Common use of CUSTOMER OTHER CONTRACTUAL REQUIREMENTS Clause in Contracts

CUSTOMER OTHER CONTRACTUAL REQUIREMENTS. Relevant Convictions X Staff Vetting Procedures HM Government Baseline Personal Security Standard check, together with date checked or other Security Clearance for UK government, together with date cleared and validity. Exit Planning X Security Requirements (including details of Security Policy and any additional Customer security requirements) The Point of Access solution will be accredited, or be capable of accreditation, to include data that has an impact level of OFFICIAL - SENSITIVE. The Point of Access solution will satisfy the PSN connectivity requirements. The Point of Access solution will satisfy the GDS XXX connectivity requirements. The Point of Access solution will validate the authenticity of XXXX tokens received from external parties by verifying that they have been digitally signed by a trusted source. The Point of Access solution will be able to receive structured data (XML or JSON) and validate against a known schema. The solution will secure communications using an Extended Validation (EV) certificate so that users can verify that the service can be trusted. The solution will be able to pass structured data (XML or JSON) from a XXXX token across a bridge. The Point of Access solution will produce logs that can be passed to an external Protective Monitoring Service. The solution will timeout a user’s session after a configurable period of inactivity. Protection of Customer Data As per Clause 20 Standards Digital by digital service standard Business Continuity and Disaster Recovery As per Clause 16 Liability £1,000,000 Insurance As per Clause 16 of the Framework Agreement RM1043: “liability insurance, in respect to amounts that the Supplier would be legally liable to pay as damages, including claimant's costs and expenses, in respect of (i) accidental death or bodily injury and/or (ii) loss of or damage to property, with a minimum limit of five million pounds sterling (£5,000,000)” “Professional indemnity insurance with a minimum limit of indemnity of one million pounds sterling (£1,000,000) for each individual claim” Key Sub-Contractors Estimate Contract Charges £ ADDITIONAL AND/OR ALTERNATIVE CLAUSES Supplemental requirements in addition to the Call-Off Terms X Amendments to/refinements of the Call-Off Terms X FORMATION OF CONTRACT BY SIGNING AND RETURNING THIS ORDER FORM THE SUPPLIER AGREES to enter a Call-Off Contract under the Framework Agreement with the Customer to provide the Services. The Parties hereby acknowledge and agree that they have read the Order Form and the Call-Off Terms and by signing below agree to be bound by this Contract. In accordance with paragraph S-9 of Framework Schedule 4 (Call-Off Procedure), the Parties hereby acknowledge and agree that this Contract shall be formed when the Customer acknowledges the receipt of the signed copy of the Order Form from the Supplier within two (2) Working Days from receipt (the “Call-Off Effective Date”).

CUSTOMER OTHER CONTRACTUAL REQUIREMENTS. Relevant Convictions X The supplier must provide details of any convictions relating to professional misconduct by the Supplier or personnel employed by the Supplier undertaking this contract. Staff Vetting Procedures HM Government Baseline Personal Staff undertaking web application development at any DSTL site must hold a valid Security Standard checkClearance. The Supplier’s employees, together with date checked or other Security Clearance agents and representatives shall abide by such regulations, including security and safety regulations, as are applicable to their presence on the DSTL’s premises. A copy of those regulations will be available from DSTL on demand. Such regulations and requirements applying to the DSTL’s premises are restrictive in relation to foreign born nationals and prior written notice of such visits is required. DSTL shall have the right to require the removal of anyone disobeying such regulations and reserves the right to refuse entry to any person whom it considers unsuitable for UK government, together with date cleared and validityany reason. Exit Planning X N/A for this discovery phase only. Security Requirements (including details of Security Policy and any additional Customer security requirements) The Point For the duration of Access solution will this contract and delivery of the R-Cloud discovery phase only, all work undertaken shall not exceed the security classification of OFFICIAL. Additional security conditions may be accredited, or be capable required for subsequent phases of accreditation, to include data that has an impact level of OFFICIAL - SENSITIVE. The Point of Access solution will satisfy the PSN connectivity requirements. The Point of Access solution will satisfy the GDS XXX connectivity requirements. The Point of Access solution will validate the authenticity of XXXX tokens received from external parties by verifying that they have been digitally signed by a trusted source. The Point of Access solution will be able to receive structured data (XML or JSON) and validate against a known schema. The solution will secure communications using an Extended Validation (EV) certificate so that users can verify that the service can be trusted. The solution will be able to pass structured data (XML or JSON) from a XXXX token across a bridge. The Point of Access solution will produce logs that can be passed to an external Protective Monitoring Service. The solution will timeout a user’s session after a configurable period of inactivitythis project. Protection of Customer Data As per Clause 20 Personal Data as defined under the Data Protection Act is not required within the scope of this R-Cloud discovery phase. I.e. information, which relates to a living individual who can be identified from the data. Secure logon details will be required and need to be managed, however, this must not be in breach of the data protection act. Standards Digital by digital service standard R-Cloud must be IL3 compliant. Business Continuity and Disaster Recovery As per Clause 16 N/A Liability £1,000,000 Insurance As per Clause 16 of the Framework Agreement RM1043: “liability insurance, in respect to amounts that the Supplier would be legally liable to pay as damages, including claimant's costs and expenses, in respect of (i) accidental death or bodily injury and/or (ii) loss of or damage to property, with a minimum limit of five million pounds sterling (£5,000,000)” “Professional indemnity insurance with a minimum limit of indemnity of one million pounds sterling (£1,000,000) for each individual claim” Key Sub-Contractors N/A Estimate Contract Charges £ £TBD ADDITIONAL AND/OR ALTERNATIVE CLAUSES Supplemental requirements in addition to the Call-Off Terms X N/A Amendments to/refinements of the Call-Off Terms X N/A FORMATION OF CONTRACT BY SIGNING AND RETURNING THIS ORDER FORM THE SUPPLIER AGREES to enter a Call-Off Contract under the Framework Agreement with the Customer to provide the Services. The Parties hereby acknowledge and agree that they have read the Order Form and the Call-Off Terms and by signing below agree to be bound by this Contract. In accordance with paragraph S-9 of Framework Schedule 4 (Call-Off Procedure), the Parties hereby acknowledge and agree that this Contract shall be formed when the Customer acknowledges the receipt of the signed copy of the Order Form from the Supplier within two (2) Working Days from receipt (the “Call-Off Effective Date”).

CUSTOMER OTHER CONTRACTUAL REQUIREMENTS. Relevant Convictions X See the HM Government Baseline Personnel Security Standard check requirements Staff Vetting Procedures The Supplier shall in respect of each member (or prospective member) of the Supplier Staff to be given access to the Customer’s Assets, (defined as premises, systems, information or data), at the Commencement Date, verify the four elements within the HM Government Baseline Personal Personnel Security Standard check, together Standard. During the Contract Period (where applicable) the Supplier acknowledges that some roles may require different levels of UK Security Clearance. The Supplier shall ensure that it complies with date checked any additional staff vetting procedures or other Security Clearance for UK government, together with date cleared and validityStandards as shall be notified to it by the Customer from time to time. Exit Planning X The Customer & the Supplier will agree an exit plan during the contract period to enable the supplier deliverables to be transferred to the customer ensuring that the Customer has all code & documentation required to support & continuous develop the service with customer resource or any 3rd party as the Customer requires Security Requirements (including details of Security Policy and any additional Customer security requirements) The Point of Access solution Any security requirements in line with DWP Security Policy that are specifically required for this project will be accredited, or be capable of accreditation, to include data that has shared on an impact level of OFFICIAL - SENSITIVE. The Point of Access solution will satisfy the PSN connectivity requirements. The Point of Access solution will satisfy the GDS XXX connectivity requirements. The Point of Access solution will validate the authenticity of XXXX tokens received from external parties by verifying that they have been digitally signed by a trusted source. The Point of Access solution will be able to receive structured data (XML or JSON) and validate against a known schema. The solution will secure communications using an Extended Validation (EV) certificate so that users can verify that the service can be trusted. The solution will be able to pass structured data (XML or JSON) from a XXXX token across a bridge. The Point of Access solution will produce logs that can be passed to an external Protective Monitoring Service. The solution will timeout a user’s session after a configurable period of inactivityas required basis. Protection of Customer Data As per Clause See clause 20 Standards Digital by digital service standard Default Service Standard HMG Baseline Personnel Security Standard Business Continuity and Disaster Recovery As per Clause 16 All supplier staff must adhere to the DH business continuity & disaster recovery procedure as required in the delivery of services for this project Liability £One million pounds £1,000,000 in any one Contract Year Insurance As per Clause 16 of the Framework Agreement RM1043: “liability insurance, in respect to amounts that the Supplier would be legally liable to pay as damages, including claimant's costs and expenses, in respect of (i) accidental death or bodily injury and/or (ii) loss of or damage to property, with a minimum limit of five million pounds sterling (£5,000,000)” “Professional indemnity insurance with a minimum limit of indemnity of one million pounds sterling (£1,000,000) for each individual claim” Key Sub-Contractors Estimate Contract Charges £ ADDITIONAL AND/OR ALTERNATIVE CLAUSES Supplemental requirements in addition to the Call-Off Terms X N/A Amendments to/refinements of the Call-Off Terms X N/A FORMATION OF CONTRACT BY SIGNING AND RETURNING THIS ORDER FORM THE SUPPLIER AGREES to enter a Call-Off Contract under the Framework Agreement with the Customer to provide the Services. The Parties hereby acknowledge and agree that they have read the Order Form and the Call-Off Terms and by signing below agree to be bound by this Contract. In accordance with paragraph S-9 of Framework Schedule 4 (Call-Off Procedure), the Parties hereby acknowledge and agree that this Contract shall be formed when the Customer acknowledges the receipt of the signed copy of the Order Form from the Supplier within two (2) Working Days from receipt (the “Call-Off Effective Date”).

CUSTOMER OTHER CONTRACTUAL REQUIREMENTS. Relevant Convictions X The Supplier will adhere to the standard CPNI (Centre for the Protection of National Infrastructure) checking standards. Staff Vetting Procedures HM Government Baseline Personal Security Standard check, together with date checked or other Security Clearance The Supplier will adhere to the standard CPNI (Centre for UK government, together with date cleared and validitythe Protection of National Infrastructure) checking standards. Exit Planning X The Supplier will require an exit strategy which should highlight the key areas which would benefit from a hand over ensuring skills and knowledge are passed from supplier to the Customers team. This will include guidance on how to update basic information within the CMS, guidance on the infrastructure and how for continuity purposes to edit live information. Security Requirements (including details of Security Policy and any additional Customer security requirements) The Point of Access solution will be accredited, or be capable of accreditation, to include 256 bit encryption standard for person identifiable data that has an impact level of OFFICIAL - SENSITIVE. The Point of Access solution will satisfy the PSN connectivity requirements. The Point of Access solution will satisfy the GDS XXX connectivity requirements. The Point of Access solution will validate the authenticity of XXXX tokens received from external parties by verifying that they have been digitally signed by a trusted source. The Point of Access solution will be able to receive structured data (XML or JSON) and validate against a known schema. The solution will secure communications using an Extended Validation (EV) certificate so that users can verify that the service can be trusted. The solution will be able to pass structured data (XML or JSON) from a XXXX token across a bridge. The Point of Access solution will produce logs that can be passed to an external Protective Monitoring Service. The solution will timeout a user’s session after a configurable period of inactivity. Protection of Customer Data As per Clause 20 The supplier agrees to employ the appropriate organisational, operational and technological processes and procedures to keep the customer data safe from unauthorised use or access, loss, destruction, theft or disclosure. The organisational, operational and technological processes and procedures adopted are required to comply with the requirements of ISO/IEC 27001 as appropriate to the services being provided. Standards Digital by digital service standard Business Continuity and Disaster Recovery As per Clause 16 The new system developed by the supplier will require a disaster recovery approach captured in a clear disaster recovery plan which will provide assurance on recovery and the roles and actions included. Liability £1,000,000 Insurance As per Clause 16 of the Framework framework Agreement RM1043: “liability insurance, in respect to amounts that the Supplier would be legally liable to pay as damages, including claimant's costs and expenses, in respect of (i) accidental death or bodily injury and/or (ii) loss of or damage to property, with a minimum limit of five million pounds sterling (£5,000,000)” “Professional indemnity insurance with a minimum limit of indemnity of one million pounds sterling (£1,000,000) for each individual claim” Key Sub-Contractors Click to enter text. Estimate Contract Charges £ £Click to enter text. ADDITIONAL AND/OR ALTERNATIVE CLAUSES Supplemental requirements in addition to the Call-Off Terms X NA Amendments to/refinements of the Call-Off Terms X NA FORMATION OF CONTRACT BY SIGNING AND RETURNING THIS ORDER FORM THE SUPPLIER AGREES to enter a Call-Off Contract under the Framework framework Agreement with the Customer to provide the Services. The Parties hereby acknowledge and agree that they have read the Order Form and the Call-Off Terms and by signing below agree to be bound by this Contract. In accordance with paragraph S-9 of Framework framework Schedule 4 (Call-Off Procedure), the Parties hereby acknowledge and agree that this Contract shall be formed when the Customer acknowledges the receipt of the signed copy of the Order Form from the Supplier within two (2) Working Days from receipt (the “Call-Off Effective Date”).

CUSTOMER OTHER CONTRACTUAL REQUIREMENTS. Relevant Convictions X None. Staff Vetting Procedures HM Government Vetting will be required for staff, please see Appendix C, Baseline Personal Security Standard personal security check, together with date checked or other Security Clearance for UK government, together with date cleared and validity. Exit Planning X As per Appendix C, overall technical solution, suppliers are invited to propose an offboarding solution for the end of the contract. Security Requirements (including details of Security Policy and any additional Customer security requirements) The Point of Access This is a secure transaction and as per Appendices A and C, suppliers will need to produce a secure solution which will be accredited, or be capable of accreditation, to include data that has an impact level of OFFICIAL - SENSITIVEPenetration tested by CHECK-accredited testers. The Point of Access solution will satisfy the PSN connectivity requirements. The Point of Access solution will satisfy the GDS XXX connectivity requirements. The Point of Access solution will validate the authenticity of XXXX tokens received from external parties by verifying that they have been digitally signed by a trusted source. The Point of Access solution A security consultant will be able available throughout the project for advice and suppliers are encouraged to receive structured data (XML or JSON) and validate against a known schema. The solution will secure communications using an Extended Validation (EV) certificate so that users can verify that the service can be trusted. The solution will be able to pass structured data (XML or JSON) from a XXXX token across a bridge. The Point of Access solution will produce logs that can be passed to an external Protective Monitoring Service. The solution will timeout a user’s session after a configurable period of inactivityuse him. Protection of Customer Data As per Clause 20 Appendix C, overall technical solution, suppliers are asked to keep data as secure as possible and to delete it as soon as it is no longer needed. Standards Digital by digital default service standard Business Continuity and Disaster Recovery As per Clause 16 Click to enter text. Liability £1,000,000 Insurance As per Clause 16 of the Framework framework Agreement RM1043: “liability insurance, in respect to amounts that the Supplier would be legally liable to pay as damages, including claimant's costs and expenses, in respect of (i) accidental death or bodily injury and/or (ii) loss of or damage to property, with a minimum limit of five million pounds sterling (£5,000,000)” “Professional indemnity insurance with a minimum limit of indemnity of one million pounds sterling (£1,000,000) for each individual claim” Key Sub-Contractors Click to enter text. Estimate Contract Charges £ £Click to enter text. ADDITIONAL AND/OR ALTERNATIVE CLAUSES Supplemental requirements in addition to the Call-Off Terms X Click to enter text. Amendments to/refinements of the Call-Off Terms X Click to enter text. FORMATION OF CONTRACT BY SIGNING AND RETURNING THIS ORDER FORM THE SUPPLIER AGREES to enter a Call-Off Contract under the Framework framework Agreement with the Customer to provide the Services. The Parties hereby acknowledge and agree that they have read the Order Form and the Call-Off Terms and by signing below agree to be bound by this Contract. In accordance with paragraph S-9 of Framework framework Schedule 4 (Call-Off Procedure), the Parties hereby acknowledge and agree that this Contract shall be formed when the Customer acknowledges the receipt of the signed copy of the Order Form from the Supplier within two (2) Working Days from receipt (the “Call-Off Effective Date”).