Common use of Controller Obligations Clause in Contracts

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Laws. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Laws, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates of the Controller who use the Software shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Software; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the AgreementCustomer Terms, this DPA and its obligations under Data Protection Laws. 5.2 all applicable data protection laws. The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations authorizations necessary to permit the Processor, its affiliates Subsidiaries and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 . The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 Customer Terms. All affiliates Subsidiaries of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 . The Controller shall has their own obligations to implement their own appropriate technical and organisational organizational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: : (ia) the pseudonymisation pseudonymization and encryption of Personal Data; ; (iib) the ability to ensure the on-going ongoing confidentiality, integrity, availability and resilience of processing systems and Software; services; (iiic) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (ivd) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational organizational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 . The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller. The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the AgreementCustomer Terms. The Processor will process the request to the extent it is lawful, and will reasonably fulfil fulfill such request in accordance with its standard operational procedures to the extent possible. 5.7 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with all Data Protection LawsLaw, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Sub- Processors, to execute their rights or perform their obligations under this DPA. 5.3 All Affiliates of the Controller who use the Services shall comply with the obligations of the Controller set out in this DPA. 5.4 The Controller is responsible for compliance with Data Protection LawsLaw, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates of the Controller who use the Software shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Controller recognises and agrees that the Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, the The Processor will notify shall be entitled to charge the Controller of for its fees for costs and expenses in providing any such assistance in advance, unless otherwise agreedassistance.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with all Data Protection LawsLaw, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Solution and Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Lawsall applicable data protection laws. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going ongoing confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that that: (i) it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Laws. 5.2 The Controller represents and warrants that Law; (ii) it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Laws, including requirements with regards to the transfer of Personal Data under this DPA ; and the Agreement. 5.4 All affiliates (iii) all Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 5.2 The Controller shall implement appropriate technical and organisational procedures measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going ongoing confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.3 The Controller acknowledges and agrees that some instructions from the Controller, Controller including destruction or return of data, the Processor assisting with audits, inspections or inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, case the Processor will shall notify the Controller of its fees for providing such assistance in advanceadvance and shall be entitled to charge the Controller for its reasonable costs and expenses in providing such assistance, unless agreed otherwise agreedin writing.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 All Affiliates of the Controller who use the Services shall comply with the obligations of the Controller set out in this DPA. 5.4 The Controller is responsible for compliance with Data Protection LawsLaw, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates of the Controller who use the Software shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, the The Processor will notify shall be entitled to charge the Controller of for its fees for costs and expenses in providing any such assistance in advance, unless otherwise agreedassistance.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the AgreementCustomer Terms, this DPA and its obligations under Data Protection Laws. 5.2 all applicable data protection laws. The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations authorizations necessary to permit the Processor, its affiliates Subsidiaries and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 . The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the lawful processing of Personal Data (including Special Categories of Data) and the transfer of Personal Data (including Special Categories of Data) under this DPA and the Agreement. 5.4 Customer Terms. All affiliates Subsidiaries of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 . The Controller shall has their own obligations to implement their own appropriate technical and organisational organizational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: : (ia) the pseudonymisation pseudonymization and encryption of Personal Data; ; (iib) the ability to ensure the on-going ongoing confidentiality, integrity, availability and resilience of processing systems and Software; services; (iiic) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (ivd) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational organizational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 . The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller. The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the AgreementCustomer Terms. The Processor will process the request to the extent it is lawful, and will reasonably fulfil fulfill such request in accordance with its standard operational procedures to the extent possible. 5.7 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the AgreementTerms and Conditions, this DPA and its obligations under Data Protection Laws. 5.2 all applicable data protection laws. The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Subsidiaries and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 . The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 Terms and Conditions. All affiliates Subsidiaries of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 . The Controller shall has their own obligations to implement their own appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 . The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller. The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the AgreementTerms and Conditions. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 . The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, data from the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAProcessor, may result in additional fees. In such case, the Processor will notify the Controller of its such fees for providing such assistance in advance, advance unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that that: (i) it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Laws. 5.2 The Controller represents and warrants that Law; (ii) it has obtained any any, and all all, necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processorsprocessors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Laws, including requirements with regards to the transfer of Personal Data under this DPA ; and the Agreement. 5.4 All affiliates (iii) all Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 5.2 The Controller shall implement appropriate technical and organisational procedures measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.3 The Controller acknowledges and agrees that some instructions from the Controller, Controller including destruction or return of data, the Processor assisting with audits, inspections or inspections, DPIAs or providing any other assistance under this DPA, may result in additional fees. In such case, case the Processor will shall notify the Controller of its fees for providing such assistance in advanceadvance and shall be entitled to charge the Controller for its reasonable costs and expenses in providing such assistance, unless otherwise agreedagreed otherwise.

Controller Obligations. 5.1 The Controller represents and warrants that that: (i) it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Laws. 5.2 The Controller represents and warrants that Law; (ii) it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Laws, including requirements with regards to the transfer of Personal Data under this DPA ; and the Agreement. 5.4 All affiliates (iii) all Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 5.2 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going ongoing confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.3 The Controller acknowledges and agrees that some instructions from the Controller, Controller including destruction or return of data, the Processor assisting with audits, inspections or inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, case the Processor will shall notify the Controller of its fees for providing such assistance in advanceadvance and shall be entitled to charge the Controller for its reasonable costs and expenses in providing such assistance, unless agreed otherwise agreedin writing.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the AgreementCustomer Terms, this DPA and its obligations under Data Protection Laws. 5.2 all applicable data protection laws. The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Subsidiaries and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 . The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 Customer Terms. All affiliates Subsidiaries of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 . The Controller shall has their own obligations to implement their own appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) : a. the pseudonymisation and encryption of Personal Data; (ii) ; b. the ability to ensure the on-going ongoing confidentiality, integrity, availability and resilience of processing systems and Software; (iii) services; c. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) and d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 . The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller. The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the AgreementCustomer Terms. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 . The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, data from the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAProcessor, may result in additional fees. In such case, the Processor will notify the Controller of its such fees for providing such assistance in advance, advance unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents You represent and warrants warrant that it you shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Lawsall applicable data protection laws. 5.2 The Controller represents You represent and warrants warrant that it has you have obtained any and all necessary permissions and authorisations necessary to permit the Processorus, its affiliates our Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is You are responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Customer Data under this DPA and the Agreement. 5.4 All affiliates of the Controller Authorised Affiliates who use the Software Services shall comply with the your obligations of the Controller set out in this DPA. 5.5 The Controller You shall implement appropriate technical and organisational procedures to protect Personal Customer Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller . 5.6 You shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Customer Data; (ii) the ability to ensure the on-on- going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Customer Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Customer Data transmitted, stored or otherwise processed. 5.6 The Controller 5.7 You shall take steps to ensure that any natural person acting under your authority who has access to Customer Data does not process the Customer Data except on your instructions. 5.8 You may require correction, deletion, blocking and/or making available the Personal Customer Data during or after termination of the Agreement. The Processor We will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its our standard operational procedures to the extent possible. 5.7 The Controller acknowledges 5.9 You acknowledge and agrees agree that some instructions from the Controlleryou, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAdata from us, may result in additional fees. In such case, the Processor we will notify the Controller you of its such fees for providing such assistance in advance, advance unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Professional Services Agreement, this DPA and its obligations under Data Protection Lawsall applicable data protection laws. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Professional Services Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Professional Services Agreement. The Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Lawsall applicable data protection laws. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations authorizations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational organizational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: : (i) the pseudonymisation and encryption of Personal Data; ; (ii) the ability to ensure the on-going ongoing confidentiality, integrity, availability and resilience of processing systems and Software; services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; ; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational organizational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil fulfill such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the AgreementCustomer Terms, this DPA and its obligations under Data Protection Laws. 5.2 all applicable data protection laws. The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Subsidiaries and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 . The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 Customer Terms. All affiliates Subsidiaries of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 . The Controller shall has their own obligations to implement their own appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) : a. the pseudonymisation and encryption of Personal Data; (ii) ; b. the ability to ensure the on-going confidentialityongoing confidentiality, integrity, availability and resilience of processing systems and Software; (iii) services; c. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) and d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 . The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller. The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the AgreementCustomer Terms. The Processor will process the request to the extent it is lawful, and will reasonably fulfil fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 . The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, data from the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAProcessor, may result in additional fees. In such case, the Processor will notify the Controller of its such fees for providing such assistance in advance, advance unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Lawsall applicable data protection laws. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Solution or Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with all Data Protection LawsLaw, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Controller acknowledges and agrees that the Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any any, and all all, necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Laws, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Solutions or Services shall comply with the obligations of the Controller set out in this DPA. 5.5 5.4 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.5 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, case the Processor will shall notify the Controller of such fees and shall be entitled to charge the Controller for its fees for costs and expenses in providing any such assistance in advance, unless otherwise agreedassistance.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 All Affiliates of the Controller who use the Services shall comply with the obligations of the Controller set out in this DPA. 5.4 The Controller is responsible for compliance with Data Protection LawsLaw, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates of the Controller who use the Software shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Controller acknowledges and agrees that the Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, the The Processor will notify shall be entitled to charge the Controller of for its fees for costs and expenses in providing any such assistance in advance, unless otherwise agreedassistance.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Laws. 5.2 all applicable data protection laws. The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Subsidiaries and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 . The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 DPA. All affiliates Subsidiaries of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 . The Controller shall has its own obligations to implement their own appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) • the pseudonymisation and encryption of Personal Data; (ii) • the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 . The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller. The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 . The Controller acknowledges and agrees that some instructions from that: • Subsidiaries of the Controller, including destruction or return Processor may be used as Sub-processors; • the Processor and its Subsidiaries respectively may engage Sub-processors in connection with the provision of datathe Services. All Sub-processors who process Personal Data in the provision of the Services to the Controller shall comply with the obligations of the Processor similar to those set out in this DPA. Where Sub-processors are located outside of the EEA, the Processor assisting confirms that such Sub-processors: • are located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or • have entered into Standard Contractual Clauses with auditsthe Processor; or • have other legally recognised appropriate safeguards in place, inspections such as the EU-US Privacy Shield or DPIAs or providing any assistance under Binding Corporate Rules. The Processor shall make available to the Controller the current list of sub-processors which shall include the identities of Sub-processors and their country of location. During the term of this DPA, may result in additional fees. In such case, the Processor will notify shall provide the Controller with at least 30 days prior notification, via email, of its any changes to the list of Sub- processor(s) who may process Personal Data before authorising any new or replacement Sub-processor(s) to process Personal Data in connection with the provision of the Services. If the Controller objects to a new or replacement Sub-processor the Controller may terminate the terms with respect to those Services which cannot be provided by the Processor without the use of the new or replacement Sub-processor. The Processor will refund the Controller any prepaid fees for providing covering the remainder of the Term following the effective date of termination with respect to such assistance in advance, unless otherwise agreedterminated Services.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection LawsLaw, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going ongoing confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions consents, permissions, and authorisations authorizations necessary to permit the Processor, its affiliates Processor and Sub-Processors, Processors to execute their rights or perform their obligations under the Agreement and this DPA. 5.3 The Controller is responsible for compliance with Data Protection Laws, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Services and Software shall comply with the Controller’s obligations of the Controller set out forth in this DPADPA and shall be bound by the DPA as if a party hereto. 5.5 5.4 The Controller shall implement appropriate technical and organisational organizational procedures to protect Personal Data, taking into account considering the state of the art, the costs of implementation and the nature, scope, context context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriatewithout limitation: (ia) the pseudonymisation pseudonymization and encryption of Personal Data; (iib) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iiic) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (ivd) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing assessing the appropriate level of security account security, Controller shall be taken in particular of consider the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored stored, or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.5 The Controller acknowledges and agrees that some instructions requests from the Controller, including destruction or return of data, the Processor assisting with audits, inspections inspections, data protection impact assessments, or DPIAs or otherwise providing any non-mandatory assistance under this DPA, may result in additional feesfees or charges. In such caseUnder these circumstances, the Processor will notify provide the Controller of its with an Order form quoting and specifying such fees for providing or charges. If Controller does not accept or execute the Order form, the Processor shall have no obligation to provide such assistance in advance, unless otherwise agreedassistance.

Controller Obligations. 5.1 The Controller represents and warrants that that: (i) it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Laws. 5.2 The Controller represents and warrants that Law; (ii) it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Laws, including requirements with regards to the transfer of Personal Data under this DPA ; and the Agreement. 5.4 All affiliates (iii) all Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 5.2 The Controller shall implement appropriate technical and organisational procedures measures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going ongoing confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.3 The Controller acknowledges and agrees that some instructions from the Controller, Controller including destruction or return of data, the Processor assisting with audits, inspections or inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, case the Processor will shall notify the Controller of its fees for providing such assistance in advanceadvance and shall be entitled to charge the Controller for its reasonable costs and expenses in providing such assistance, unless agreed otherwise agreedin writing.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms provisions of the AgreementTerms of Service, this DPA and its obligations under Data Protection Lawsall applicable data protection laws. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance will comply with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the AgreementTerms of Service. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possibleprocedures. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, data from the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAProcessor, may result in additional fees. In such case, the Processor will notify the Controller of its such fees for providing such assistance in advance, advance unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that that: (i) it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Laws. 5.2 The Controller represents and warrants that Law; (ii) it has obtained any any, and all all, necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processorsprocessors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Laws, including requirements with regards to the transfer of Personal Data under this DPA ; and the Agreement. 5.4 All affiliates (iii) all Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 5.2 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.3 The Controller acknowledges and agrees that some instructions from the Controller, Controller including destruction or return of data, the Processor assisting with audits, inspections or inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, case the Processor will shall notify the Controller of its fees for providing such assistance in advanceadvance and shall be entitled to charge the Controller for its reasonable costs and expenses in providing such assistance, unless otherwise agreedagreed otherwise.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the AgreementCustomer Terms, this DPA and its obligations under Data Protection Laws. 5.2 all applicable data protection laws. The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Subsidiaries and Sub-Sub- Processors, to execute their rights or perform their obligations under this DPA. 5.3 . The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 Customer Terms. All affiliates Subsidiaries of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 . The Controller shall has their own obligations to implement their own appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 . The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller. The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 . The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, data from the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAProcessor, may result in additional fees. In such case, the Processor will notify the Controller of its such fees for providing such assistance in advance, advance unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 All Affiliates of the Controller who use the Products shall comply with the obligations of the Controller set out in this DPA. 5.4 The Controller is responsible for compliance with Data Protection LawsLaw, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates of the Controller who use the Software shall comply with the obligations of the Controller set out in this DPAMSA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the AgreementMSA. The Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or inspections, DPIAs or providing any assistance under this DPA, may result in additional fees. In such case, the The Processor will notify shall be entitled to charge the Controller of for its fees for costs and expenses in providing any such assistance in advance, unless otherwise agreedassistance.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection LawsLaw. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations authorizations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with all Data Protection LawsLaw, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational organizational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational organizational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Controller acknowledges and agrees that the Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Lawsall applicable data protection laws. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Lawsall applicable data protection laws. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations authorizations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational organizational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: : (i) the pseudonymisation and encryption of Personal Data; ; (ii) the ability to ensure the on-going ongoing confidentiality, integrity, availability and resilience of processing systems and Software; services; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; ; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational organizational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data only processes the Personal Data on the documented instructions of the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, lawful and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAby the Processor, may result in additional fees. In such case, the Processor will notify the Controller of its fees for providing such assistance in advance, unless otherwise agreed.

Controller Obligations. 5.1 The Controller represents and warrants that it shall comply with the terms of the Agreement, this DPA and its obligations under Data Protection Lawsall applicable data protection laws. 5.2 The Controller represents and warrants that it has obtained any and all necessary permissions and authorisations necessary to permit the Processor, its affiliates Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA. 5.3 The Controller is responsible for compliance with Data Protection Lawsall applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this DPA and the Agreement. 5.4 All affiliates Affiliates of the Controller who use the Software Services shall comply with the obligations of the Controller set out in this DPA. 5.5 The Controller shall implement appropriate technical and organisational procedures to protect Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and Softwareservices; (iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In accessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. 5.6 The Controller shall take steps to ensure that any natural person acting under the authority of the Controller who has access to Personal Data does not process the Personal Data except on instructions from the Controller. 5.7 The Controller may require correction, deletion, blocking and/or making available the Personal Data during or after termination of the Agreement. The Processor will process the request to the extent it is lawful, and will reasonably fulfil such request in accordance with its standard operational procedures to the extent possible. 5.7 5.8 The Controller acknowledges and agrees that some instructions from the Controller, including destruction or return of data, data from the Processor assisting with audits, inspections or DPIAs or providing any assistance under this DPAProcessor, may result in additional fees. In such case, the Processor will notify the Controller of its such fees for providing such assistance in advance, advance unless otherwise agreed.