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management
Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems.
Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that, for transfers to Subprocessors as detailed in Annex I.B and III, the relevant Subprocessor is able to provide assistance in meeting obligations under Applicable Data Protection Laws. These include:
− Access by Subprocessors involved in Transfer (d): CDRs occurs behind Telstra firewalls, on Telstra premises, thereby applying the above controls relating to Telstra’s security environment. Where possible, access undertaken as part of Transfer (d): CDRs utilises a pseudonymised unique PIN to identify Authorised Users, both internally and with relevant Subprocessors.
− User identification and authorisation controls are applied for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system.
− The Subprocessor involved in Transfer (a): Billing portal data applies ISO 27001 standards. Data is also segregated and protected by access control, network access lists and firewalls, including when this Subprocessor partakes in Transfer (d): CDRs.

Appears in 1 contract

Samples: www.telstra.com.hk

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard Practices

Access Control
User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access Authorised User and External Parties’ Personal Data.
Identification: Telstra users are granted a unique ID before being granted access to any systems containing Authorised User and External Parties’ Personal Data, so that access is logged and monitored.
Role assignment and role based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Authorised User and External Parties’ Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Authorised User and External Parties’ Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements.
Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password strength and complexity. Passwords are also encrypted at rest.

Application Security
Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy.
Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management
Process and procedures: Telstra does not permit Authorised User and External Parties’ Personal Data to be used for development purposes; non-production and production environments must be separated and, at a minimum, enforce logical isolation.
System and server configuration: Telstra maintains security configuration baselines consistent with industry accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Authorised User and External Parties’ Personal Data from being exported to unauthorised users.

Cryptography
Cryptographic algorithms: Only Telstra approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection
Information classification: Authorised User and External Parties’ Personal Data is classified as such to meet applicable requirements under data protection laws. This enables Telstra to remove Authorised User and External Parties’ Personal Data from datasets, if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of personal data in datasets, using approved algorithms or software.
Information handling: Telstra staff must protect Authorised User and External Parties’ Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see customer data that they require for their role.

Incident Management
Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training to all staff with security breach response responsibilities.

Logging and monitoring
Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Authorised User and External Parties’ Personal Data. Logs for systems that store, process, or transmit Authorised User and External Parties’ Personal Data are continually reviewed.

Network security
Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security
Facility controls: Telstra limits and monitors physical access to systems containing Authorised User and External Parties’ Personal Data by requiring that access is authorised and based on individual job functions, any third party access is vetted and approved, and access is revoked immediately upon termination.
Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security
General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel.
Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management
Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Authorised User and External Parties’ Personal Data.
arties’ Contracts: In addition to clauses required under Applicable Data Protection Lawsdata protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Client Personal Data. Authorised User and ExternalPerPsoanarl Xxxxxx.xx’ Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Client Personal DataAuthorised User and ExtePerrsnonaall DatPa; data loss preventionadartatlioses spr’evention; and business continuity and disaster recovery. Vulnerability management Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment. Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’-s xxxxx policy. In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that transfers to Subprocessors, as detailed in Annex I.B and III, ensure that the relevant Subprocessor is sub-processors are able to provide assistance in meeting obligations under Applicable Data Protection Laws. These include: Access by Subprocessors involved in Data stored under Transfer (da): CDRS occurs behind Telstra firewallsTrader Voice SIP Connect CDRs, on Telstra premises, thereby applying the above controls relating to Telstra’s security environment. 
Where possible, access undertaking as part of Transfer (db): CDRs utilises a pseudenoymised unique PIN Conferencing solution configuration data and Transfer (c): Communications content automatically backed up within storage centr availability zones are designed to identify Clients’ end relevant Subprocessorsbe isolated from failures in other availability zones and protect data for disaster recovery. User identification Measures to ensure data minimisation and authorisation controls limited data retention are applied for Subprocessors with continuous to Transfer (a): Trader Voice SIP Connect CDRs and Transfer (c): Communications content, such as the automatic permanent deletion of call data upon completion of a call and the successful transfer of the recording to the Customer, as well as the limited 30 day retention of call details on the conferencing platform. These periods are enforced by scripts that are designed to delete data at agreed intervals. In the event of script failure, an alert is generated and action is taken. Sub-processor access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system. The Subprocessor involved data in Transfer (a): Billing portal Trader Voice SIP Connect CDRs, Transfer (b): Conferencing solution configuration data applies ISO 27001 and Transfer (c): Communications content is controlled by Telstra and protected via VPN, two factor authentication and Telstra password standards. Data is also segregated and protected by access control, network access lists, firewalls, including when this Subprocessor partakes in Transfer (d): CDRs.ANNEX III

Appears in 1 contract

Samples: www.telstra.com.sg

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard Practices

Access Control. User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access Network User and Authorised User Personal Data. Identification: Telstra users are granted a unique ID before being granted access to any systems containing Network User and Authorised User Personal Data, so that access is logged and monitored. Role assignment and role based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Network User and Authorised User Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Network User and Authorised User Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements. Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password complexity. Passwords are also encrypted at rest.

Application Security. Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy. Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management. Process and procedures: Telstra does not permit Network User and Authorised User Personal Data to be used for development purposes; non-production and production environments must be separated and, at a minimum, enforce logical isolation. System and server configuration: Telstra maintains security configuration baselines consistent with industry accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Network User and Authorised User Personal Data from being exported to unauthorised users.

Cryptography. Cryptographic algorithms: Only Telstra approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection. Information classification: Network User and Authorised User Personal Data is classified as such to meet applicable requirements under data protection laws. This enables Telstra to remove Network User and Authorised User Personal Data from datasets if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of Personal Data in datasets, using approved algorithms or software. Information handling: Telstra staff must protect Network User and Authorised User Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see customer data that they require for their role.

Incident Management. Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training to all staff with security breach response responsibilities.

Logging and monitoring. Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Network User and Authorised User Personal Data. Logs for systems that store, process, or transmit Network User and Authorised User Personal Data are continually reviewed.

Network security. Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security. Facility controls: Telstra limits and monitors physical access to systems containing Network User and Authorised User Personal Data by requiring that access is authorised and based on individual job functions, any third party access is vetted and approved, and access is revoked immediately upon termination. Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security. General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management. Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Network User and Authorised User Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Network User and Authorised User Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Network User and Authorised User Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management. Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

Telstra has implemented technical and organisational measures and processes to comply with data subject rights as further detailed in Telstra’s xxxxx policy.

In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that, for transfers to Subprocessors as detailed in Annex I.B and III, the relevant Subprocessors are able to provide assistance in meeting obligations under relevant Data Protection Laws. These include: Access by Subprocessors involved in Transfer (a): User account details: username and password are exchanged under the cover of TLS. Any further transactions are authorised via a token-based system and are temporary (expire). User identification and authorisation controls are applied for Subprocessors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system. Access by the Subprocessors involved in Transfer (a): User account details: username and password and Transfer (b): User log activity information is secured by two-factor authentication and the data is encrypted. Data is kept encrypted at rest in an AWS database. TPN configuration is behind a VPN with limited access and all events are logged for verification purposes. There are multiple levels of encryption and controls in place to prevent AWS from accessing the data.

ANNEX III

Appears in 1 contract

Samples: www.telstra.com.hk

COMPETENT SUPERVISORY AUTHORITY. The competent supervisory authority is the Irish Data Protection Commission where the EU GDPR applies and the United Kingdom Information Commissioner’s Office where the UK GDPR applies.

ANNEX II TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Telstra protects all third country transfers of Personal Data, undertaken by Telstra personnel or affiliates as detailed in Annex III, in accordance with our suite of information security standards. These standards define a number of baseline controls, which are implemented at appropriate risk-based levels to protect the confidentiality, integrity and availability of both Telstra core and customer-specific data. The controls and practices detailed in the standards align to industry practices and standards, such as ISO/IEC 27001:2013, ISO 31000:2009, NIST and PCI DSS. Telstra can provide details of our current certifications upon request from customers. Telstra conducts periodic reviews of the information security standards, and may therefore amend the below baseline controls from time to time to align with industry security standards and the evolving risk landscape:

Standard Practices

Access Control. User access responsibilities: Telstra staff are only able to use approved, authenticated, and encrypted remote access communication methods to log into Telstra’s network and access any Authorised User and External Parties’ Personal Data. Identification: Telstra users are granted a unique ID before being granted access to any systems containing Authorised User and External Parties’ Personal Data, so that access is logged and monitored. Role assignment and role based access control: Telstra implements and maintains system and application access profiles based on the principle of least privilege, which means that staff are only provided with the minimum access to Authorised User and External Parties’ Personal Data required to perform their role. This includes record-keeping of authorised system users with access to Authorised User and External Parties’ Personal Data and governance procedures around these records, such as the annual revalidation or certification of user access requirements. Passwords and authentication mechanisms: Telstra uses authentication methods that are capable of validating passwords in line with Telstra’s standards for password complexity. Passwords are also encrypted at rest.

Application Security. Developer training and awareness: Software developers are trained on foundational concepts for building secure software including secure design, threat modelling, secure coding, security testing, and best practices surrounding privacy. Application design: Telstra requires that applications are designed to disable or restrict access to system services, applying the principle of least privilege, and employing layered defences wherever possible. This includes a requirement that all third-party software is securely configured to the recommended vendor security configuration, or Telstra standards, and applying strict controls around access to repositories containing Telstra source code.

Change and Configuration Management. Process and procedures: Telstra does not permit Authorised User and External Parties’ Personal Data to be used for development purposes; non-production and production environments must be separated and, at a minimum, enforce logical isolation. System and server configuration: Telstra maintains security configuration baselines consistent with industry accepted hardening standards, which address all known security vulnerabilities, and communicates these to relevant personnel. Servers are specifically configured to prevent Authorised User and External Parties’ Personal Data from being exported to unauthorised users.

Cryptography. Cryptographic algorithms: Only Telstra approved algorithms may be used, and Telstra requires that system configuration support is removed for all weak, non-approved algorithms. Access to encryption keys is recorded and audited at least annually.

Data Protection. Information classification: Authorised User and External Parties’ Personal Data is classified as such to meet applicable requirements under data protection laws. This enables Telstra to remove Authorised User and External Parties’ Personal Data from datasets if not required to provide the agreed service or meet regulatory requirements, and to remove or protect direct identifiers of personal data in datasets, using approved algorithms or software. Information handling: Telstra staff must protect Authorised User and External Parties’ Personal Data by using approved encryption methods when it is being stored and transmitted, only using authorised file sharing services, and locking devices when not in use. At an application level, Telstra solutions must meet data segregation requirements, so that each customer’s data is logically separated from other customers’ data and users can only see customer data that they require for their role.

Incident Management. Incident response plan: Telstra maintains and tests an incident response plan, which is supported by the designation of personnel who are available on a 24/7 basis to respond to alerts, along with training to all staff with security breach response responsibilities.

Logging and monitoring. Audit log content and trails: Telstra implements audit trails that link system component access to individual user accounts to reconstruct access to Authorised User and External Parties’ Personal Data. Logs for systems that store, process, or transmit Authorised User and External Parties’ Personal Data are continually reviewed.

Network security. Network management: Telstra operates procedures for monitoring access to network resources and sensitive data environments, and uses intrusion detection / prevention techniques on traffic entering its internal network.

Physical security. Facility controls: Telstra limits and monitors physical access to systems containing Authorised User and External Parties’ Personal Data by requiring that access is authorised and based on individual job functions, any third party access is vetted and approved, and access is revoked immediately upon termination. Data centre physical access: Telstra restricts entry into server rooms and protects against unauthorised access by logging entry and exit, requiring a special code or key for entry, and configuring access controls to continue preventing unauthorised entry if power is lost.

Staff security. General security culture and conduct: Telstra maintains a formal security awareness program so that staff are aware of their security responsibilities. This includes providing an annual security module to all staff and additional role-based training for relevant personnel. Background checks: Telstra staff undergo relevant and appropriate background checks.

Supplier Management. Due diligence: Telstra requires that a partner security assessment is undertaken for suppliers that have the potential to access Authorised User and External Parties’ Personal Data. Contracts: In addition to clauses required under data protection laws, Telstra incorporates standard data security clauses into contracts for suppliers that will access, transmit, use, or store Authorised User and External Parties’ Personal Data. Security: Suppliers must agree to comply with Telstra security standards and any additional Telstra requirements for the secure access, exchange, and lifecycle management of Telstra information, including Authorised User and External Parties’ Personal Data; data loss prevention; and business continuity and disaster recovery.

Vulnerability management. Vulnerability protection: Telstra deploys anti-malware software, penetration testing, vulnerability assessments, and periodic evaluations of malware threats to systems. Patch management: Telstra requires that system components and software are patched and protected from known vulnerabilities, and controls are in place to verify the integrity of patches prior to deployment.

In addition to the supplier management controls detailed above, Telstra also employs specific technical and organisational measures to ensure that, for transfers to sub-processors as detailed in Annex I.B and III, the relevant sub-processor is able to provide assistance in meeting obligations under Applicable Data Protection Laws. These include: Access by sub-processors involved in Transfer (c): GVoIP CDRs occurs behind Telstra firewalls, on Telstra premises, thereby applying the above controls relating to Telstra’s security environment. Where possible, access undertaken as part of Transfer (c): GVoIP CDRs utilises a pseudonymised unique PIN to identify Clients’ Authorised Users, both internally and with relevant sub-processors. User identification and authorisation controls are applied for sub-processors with continuous access to data, as detailed in Annex I.B, so that access is controlled, only granted to authorised individuals, and removed once that individual no longer needs access to the relevant system. The sub-processor involved in Transfer (a): Billing portal data applies ISO 27001 standards. Data is also segregated and protected by access control, network access lists and firewalls, including when this sub-processor partakes in Transfer (c): GVoIP CDRs. Data stored under Transfer (d): Trader Voice SIP Connect CDRs, Transfer (e): Conferencing solution configuration data and Transfer (f): Communications content is automatically backed up within storage centres; availability zones are designed to be isolated from failures in other availability zones and protect data for disaster recovery. Measures to ensure data minimisation and limited data retention are applied to Transfer (d): Trader Voice SIP Connect CDRs and Transfer (f): Communications content, such as the automatic permanent deletion of call data upon completion of a call and the successful transfer of the recording to the Customer, as well as the limited 30 day retention of call details on the conferencing platform. These periods are enforced by scripts that are designed to delete data at agreed intervals. In the event of script failure, an alert is generated and action is taken. Sub-processor access to data in Transfer (d): Trader Voice SIP Connect CDRs, Transfer (e): Conferencing solution configuration data and Transfer (f): Communications content is controlled by Telstra and protected via VPN, two factor authentication and Telstra password standards.

ANNEX III

Appears in 1 contract

Samples: www.telstra.com.hk
