Common use of Confidentiality and Information Security Clause in Contracts

Confidentiality and Information Security. Processor shall keep Personal Data strictly confidential and represents that it has implemented adequate physical, technical and organizational measures, which are reasonable based upon the sensitivity of the Personal Data and/or necessary to secure the Personal Data and to prevent unauthorized access, disclosure, alteration or loss of the same in light of the relevant risks presented by the Processing. In particular, such measures shall include, but shall not be limited to: • Preventing access by unauthorized persons to Processing facilities and systems, where Personal Data is Processed or used (physical access control). • Preventing unauthorized use of Processing systems (admission control). • Ensuring that those persons authorized to use a Processing system are only able to access Personal Data within the scope of their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization during Processing or use and after recording (virtual access control). • Ensuring that, during electronic transfer, transportation or when being saved to data carriers, Personal Data cannot be read, copied, modified or deleted without authorization, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control). • Ensuring that it is possible to check and ascertain whether and by whom Personal Data has been accessed, modified or deleted from Processing systems (input control), and ensuring that such access, modification and deletion of Personal Data is, in fact, monitored for any unusual or suspicious activities. • Ensuring that Personal Data Processed under these Terms can only be Processed in accordance with the instructions issued by JCI (assignment control). • Ensuring that Personal Data is protected against accidental malfunctions or loss (availability control). • Ensuring that Personal Data collected for different purposes can be Processed separately (separation control). • Maintaining a process for regularly testing, assessing and evaluating the effectiveness of physical, technical and organizational measures to ensure the security of the Processing. • Ensuring that Processor has developed and implemented appropriate privacy and data protection policies and procedures, and that all Personnel who are involved in Processing the Personal Data have been appropriately trained to Process the Personal Data in accordance with such policies and procedures as well as in accordance with these Terms and applicable Data Protection Rules. • Ensuring that disposal of Personal Data is accordance with Section 10 of these Terms is implemented in a secure manner. At the request of JCI, Processor shall provide the former with a comprehensive and up-to-date confidentiality and information security concept relating to the Processing of Personal Data under these Terms. In the event that JCI requires Processor to amend any confidentiality and information security measures, Processor shall cooperate with JCI to implement such measures as soon as practicable. Processor shall ensure that its Personnel, Affiliates’ Personnel and Sub-Processors’ Personnel are subject to legally binding confidentiality and information security obligations that meet or exceed the requirements set forth in these Terms and that survive the termination of their employment.

Confidentiality and Information Security. Processor shall keep Personal Data strictly confidential and represents that it has implemented adequate physical, technical and organizational measures, which are reasonable based upon the sensitivity of the Personal Data and/or necessary to secure the Personal Data and to prevent unauthorized access, disclosure, alteration or loss of the same in light of the relevant risks presented by the Processing. In particular, such measures shall include, but shall not be limited to: • Preventing access by unauthorized persons to Processing facilities and systems, where Personal Data is Processed or used (physical access control). • Preventing unauthorized use of Processing systems (admission control). • Ensuring that those persons authorized to use a Processing system are only able to access Personal Data within the scope of their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization during Processing or use and after recording (virtual access control). • Ensuring that, during electronic transfer, transportation or when being saved to data carriers, Personal Data cannot be read, copied, modified or deleted without authorization, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control). • Ensuring that it is possible to check and ascertain whether and by whom Personal Data has been accessed, modified or deleted from Processing systems (input control), and ensuring that such access, modification and deletion of Personal Data is, in fact, monitored for any unusual or suspicious activities. • Ensuring that Personal Data Processed under these Terms can only be Processed in accordance with the instructions issued by JCI (assignment control). • Ensuring that Personal Data is protected against accidental malfunctions or loss (availability control). • Ensuring that Personal Data collected for different purposes can be Processed separately (separation control). • Maintaining a process for regularly testing, assessing and evaluating the effectiveness of physical, technical and organizational measures to ensure the security of the Processing. • Ensuring that Processor has developed and implemented appropriate privacy and data protection policies and procedures, and that all Personnel who are involved in Processing the Personal Data have been appropriately trained to Process the Personal Data in accordance with such policies and procedures as well as in accordance with these Terms and applicable Data Protection Rules. • Ensuring that disposal of Personal Data is accordance with Section 10 of these Terms is implemented in a secure manner. At the request of JCI, Processor shall provide the former with a comprehensive and up-to-date confidentiality and information security concept relating to the Processing of Personal Data under these Terms. In the event that JCI requires Processor to amend any confidentiality and information security measures, Processor shall cooperate with JCI to implement such measures as soon as practicable. • Processor shall ensure that its Personnel, Affiliates’ Personnel and Sub-Processors’ Personnel are subject to legally binding confidentiality and information security obligations that meet or exceed the requirements set forth in these Terms and that survive the termination of their employment.

Confidentiality and Information Security. Processor shall keep Personal Data strictly confidential and represents that it has implemented adequate physical, technical and organizational measures, which are reasonable based upon the sensitivity of the Personal Data and/or necessary to secure the Personal Data and to prevent unauthorized access, disclosure, alteration or loss of the same in light of the relevant risks presented by the Processing. In particular, such measures shall include, but shall not be limited to: •  Preventing access by unauthorized persons to Processing facilities and systems, where Personal Data is Processed or used (physical access control). •  Preventing unauthorized use of Processing systems (admission control). •  Ensuring that those persons authorized to use a Processing system are only able to access Personal Data within the scope of their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization during Processing or use and after recording (virtual access control). •  Ensuring that, during electronic transfer, transportation or when being saved to data carriers, Personal Data cannot be read, copied, modified or deleted without authorization, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged (transmission control). •  Ensuring that it is possible to check and ascertain whether and by whom Personal Data has been accessed, modified or deleted from Processing systems (input control), and ensuring that such access, modification and deletion of Personal Data is, in fact, monitored for any unusual or suspicious activities. •  Ensuring that Personal Data Processed under these Terms can only be Processed in accordance with the instructions issued by JCI (assignment control). •  Ensuring that Personal Data is protected against accidental malfunctions or loss (availability control). •  Ensuring that Personal Data collected for different purposes can be Processed separately (separation control). •  Maintaining a process for regularly testing, assessing and evaluating the effectiveness of physical, technical and organizational measures to ensure the security of the Processing. •  Ensuring that Processor has developed and implemented appropriate privacy and data protection policies and procedures, and that all Personnel who are involved in Processing the Personal Data have been appropriately trained to Process the Personal Data in accordance with such policies and procedures as well as in accordance with these Terms and applicable Data Protection Rules. •  Ensuring that disposal of Personal Data is accordance with Section 10 of these Terms is implemented in a secure manner. At the request of JCI, Processor shall provide the former with a comprehensive and up-to-date confidentiality and information security concept relating to the Processing of Personal Data under these Terms. In the event that JCI requires Processor to amend any confidentiality and information security measures, Processor shall cooperate with JCI to implement such measures as soon as practicable. Processor shall ensure that its Personnel, Affiliates’ Personnel and Sub-Processors’ Personnel are subject to legally binding confidentiality and information security obligations that meet or exceed the requirements set forth in these Terms and that survive the termination of their employment.