Common use of Confidential Information and Data Protection Clause in Contracts

Confidential Information and Data Protection.
17.1 Pericom and the Client may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement.
17.2 Each party will keep in strict confidence all technical or commercial know-how, specifications, inventions, processes or initiatives which are of a confidential nature and any other Confidential Information, whether written or oral, concerning the other party’s business or its products or its services which the other party may obtain, except to the extent any disclosure is required by law. This condition 17 shall survive termination of the Agreement. The Client and Pericom will not, without the consent of the other, disclose such information to any person other than:
17.2.1 their employees, contractors or professional advisers who shall require the information in order for the Client or Pericom to fulfill its obligations under the Agreement; or
17.2.2 in the case of the Client, its Users to the extent that they are required to use or access the Services.
17.3 Information shall not be treated as confidential if it is:
17.3.1 lawfully in the public domain;
17.3.2 lawfully in the possession of the Client or Pericom before disclosure from the other has taken place;
17.3.3 obtained from a third person who is entitled to disclose it; or
17.3.4 replicated independently by someone without access or knowledge of the information.
17.4 If the Client receives a request under the Freedom of Information Act 2000 which encompasses any information provided to the Client by Pericom in connection with the Contract the Client will notify Pericom immediately of the request and give Pericom at least ten Business Days to make representations before releasing the requested information (save to the extent otherwise required by law).
The following terms shall mean: Data Processor shall take the meaning as defined in the Data Protection Legislation (“Process” or “Processing” shall be construed accordingly); Data Protection Legislation means the UK Data Protection Legislation and any other European Union Legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); GDPR means EU Regulation 2016/679 General Data Protection Regulation; loss or destruction of, or damage to, Personal Data; and to time in the UK including the GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
17.5 This clause only applies to the extent that Pericom is Processing Personal Data on behalf of the Client.
17.6 Both Parties will comply with all applicable requirements of the Data Protection Legislation.
17.7 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Data Controller and Pericom is the Data Processor.
17.8 The Privacy & Data Policy sets out the scope, nature and purpose of Processing by Pericom, the duration of the Processing, the types of Personal Data and the categories of Data Subject.
17.9 Without prejudice to the generality of condition 17.6:
17.9.1 The Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Pericom for the purposes of this Agreement; and
17.9.2 Pericom will:
17.9.2.1 Process Personal Data only on the written instructions of the Client, including regarding transfers of Personal Data outside of the European Economic Area, unless Pericom is required to do so by a legal obligation and, if so, Pericom will notify Client of this before such Processing, unless a legal obligation prohibits this;
17.9.2.2 ensure that all personnel authorised by Pericom to Process Personal Data are obliged to keep the Personal Data confidential;
17.9.2.3 ensure that it has in place appropriate technical and organisational measures designed to protect against a Personal Data Breach, appropriate to the harm that might result from such Personal Data Breach and the nature of the Personal Data to be protected where Pericom shall have regard to the state of technological development and the cost of implementing any measures, including, where appropriate: (A) pseudonymising and encrypting Personal Data; (B) ensuring confidentiality, integrity, availability and resilience of its systems and services; (C) ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and (D) regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it;
17.9.2.4 notify the Client without undue delay if it becomes aware of a Personal Data Breach;
17.9.2.5 assist the Client in responding to any requests from Data Subjects and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, save that if this is not within the reasonable remit of the Services, this will be at Client’s cost;
17.9.2.6 at Client’s written direction, delete (or put Beyond Use) or return Personal Data to Client once provision of the Services has ceased, unless required by a legal obligation to store the Personal Data; and
17.9.2.7 maintain records and information to demonstrate its compliance with this condition 10 and, where this is not sufficient, allow for audits by Client or Client’s auditor solely to demonstrate compliance, at Client’s cost, provided that the Client: (A) will not exercise its audit rights more than once in any three (3) year period, save where Client reasonably believes that a further audit is required due to Personal Data Breach; (B) gives at least thirty (30) days’ written notice of its intention to audit, including specific details on the scope of the audit and any required evidence; (C) conducts its audit during normal business hours and limits its audit to a maximum of 2 Business Days; and (D) takes all reasonable measures to prevent material business interruption to Pericom.

Appears in 3 contracts

Samples: Master Services Agreement, Master Services Agreement, Master Services Agreement


Confidential Information and Data Protection.
17.1 Pericom and the Client may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement.
17.2 Each party will keep in strict confidence all technical or commercial know-how, specifications, inventions, processes or initiatives which are of a confidential nature and any other Confidential Information, whether written or oral, concerning the other party’s business or its products or its services which the other party may obtain, except to the extent any disclosure is required by law. This condition 17 shall survive termination of the Agreement. The Client and Pericom will not, without the consent of the other, disclose such information to any person other than:
17.2.1 their employees, contractors or professional advisers who shall require the information in order for the Client or Pericom to fulfill its obligations under the Agreement; or
17.2.2 in the case of the Client, its Users to the extent that they are required to use or access the Services.
17.3 Information shall not be treated as confidential if it is:
17.3.1 lawfully in the public domain;
17.3.2 lawfully in the possession of the Client or Pericom before disclosure from the other has taken place;
17.3.3 obtained from a third person who is entitled to disclose it; or
17.3.4 replicated independently by someone without access or knowledge of the information.
17.4 If the Client receives a request under the Freedom of Information Act 2000 which encompasses any information provided to the Client by Pericom in connection with the Contract the Client will notify Pericom immediately of the request and give Pericom at least ten Business Days to make representations before releasing the requested information (save to the extent otherwise required by law).
The following terms shall mean: Data Controller shall take the meaning as defined in the Data Protection Legislation; Data Processor shall take the meaning as defined in the Data Protection Legislation (“Process” or “Processing” shall be construed accordingly); Data Protection Legislation means the UK Data Protection Legislation and any other European Union Legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); Data Subject shall take the meaning as defined in the Data Protection Legislation; GDPR means EU Regulation 2016/679 General Data Protection Regulation; Personal Data Breach means unauthorised or unlawful Processing of Personal Data or accidental loss or destruction of, or damage to, Personal Data; and UK Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK including the GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
17.5 This clause only applies to the extent that Pericom is Processing Personal Data on behalf of the Client.
17.6 Both Parties will comply with all applicable requirements of the Data Protection Legislation.
17.7 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Data Controller and Pericom is the Data Processor.
17.8 The Privacy & Data Policy sets out the scope, nature and purpose of Processing by Pericom, the duration of the Processing, the types of Personal Data and the categories of Data Subject.
17.9 Without prejudice to the generality of condition 17.6:
17.9.1 The Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Pericom for the purposes of this Agreement; and
17.9.2 Pericom will:
17.9.2.1 Process Personal Data only on the written instructions of the Client, including regarding transfers of Personal Data outside of the European Economic Area, unless Pericom is required to do so by a legal obligation and, if so, Pericom will notify Client of this before such Processing, unless a legal obligation prohibits this;
17.9.2.2 ensure that all personnel authorised by Pericom to Process Personal Data are obliged to keep the Personal Data confidential;
17.9.2.3 ensure that it has in place appropriate technical and organisational measures designed to protect against a Personal Data Breach, appropriate to the harm that might result from such Personal Data Breach and the nature of the Personal Data to be protected where Pericom shall have regard to the state of technological development and the cost of implementing any measures, including, where appropriate: (A) pseudonymising and encrypting Personal Data; (B) ensuring confidentiality, integrity, availability and resilience of its systems and services; (C) ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and (D) regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it;
17.9.2.4 notify the Client without undue delay if it becomes aware of a Personal Data Breach;
17.9.2.5 assist the Client in responding to any requests from Data Subjects and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, save that if this is not within the reasonable remit of the Services, this will be at Client’s cost;
17.9.2.6 at Client’s written direction, delete (or put Beyond Use) or return Personal Data to Client once provision of the Services has ceased, unless required by a legal obligation to store the Personal Data; and
17.9.2.7 maintain records and information to demonstrate its compliance with this condition 10 and, where this is not sufficient, allow for audits by Client or Client’s auditor solely to demonstrate compliance, at Client’s cost, provided that the Client: (A) will not exercise its audit rights more than once in any three (3) year period, save where Client reasonably believes that a further audit is required due to Personal Data Breach; (B) gives at least thirty (30) days’ written notice of its intention to audit, including specific details on the scope of the audit and any required evidence; (C) conducts its audit during normal business hours and limits its audit to a maximum of 2 Business Days; and (D) takes all reasonable measures to prevent material business interruption to Pericom.
17.10 Pericom retains all administration and executive password and access privileges for all its clients. Passwords and secure information are stored in a multi-level encrypted enterprise environment, backed up across multiple datacentres globally, with full redundancy. As an additional layer of security passwords are changed regularly and never shared outside our organisation. Within Pericom only specific accredited users have access via additional levels of MFA access and all access is monitored, time, data and user stamped.
17.10.1 From time to time clients ask that an additional layer of security is provided to remit against a scenario where Pericom is compromised and unable to operate or continue to service its clients’ infrastructure as a result of being forced into administration. This is catered for by Pericom’s client escrow / holding service which is subject to scoping, setup, registration and delivery. All pricing is POA.

Appears in 2 contracts

Samples: Master Services Agreement, Master Services Agreement
