Common use of Confidentiality and Data Security Clause in Contracts

Confidentiality and Data Security. Contractor agrees and warrants that it will maintain in strict confidence Confidential Information. The term “Confidential Information” includes (i) any information Mercy Corps provides to Contractor that Mercy Corps identifies as confidential; (ii) the terms and conditions of this Agreement (including all Statements of Services); (iii) nonpublic information concerning the affairs, activities, policies, proposals, projects, employees, donors or potential donors, finances, property or method(s) of operation, trade secrets, know-how and similar information of Mercy Corps, its affiliates, as well as any third party and its affiliates with which Mercy Corps may collaborate, and (iv) any Mercy Corps information that contains personally identifiable information hereby defined as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (referred to as “PII”). Contractor agrees to the following: a. Contractor will comply with the Mercy Corps’ Responsible Data Policy and all Federal, State and applicable laws and regulations governing the confidentiality and privacy of the information provided under this Agreement. b. Contractor will treat Confidential Information with the same standard of care that it may use to maintain its own confidential information, provided that the standard is not negligent. This includes maintaining appropriate technical and organizational measures to protect Confidential Information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. c. Contractor agrees to the implement and follow additional data security requirements concerning PII and hereby represents and warrants the following: 1) At all times during the term of this Agreement, with respect to PII, Contractor is capable of providing, and will maintain, reasonable physical, technical and administrative safeguards appropriate for any PII received from Mercy Corps, or created or received on Mercy Corps’ behalf: 2) Contractor will ensure that any transmission specifically of donor data containing PII between Mercy Corps and Contractor is conducted via secure FTP or secure/encrypted email, or other mutually agreed upon secure file sharing platform; and 3) Contractor will maintain sufficient procedures to detect and respond to any attempted unauthorized acquisition or use of PII in paper or electronic form or interference with information system operations affecting electronic PII. d. Contractor agrees to use Confidential Information only as required by to perform its services for Mercy Corps under this Agreement, and will not reveal it to a third party or use for any other purpose without the prior written consent of Mercy Corps. Except as otherwise authorized in advance by Mercy Corps, Contractor will not provide to any third party either access to, or information about, Mercy Corps systems, platforms, and other mechanisms without the express written permission in each instance. e. At the termination of the Agreement, Contractor will return to Mercy Corps all Confidential Information provided by Mercy Corps to Contractor, or otherwise take appropriate measures as requested by Mercy Corps to remove any copies of Confidential Information in Contractor’s possession and cause its subcontractors, agents, and others involved in the services to do the same.

Confidentiality and Data Security. Contractor agrees and warrants that it will maintain in strict confidence Confidential Information. The term “Confidential Information” includes (i) any information Mercy Corps provides to Contractor that Mercy Corps identifies as confidential; (ii) the terms and conditions of this Agreement (including all Statements of Services); (iii) nonpublic information concerning the affairs, activities, policies, proposals, projects, employees, donors or potential donors, finances, property or method(s) of operation, trade secrets, know-how and similar information of Mercy Corps, its affiliates, as well as any third party and its affiliates with which Mercy Corps may collaborate, and (iv) any Mercy Corps information that contains personally identifiable information hereby defined as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (referred to as “PII”). Contractor agrees to the following: a. Contractor will comply with the Mercy Corps’ Responsible Data Policy and all Federal, State and applicable laws and regulations governing the confidentiality and privacy of the information provided under this Agreement.. If Contractor will be processing Confidential Information of persons that are subject to General Data Protection Regulation (GDPR), then Contractor shall complete and adhere to Schedule III to this agreement, including providing Mercy Corps with a complete and accurate list of data sub-processors that will be utilized
as part of Contractor operations. Mercy Corps reserves the right to reject any sub-processors that, in its sole discretion, it deems inadequate to comply with the terms herein related to data processing.
b. Contractor will treat Confidential Information with the same standard of care that it may use to maintain its own confidential information, provided that the standard is not negligent. This includes maintaining appropriate technical and organizational measures to protect Confidential Information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. c. Contractor agrees to the implement and follow additional data security requirements concerning PII and hereby represents and warrants the following: 1) At all times during the term of this Agreement, with respect to PII, Contractor is capable of providing, and will maintain, reasonable physical, technical and administrative safeguards appropriate for any PII received from Mercy Corps, or created or received on Mercy Corps’ behalf: 2) Contractor will ensure that any transmission specifically of donor data containing PII between Mercy Corps and Contractor is conducted via secure FTP or secure/encrypted email, or other mutually agreed upon secure file sharing platform; and 3) Contractor will maintain sufficient procedures to detect and respond to any attempted unauthorized acquisition or use of PII in paper or electronic form or interference with information system operations affecting electronic PII. d. Contractor agrees to use Confidential Information only as required by to perform its services for Mercy Corps under this Agreement, and will not reveal it to a third party or use for any other purpose without the prior written consent of Mercy Corps. Except as otherwise authorized in advance by Mercy Corps, Contractor will not provide to any third party either access to, or information about, Mercy Corps systems, platforms, and other mechanisms without the express written permission in each instance. e. At the termination of the Agreement, Contractor will return to Mercy Corps all Confidential Information provided by Mercy Corps to Contractor, or otherwise take appropriate measures as requested by Mercy Corps to remove any copies of Confidential Information in Contractor’s possession and cause its subcontractors, agents, and others involved in the services to do the same.

Confidentiality and Data Security. Contractor agrees 7.1 Each party shall treat information received from the other that is designated as “confidential” at or prior to disclosure (“Confidential Information”) as strictly confidential. FIS designates all information relating to the Services, Third Party Services, Software, Deliverables, Specifications and warrants that it will maintain in strict confidence the terms of the Agreement as its Confidential Information. The term Client designates non-public financial information that is personally identifiable to a Customer (referenced in the Xxxxx-Xxxxx-Xxxxxx Act of 1999 as “Non-public Personal Information” or “NPI”) as its Confidential Information” includes . 7.2 Each party shall: (i) any information Mercy Corps provides restrict disclosure of the other party’s Confidential Information to Contractor that Mercy Corps identifies as confidentialemployees and agents solely on a “need to know” basis in accordance with the Agreement; (ii) the terms advise its employees and conditions agents of this Agreement (including all Statements of Services)their confidentiality obligations; (iii) nonpublic information concerning require agents to protect and restrict the affairs, activities, policies, proposals, projects, employees, donors or potential donors, finances, property or method(s) use of operation, trade secrets, know-how and similar information of Mercy Corps, its affiliates, as well as any third party and its affiliates with which Mercy Corps may collaborate, and the other party’s Confidential Information; (iv) use the same degree of care to protect the other party’s Confidential Information as it uses to safeguard its own Confidential Information of similar importance; (v) establish procedural, physical and electronic safeguards, designed to meet the objectives of the FFIEC Interagency Guidelines, to prevent the compromise or unauthorized disclosure of Confidential Information; and (vi) notify the other party of any Mercy Corps information unauthorized possession or use of its Confidential Information as soon as possible following notice of that contains personally identifiable information hereby defined unauthorized use or possession. FIS shall promptly notify Client of any incident that has resulted or is likely to result in the misuse of NPI, and shall comply with all Laws regarding NPI that are applicable to it as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (referred to as “PII”)third party processor. Contractor agrees FIS shall adhere to the following: a. Contractor will comply with the Mercy Corps’ Responsible Data Policy privacy policies and all Federal, State and applicable laws and regulations governing the confidentiality and privacy of the information provided under this Agreement. b. Contractor will treat Confidential Information with the same standard of care that it may use to maintain its own confidential information, provided that the standard is not negligent. This includes maintaining appropriate technical and organizational security measures to protect the Non-public Personal Information of Client’s customers imposed pursuant to Title V of the Xxxxx-Xxxxx-Xxxxxx Act of 1999 and Massachusetts data privacy laws and regulations, including Mass. X.X. x. 93H, 201 C.M.R. §17 (Standards for the Protection of Personal Information of Residents of the Commonwealth), and any other Massachusetts data privacy law and regulations which may subsequently be enacted and issued, all as they may be modified from time to time. FIS shall not send or store any Non-public Personal Information of Client’s customers outside of the United States. 7.3 Confidential Information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and provide a level of security appropriate to shall remain the risk represented by the processing and the nature property of the data party from or through whom it was provided. Except for NPI, neither party shall be obligated to preserve the confidentiality of any information that: (i) was previously known; (ii) is a matter of public knowledge; (iii) was or is independently developed; (iv) is released for disclosure with written consent; or (v) is received from a third party to whom it was disclosed without restriction. Disclosure of Confidential Information shall be protected. c. Contractor agrees permitted if it is: (a) required by law; (b) in connection with the tax treatment or tax structure of the Agreement; or (c) in response to a valid order of a U.S. court or other governmental body, provided the implement owner receives written notice and follow additional data security requirements concerning PII and hereby represents and warrants the following: 1) At all times during the term is afforded a reasonable opportunity to obtain a protective order. Upon partial termination of this Agreement, Agreement with respect to PIIone or more services, Contractor is capable of providing, and will maintain, reasonable physical, technical and administrative safeguards appropriate for any PII each party shall destroy the other party’s Confidential Information relating exclusively to that service according to written instructions received from Mercy Corpsby the party disclosing such Confidential Information, or created or if the other party that received on Mercy Corps’ behalf: 2) Contractor will ensure that any transmission specifically of donor data containing PII between Mercy Corps and Contractor is conducted via secure FTP or secure/encrypted email, or other mutually agreed upon secure file sharing platform; and 3) Contractor will maintain sufficient procedures to detect and respond to any attempted unauthorized acquisition or use of PII in paper or electronic form or interference with information system operations affecting electronic PII. d. Contractor agrees to use such Confidential Information only as required by declines to perform its services for Mercy Corps under this Agreementfollow such instructions, and will not reveal it said Confidential Information shall be returned to a third party or use for any other purpose without the prior written consent of Mercy Corpsdisclosing party. Except as otherwise authorized in advance by Mercy Corps, Contractor will not provide to any third party either access to, or information about, Mercy Corps systems, platforms, and other mechanisms without the express written permission in each instance. e. At the Upon termination of the Agreement, Contractor will return to Mercy Corps all each party shall destroy any remaining Confidential Information provided by Mercy Corps to Contractor, or otherwise take appropriate measures as requested by Mercy Corps to remove any copies of Confidential Information in Contractor’s possession and cause its subcontractors, agents, and others involved the other party in the services same manner or, return it to do the samedisclosing party at its expense.

Confidentiality and Data Security. Contractor (a) All Confidential Information shall be held in the strictest confidence and will not be disclosed by the Recipient or its Representatives except as specifically permitted by the terms of this Agreement. Recipient and its Representatives will use the Confidential Information solely for the purpose of performing under and in compliance with the terms of this Agreement, will not use the Confidential Information for any other purpose, and will not disclose or communicate the Confidential Information, directly or indirectly, to any other Person, except as permitted under this Agreement. Recipient further agrees and warrants that it the Confidential Information will maintain be disclosed only to such of its Representatives who need to examine or use the Confidential Information for the purposes described above. The Recipient shall be responsible for any breach of this Agreement by any of its Representatives. (b) In the event that Recipient or any of its Representatives is requested or required (by oral question, interrogatories, requests for information or documents, subpoenas, civil investigation or similar process) to disclose any of the Confidential Information, Recipient will provide the Disclosing Party with prompt notice of such requests so that the Disclosing Party may (i) seek an appropriate protective order or (ii) if disclosure is required or deemed advisable, cooperate with the Recipient in strict confidence an attempt to obtain an order or reliable assurance that confidential treatment will be accorded to any portion of the Confidential Information. The term “cost of obtaining any protective order or assurance shall be borne by the Disclosing Party. (c) Each party shall implement and maintain commercially reasonable information security measures consistent with industry standards to protect against unauthorized access to or use of the other party’s Confidential Information” includes . The Subservicer has implemented and will maintain security measures designed to meet the obligations of the Guidelines. The Subservicer shall promptly provide Servicer with notice of any unauthorized access to or use of Nonpublic Personal Information relating to a mortgagor of a Mortgage Loan which warrants consumer notice pursuant to the Guidelines. The Subservicer and the Servicer agree and acknowledge that as to all Nonpublic Personal Information received or obtained by either of them or their Representatives, with respect to any mortgagor of a Mortgage Loan: (i) any such information Mercy Corps provides shall be held by the Subservicer, the Servicer or their respective Representatives in accordance with all applicable law, including but not limited to Contractor that Mercy Corps identifies as confidential; the Guidelines and the privacy provisions of the Xxxxx-Xxxxx-Xxxxxx Act of 1999 and applicable state law and regulations thereunder and (ii) the terms and conditions of this Agreement (including all Statements of Services); (iii) nonpublic such information concerning the affairs, activities, policies, proposals, projects, employees, donors is in connection with a proposed or potential donors, finances, property or method(s) of operation, trade secrets, know-how and similar information of Mercy Corps, its affiliates, as well as any third party and its affiliates with which Mercy Corps may collaborate, and (iv) any Mercy Corps information that contains personally identifiable information hereby defined as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable actual secondary market sale related to a specific individual (referred to as “PII”). Contractor agrees to the following: a. Contractor will comply with the Mercy Corps’ Responsible Data Policy and all Federal, State and applicable laws and regulations governing the confidentiality and privacy transaction of the information provided under this Agreementmortgagor for the purposes of 16 C.F.R., Section 313.14(a)(3). b. Contractor will treat Confidential Information with (d) Upon the same standard of care that it may use to maintain its own confidential information, provided that the standard is not negligent. This includes maintaining appropriate technical and organizational measures to protect Confidential Information against accidental termination or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. c. Contractor agrees to the implement and follow additional data security requirements concerning PII and hereby represents and warrants the following: 1) At all times during the term expiration of this Agreement, with respect the Recipient shall promptly surrender to PII, Contractor is capable the Disclosing Party all of providing, and will maintain, reasonable physical, technical and administrative safeguards appropriate for any PII received from Mercy Corps, or created or received on Mercy Corps’ behalf: 2) Contractor will ensure that any transmission specifically of donor data containing PII between Mercy Corps and Contractor is conducted via secure FTP or secure/encrypted email, or other mutually agreed upon secure file sharing platform; and 3) Contractor will maintain sufficient procedures to detect and respond to any attempted unauthorized acquisition or use of PII in paper or electronic form or interference with information system operations affecting electronic PII. d. Contractor agrees to use the Confidential Information only in the Recipient’s possession, or, at the Disclosing Party’s option, completely and permanently destroy all copies thereof and shall provide to Disclosing Party a certificate of a senior officer certifying that it has done so; provided, however, that unless the Subservicer has resigned or has been terminated as required by the servicer pursuant to perform its services for Mercy Corps under this Agreement, and will not reveal it the Subservicer shall retain the Subservicing Files. Notwithstanding anything herein to a third party or the contrary, the Recipient may retain such information as may be required by law. Further, to the extent destruction is required hereunder Recipient shall only be required to use all commercially reasonable efforts to destroy any electronic information from its computer systems. (e) The Recipient shall be responsible for any other purpose without the prior written consent breach of Mercy Corps. Except as otherwise authorized in advance by Mercy Corps, Contractor will not provide to any third party either access to, or information about, Mercy Corps systems, platforms, and other mechanisms without the express written permission in each instance. e. At the termination of the Agreement, Contractor will return to Mercy Corps all Confidential Information provided by Mercy Corps to Contractor, or otherwise take appropriate measures as requested by Mercy Corps to remove any copies of Confidential Information in Contractor’s possession and cause its subcontractors, agents, and others involved in the services to do the same.this Section 8.10

Confidentiality and Data Security. Contractor agrees The Ceding Company and warrants the Reinsurer agree that it Customer and Proprietary Information (as defined herein) will maintain in strict confidence Confidential Information. The term “Confidential Information” includes (i) any information Mercy Corps provides to Contractor that Mercy Corps identifies be treated as confidential; (ii) . Customer Information includes, but is not limited to, medical, financial, and other personal information about proposed, current, and former contract owners, annuitants, applicants, and beneficiaries of Base Annuities and Riders issued by the Ceding Company. Proprietary Information includes, but is not limited to, business plans and trade secrets, mortality and lapse studies, underwriting manuals and guidelines, reinsurance fees and expenses, applications and contract forms, and the specific terms and conditions of this Agreement. 10 of 88 Customer and Proprietary Information will not include information that: (a) is or becomes available to the general public through no fault of the party receiving the Customer or Proprietary Information (the “Recipient”); or (b) is independently developed by the Recipient without violating any obligations under this Agreement and without the use of any Customer or Proprietary Information; or (including c) is acquired by the Recipient from a third party not covered by a confidentiality agreement. The parties will not disclose Customer Information and Proprietary Information to any other parties unless agreed to in writing, except as necessary for retrocession purposes, as requested by external auditors, as required by court order, or as required or allowed by law or regulation so long as the Reinsurer provides the Ceding Company with advance notice of such disclosure. The Ceding Company shall not provide the Reinsurer with personally identifiable Customer Information unless requested by the Reinsurer. The Reinsurer also agrees to protect the confidentiality of Customer Information by: • Holding all Statements Customer Information transmitted to them by or on behalf of Servicesthe Ceding Company in strict confidence; • Maintaining appropriate measures that are designed to protect the security, integrity and confidentiality of Customer Information; • Using Customer Information only in the ordinary course of business to carry out the Reinsurer’s obligations under this Agreement; and • Disclosing Customer Information to third parties only as necessary to perform services under the Agreement, for purposes of retrocession, or as may be required or permitted by law. Both the Ceding Company and the Reinsurer agree that they will (a) immediately notify the other party if they become aware of any unauthorized access to or collection, use, or disclosure of Customer Information or Proprietary Information in their possession or in the possession of a third party to whom such party provided access (“Data Breach”); (iiib) nonpublic information concerning cooperate in any investigation or actions to mitigate damages the affairsother party determines is reasonably necessary as a result of such Data Breach; (c) reimburse the other party for all reasonable costs incurred by such party in any internal investigation of such Data Breach; and 11 of 88 (d) be liable for any damages, activities, policies, proposals, projects, employees, donors or potential donors, finances, property or method(s) of operation, trade secrets, know-how and similar information of Mercy Corps, its affiliates, as well as any third party and its affiliates with which Mercy Corps may collaborateexpenses, and liabilities incurred by such party arising from claims or actions by third parties resulting from such Data Breach. The parties hereto further agree to comply with all applicable federal, state and local laws pertaining to breach of data security. Each party has the right to verify the other party’s compliance with this Article by audit or inspection. The Ceding Company acknowledges that the Reinsurer can aggregate data with other companies reinsured with the Reinsurer as long as the data cannot be identified as belonging to the Ceding Company. Each party agrees that it will not, directly or indirectly, disclose or release in any manner (ivincluding through press release or public announcement) any Mercy Corps information to the “Media” relating to the transaction covered by this Reinsurance Agreement. For purposes of this provision, “Media” includes, without limitation, any news organization, publication, show, website, web blog, bulletin board, social media outlet or program whether published through print, radio, television, internet or otherwise. Furthermore, the Ceding Company agrees that contains personally identifiable whenever it provides information hereby defined as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable regarding the transaction covered by this Reinsurance Agreement to a specific individual (referred to as “PII”). Contractor agrees to the following: a. Contractor will comply with the Mercy Corps’ Responsible Data Policy and all Federalthird party, State and applicable laws and regulations governing the confidentiality and privacy of the information provided under this Agreement. b. Contractor will treat Confidential Information with the same standard of care that it may use the proper name of the Reinsurer in such information but shall not include any reference to maintain [XXX], [XXX] or any derivation of the name [XXX]; provided, however, that such references to [XXX] can be made whether oral or written (i) to regulators and rating agencies; (ii) with the consent of the Reinsurer; or (iii) where such reference is required or requested by law, regulatory action or regulation, in which event (solely with respect to this clause (iii) prior written notice will be given to the Reinsurer to the extent feasible and the Parties will reasonably cooperate with respect to the wording of such disclosure. Nothing contained in this Paragraph 19 is intended or should be interpreted to prevent either party from providing Customer and Proprietary Information to its own confidential informationattorneys, consultants, other authorized representatives, or retrocessionaires in connection with the transactions contemplated by this Agreement, provided that any such attorneys, consultants, authorized representatives, or retrocessionaires shall be bound by the standard is not negligentcovenants contained in this Paragraph 19. This includes maintaining appropriate technical and organizational measures to protect Confidential Information against accidental or unlawful destruction or accidental lossThe confidentiality obligations contained in this Agreement, alteration, unauthorized disclosure or access, and provide a level of security appropriate as they relate to the risk represented by the processing and the nature of the data to be protected. c. Contractor agrees reinsurance hereunder, shall not apply to the implement federal U.S. tax structure or federal U.S. tax treatment of this Agreement and follow additional data security requirements concerning PII each 12 of 88 party hereto (and hereby represents any affiliate or representative of either party hereto) may disclose to any and warrants all person, without limitation of any kind, the following: 1) At all times during the term federal U.S. tax structure and federal U.S. tax treatment of this Agreement. The preceding sentence is intended to cause the Agreement to be treated as not having been offered under conditions of confidentiality for purposes of Section 1.6011-4(b)(3) (or any successor provision) of the Treasury Regulations promulgated under Section 6011 of the Internal Revenue Code of 1986, with respect to PII, Contractor is capable of providingas amended, and will maintain, reasonable physical, technical and administrative safeguards appropriate for any PII received from Mercy Corps, or created or received on Mercy Corps’ behalf: 2) Contractor will ensure that any transmission specifically of donor data containing PII between Mercy Corps and Contractor is conducted via secure FTP or secure/encrypted email, or other mutually agreed upon secure file sharing platform; and 3) Contractor will maintain sufficient procedures to detect and respond to any attempted unauthorized acquisition or use of PII shall be construed in paper or electronic form or interference a manner consistent with information system operations affecting electronic PIIsuch purpose. d. Contractor agrees to use Confidential Information only as required by to perform its services for Mercy Corps under this Agreement, and will not reveal it to a third party or use for any other purpose without the prior written consent of Mercy Corps. Except as otherwise authorized in advance by Mercy Corps, Contractor will not provide to any third party either access to, or information about, Mercy Corps systems, platforms, and other mechanisms without the express written permission in each instance. e. At the termination of the Agreement, Contractor will return to Mercy Corps all Confidential Information provided by Mercy Corps to Contractor, or otherwise take appropriate measures as requested by Mercy Corps to remove any copies of Confidential Information in Contractor’s possession and cause its subcontractors, agents, and others involved in the services to do the same.

Confidentiality and Data Security. Contractor agrees and warrants that it will maintain in strict confidence Confidential Information. The term “Confidential Information” includes (i) any information Mercy Corps provides to Contractor that Mercy Corps identifies as confidential; (ii) the terms and conditions of this Agreement (including all Statements of Services); (iii) nonpublic information concerning the affairs, activities, policies, proposals, projects, employees, donors or potential donors, finances, property or method(s) of operation, trade secrets, know-know- how and similar information of Mercy Corps, its affiliates, as well as any third party and its affiliates with which Mercy Corps may collaborate, and (iv) any Mercy Corps information that contains personally identifiable information hereby defined as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (referred to as “PII”). Contractor agrees to the following: a. Contractor will comply with the Mercy Corps’ Responsible Data Policy and all Federal, State and applicable laws and regulations governing the confidentiality and privacy of the information provided under this Agreement. b. Contractor will treat Confidential Information with the same standard of care that it may use to maintain its own confidential information, provided that the standard is not negligent. This includes maintaining appropriate technical and organizational measures to protect Confidential Information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. c. Contractor agrees to the implement and follow additional data security requirements concerning PII and hereby represents and warrants the following: 1) i. At all times during the term of this Agreement, with respect to PII, Contractor is capable of providing, and will maintain, reasonable physical, technical and administrative safeguards appropriate for any PII received from Mercy Corps, or created or received on Mercy Corps’ behalf:; 2) ii. Contractor will ensure that any transmission specifically of donor data containing PII between Mercy Corps and Contractor is conducted via secure FTP or secure/encrypted email, or other mutually agreed upon secure file sharing platform; and 3) iii. Contractor will maintain sufficient procedures to detect and respond to any attempted unauthorized acquisition or use of PII in paper or electronic form or interference with information system operations affecting electronic PII. d. Contractor agrees to use Confidential Information only as required by to perform its services for Mercy Corps under this Agreement, and will not reveal it to a third party or use for any other purpose without the prior written consent of Mercy Corps. Except as otherwise authorized in advance by Mercy Corps, Contractor will not provide to any third party either access to, or information about, Mercy Corps systems, platforms, and other mechanisms without the express written permission in each instance. e. At the termination of the Agreement, Contractor will return to Mercy Corps all Confidential Information provided by Mercy Corps to Contractor, or otherwise take appropriate measures as requested by Mercy Corps to remove any copies of Confidential Information in Contractor’s possession and cause its subcontractors, agents, and others involved in the services to do the same.

Confidentiality and Data Security. Contractor agrees and warrants that it will maintain in strict confidence Confidential Information. The term “Confidential Information” includes (i) any information Mercy Corps provides to Contractor that Mercy Corps identifies as confidential; (ii) the terms and conditions of this Agreement (including all Statements of Services); (iii) nonpublic information concerning the affairs, activities, policies, proposals, projects, employees, donors or potential donors, finances, property or method(s) of operation, trade secrets, know-how and similar information of Mercy Corps, its affiliates, as well as any third party and its affiliates with which Mercy Corps may collaborate, and (iv) any Mercy Corps information that contains personally identifiable information hereby defined as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (referred to as “PII”). Contractor agrees to the following: a. Contractor will comply with the Mercy Corps’ Responsible Data Policy and all Federal, State and applicable laws and regulations governing the confidentiality and privacy of the information provided under this Agreement. If Contractor will be processing Confidential Information of persons that are subject to General Data Protection Regulation (GDPR), then Contractor shall complete and adhere to Schedule III to this agreement, including providing Mercy Corps with a complete and accurate list of data sub-processors that will be utilized as part of Contractor operations. Mercy Corps reserves the right to reject any sub-processors that, in its sole discretion, it deems inadequate to comply with the terms herein related to data processing. b. Contractor will treat Confidential Information with the same standard of care that it may use to maintain its own confidential information, provided that the standard is not negligent. This includes maintaining appropriate technical and organizational measures to protect Confidential Information against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected. c. Contractor agrees to the implement and follow additional data security requirements concerning PII and hereby represents and warrants the following: 1) At all times during the term of this Agreement, with respect to PII, Contractor is capable of providing, and will maintain, reasonable physical, technical and administrative safeguards appropriate for any PII received from Mercy Corps, or created or received on Mercy Corps’ behalf: 2) Contractor will ensure that any transmission specifically of donor data containing PII between Mercy Corps and Contractor is conducted via secure FTP or secure/encrypted email, or other mutually agreed upon secure file sharing platform; and 3) Contractor will maintain sufficient procedures to detect and respond to any attempted unauthorized acquisition or use of PII in paper or electronic form or interference with information system operations affecting electronic PII. d. Contractor agrees to use Confidential Information only as required by to perform its services for Mercy Corps under this Agreement, and will not reveal it to a third party or use for any other purpose without the prior written consent of Mercy Corps. Except as otherwise authorized in advance by Mercy Corps, Contractor will not provide to any third party either access to, or information about, Mercy Corps systems, platforms, and other mechanisms without the express written permission in each instance. e. At the termination of the Agreement, Contractor will return to Mercy Corps all Confidential Information provided by Mercy Corps to Contractor, or otherwise take appropriate measures as requested by Mercy Corps to remove any copies of Confidential Information in Contractor’s possession and cause its subcontractors, agents, and others involved in the services to do the same.

Confidentiality and Data Security. Contractor agrees The Ceding Company and warrants the Reinsurer agree that it Customer and Proprietary Information (as defined herein) will maintain in strict confidence Confidential Information. The term “Confidential Information” includes (i) any information Mercy Corps provides to Contractor that Mercy Corps identifies be treated as confidential; (ii) . Customer Information includes, but is not limited to, medical, financial, and other personal information about proposed, current, and former contract owners, annuitants, applicants, and beneficiaries of Base Annuities and Riders issued by the Ceding Company. Proprietary Information includes, but is not limited to, business plans and trade secrets, mortality and lapse studies, underwriting manuals and guidelines, reinsurance fees and expenses, applications and contract forms, and the specific terms and conditions of this Agreement. Customer and Proprietary Information will not include information that: (a) is or becomes available to the general public through no fault of the party receiving the Customer or Proprietary Information (the “Recipient”); or (b) is independently developed by the Recipient without violating any obligations under this Agreement and without the use of any Customer or Proprietary Information; or (including c) is acquired by the Recipient from a third party not covered by a confidentiality agreement. The parties will not disclose Customer Information and Proprietary Information to any other parties unless agreed to in writing, except as necessary for retrocession purposes, as requested by external auditors, as required by court order, or as required or allowed by law or regulation so long as the Reinsurer provides the Ceding Company with advance notice of such disclosure. The Ceding Company shall not provide the Reinsurer with personally identifiable Customer Information unless requested by the Reinsurer. The Reinsurer also agrees to protect the confidentiality of Customer Information by: • Holding all Statements Customer Information transmitted to them by or on behalf of Servicesthe Ceding Company in strict confidence; • Maintaining appropriate measures that are designed to protect the security, integrity and confidentiality of Customer Information; • Using Customer Information only in the ordinary course of business to carry out the Reinsurer’s obligations under this Agreement; and • Disclosing Customer Information to third parties only as necessary to perform services under the Agreement, for purposes of retrocession, or as may be required or permitted by law. Both the Ceding Company and the Reinsurer agree that they will (a) immediately notify the other party if they become aware of any unauthorized access to or collection, use, or disclosure of Customer Information or Proprietary Information in their possession or in the possession of a third party to whom such party provided access (“Data Breach”); (iiib) nonpublic information concerning cooperate in any investigation or actions to mitigate damages the affairsother party determines is reasonably necessary as a result of such Data Breach; (c) reimburse the other party for all reasonable costs incurred by such party in any internal investigation of such Data Breach; and (d) be liable for any damages, activities, policies, proposals, projects, employees, donors or potential donors, finances, property or method(s) of operation, trade secrets, know-how and similar information of Mercy Corps, its affiliates, as well as any third party and its affiliates with which Mercy Corps may collaborateexpenses, and liabilities incurred by such party arising from claims or actions by third parties resulting from such Data Breach. The parties hereto further agree to comply with all applicable federal, state and local laws pertaining to breach of data security. Each party has the right to verify the other party’s compliance with this Article by audit or inspection. The Ceding Company acknowledges that the Reinsurer can aggregate data with other companies reinsured with the Reinsurer as long as the data cannot be identified as belonging to the Ceding Company. Each party agrees that it will not, directly or indirectly, disclose or release in any manner (ivincluding through press release or public announcement) any Mercy Corps information to the “Media” relating to the transaction covered by this Reinsurance Agreement. For purposes of this provision, “Media” includes, without limitation, any news organization, publication, show, website, web blog, bulletin board, social media outlet or program whether published through print, radio, television, internet or otherwise. Furthermore, the Ceding Company agrees that contains personally identifiable whenever it provides information hereby defined as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable regarding the transaction covered by this Reinsurance Agreement to a specific individual (referred to as “PII”). Contractor agrees to the following: a. Contractor will comply with the Mercy Corps’ Responsible Data Policy and all Federalthird party, State and applicable laws and regulations governing the confidentiality and privacy of the information provided under this Agreement. b. Contractor will treat Confidential Information with the same standard of care that it may use the proper name of the Reinsurer in such information but shall not include any reference to maintain [XXX], [XXX] or any derivation of the name [XXX]; provided, however, that such references to [XXX] can be made whether oral or written (i) to regulators and rating agencies; (ii) with the consent of the Reinsurer; or (iii) where such reference is required or requested by law, regulatory action or regulation, in which event (solely with respect to this clause (iii) prior written notice will be given to the Reinsurer to the extent feasible and the Parties will reasonably cooperate with respect to the wording of such disclosure. Nothing contained in this Paragraph 19 is intended or should be interpreted to prevent either party from providing Customer and Proprietary Information to its own confidential informationattorneys, consultants, other authorized representatives, or retrocessionaires in connection with the transactions contemplated by this Agreement, provided that any such attorneys, consultants, authorized representatives, or retrocessionaires shall be bound by the standard is not negligentcovenants contained in this Paragraph 19. This includes maintaining appropriate technical and organizational measures to protect Confidential Information against accidental or unlawful destruction or accidental lossThe confidentiality obligations contained in this Agreement, alteration, unauthorized disclosure or access, and provide a level of security appropriate as they relate to the risk represented by the processing and the nature of the data to be protected. c. Contractor agrees reinsurance hereunder, shall not apply to the implement federal U.S. tax structure or federal U.S. tax treatment of this Agreement and follow additional data security requirements concerning PII each party hereto (and hereby represents any affiliate or representative of either party hereto) may disclose to any and warrants all person, without limitation of any kind, the following: 1) At all times during the term federal U.S. tax structure and federal U.S. tax treatment of this Agreement. The preceding sentence is intended to cause the Agreement to be treated as not having been offered under conditions of confidentiality for purposes of Section 1.6011-4(b)(3) (or any successor provision) of the Treasury Regulations promulgated under Section 6011 of the Internal Revenue Code of 1986, with respect to PII, Contractor is capable of providingas amended, and will maintain, reasonable physical, technical and administrative safeguards appropriate for any PII received from Mercy Corps, or created or received on Mercy Corps’ behalf: 2) Contractor will ensure that any transmission specifically of donor data containing PII between Mercy Corps and Contractor is conducted via secure FTP or secure/encrypted email, or other mutually agreed upon secure file sharing platform; and 3) Contractor will maintain sufficient procedures to detect and respond to any attempted unauthorized acquisition or use of PII shall be construed in paper or electronic form or interference a manner consistent with information system operations affecting electronic PIIsuch purpose. d. Contractor agrees to use Confidential Information only as required by to perform its services for Mercy Corps under this Agreement, and will not reveal it to a third party or use for any other purpose without the prior written consent of Mercy Corps. Except as otherwise authorized in advance by Mercy Corps, Contractor will not provide to any third party either access to, or information about, Mercy Corps systems, platforms, and other mechanisms without the express written permission in each instance. e. At the termination of the Agreement, Contractor will return to Mercy Corps all Confidential Information provided by Mercy Corps to Contractor, or otherwise take appropriate measures as requested by Mercy Corps to remove any copies of Confidential Information in Contractor’s possession and cause its subcontractors, agents, and others involved in the services to do the same.