Common use of Data Processing Clause in Contracts

Data Processing. 12.1 In this Clause 12, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in the Data Protection Legislation. 12.2 The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 12 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations. 12.3 For the purposes of the Data Protection Legislation and for this Clause 12, the Service Provider is the “Data Processor” and the Client is the “Data Controller”. 12.4 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement. 12.5 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement: 12.5.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law; 12.5.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. 
Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures.; 12.5.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; 12.5.4 Not transfer any personal data outside of the UK without the prior written consent of the Data Controller and only if the following conditions are satisfied: 12.5.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data; 12.5.4.2 Affected data subjects have enforceable rights and effective legal remedies; 12.5.4.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and 12.5.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data. 
12.5.5 Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office); 12.5.6 Notify the Data Controller without undue delay of a personal data breach; 12.5.7 On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law; and 12.5.8 Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 12 and to allow for audits by the Data Controller and/or any party designated by the Data Controller. 12.7 The Data Processor shall not sub-contract any of its obligations to a sub-contractor with respect to the processing of personal data under this Clause 13 without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-contractor, the Data Processor shall: 12.7.1 Enter into a written agreement with the sub-contractor, which shall impose upon the sub-contractor the same obligations as are imposed upon the Data Processor by this Clause 13 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and 12.7.2 Ensure that the sub-contractor complies fully with its obligations under that agreement and the Data Protection Legislation. 
12.8 Either Party may, at any time, and on at least 30 calendar days’ notice, alter this Clause 13, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment to this Agreement.

Appears in 3 contracts

Samples: Standard Service Agreement, Standard Service Agreement, Standard Service Agreement

Data Processing. To the extent Client, in its use of the Anaplan Service, submits Personal Data to Anaplan, then as Data Processor, Anaplan shall: (a) Process Personal Data as a Data Processor in accordance with Client’s documented instructions as set out in this Agreement/Order unless required to do otherwise by European Union, English or Member State law to which Anaplan is subject (in which case Anaplan shall inform the Client of that legal requirement before Processing unless that law prohibits such information on important grounds of public interest); (b) taking into the account the state of the art, the costs of implementation and the nature scope context and purposes of processing as well as the risk of the varying likelihood and severity of rights and freedoms of natural persons in relation to the Personal Data implement appropriate technical and organizational measures to protect Personal Data against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, access or Processing of Personal Data, including as appropriate pseudonymisation and encryption of Personal Data provided that if the Client requests and Anaplan agrees to any additional specific requirements over and above the Anaplan measures referred to in paragraph 7 below the Client shall pay for Anaplan’s reasonable cost and expenses charged at Anaplan’s standard rates (provided that Anaplan shall (i) notify Client in advance that such change is chargeable, (ii) provide Client with an estimate of such charges; and (iii) not incur any such charges without the Client’s written approval); (c) to the extent Client is unable to correct, amend, block or delete Personal Data contained in the Anaplan Service, assist with any lawful and commercially reasonable request by Client to facilitate such actions (and the Client shall pay for Anaplan’s reasonable cost and expenses at Anaplan’s standard rates (provided that Anaplan shall (i) notify Client in advance that such change is chargeable; (ii) provide Client with an estimate of such charges; and (iii) not incur any such charges without the Client’s written approval); (d) notify Client if receives a request from a Data Subject for access to, correction, amendment or deletion of that Data Subject's Personal Data; (e) not respond to any request from a Data Subject without Client's prior

Appears in 2 contracts

Samples: Data Processing Addendum, Data Processing Addendum

Data Processing. 12.1 In this Clause 12, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in the Data Protection Legislation. 12.2 The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 12 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations. 12.3 For the purposes of the Data Protection Legislation and for this Clause 12, the Service Provider is the “Data Processor” and the Client is the “Data Controller”. 12.4 The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing are set out in Schedule 3. 12.5 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement. 12.6 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement: 12.6.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law; 12.6.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures. 
Measures to be taken are set out in Schedule 3; 12.6.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; 12.6.4 Not transfer any personal data outside of the UK without the prior written consent of the Data Controller and only if the following conditions are satisfied: 12.6.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data; 12.6.4.2 Affected data subjects have enforceable rights and effective legal remedies; 12.6.4.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and 12.6.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data. 
12.6.5 Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office); 12.6.6 Notify the Data Controller without undue delay of a personal data breach; 12.6.7 On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law; and 12.6.8 Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 12 and to allow for audits by the Data Controller and/or any party designated by the Data Controller. 12.7 The Data Processor shall not sub-contract any of its obligations to a sub-contractor with respect to the processing of personal data under this Clause 13 without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-contractor, the Data Processor shall: 12.7.1 Enter into a written agreement with the sub-contractor, which shall impose upon the sub-contractor the same obligations as are imposed upon the Data Processor by this Clause 13 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and 12.7.2 Ensure that the sub-contractor complies fully with its obligations under that agreement and the Data Protection Legislation. 
12.8 Either Party may, at any time, and on at least 30 calendar days’ notice, alter this Clause 13, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment to this Agreement.

Appears in 1 contract

Samples: Service Agreement

Data Processing. 12.1 In this Clause 12, “personal data”, “data subject”, “data controller”, “data processor”19.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 19 is in addition to, and “personal data breach” shall have the meaning defined in does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 12.2 19.2 The Parties hereby agree parties acknowledge that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 12 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations. 12.3 For for the purposes of the Data Protection Legislation and for this Clause 12Legislation, the Service Provider Authority is the “Data Processor” Controller and the Client Supplier is the Processor. Schedule 9 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data Controller”and categories of Data Subject. 12.4 The Data Controller shall 19.3 Without prejudice to the generality of clause 19.1, the Authority will ensure that it has in place all necessary appropriate consents and notices required in place to enable the lawful transfer of personal data the Personal Data to the Data Processor Supplier for the duration and purposes described in of this Agreement. 
12.5 The Data Processor 19.4 Without prejudice to the generality of clause 19.1, the Supplier shall, with respect to any personal data processed by it in relation to its any Personal Data processed in connection with the performance of any by the Supplier of its obligations under this Agreement: 12.5.1 Process the personal data 19.4.1 process that Personal Data only on the documented written instructions of the Data Controller Authority which are set out in Schedule 10, unless the Data Processor Supplier is required by Domestic Law to otherwise required to process such personal data by lawthat Personal Data. The Data Processor Where the Supplier is relying on Domestic Law as the basis for processing Personal Data, the Supplier shall promptly notify the Data Controller Authority of such this before performing the processing required by Domestic Law unless prohibited the Domestic Law prohibits the Supplier from doing so by lawnotifying the Customer; 12.5.2 Ensure 19.4.2 ensure that it has in place suitable appropriate technical and organisational measures (as defined in the Data Protection Legislation), reviewed and approved by the Data Controller) Authority, to protect the personal data from against unauthorised or unlawful processingprocessing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage or destruction. 
Such measures shall and the nature of the data to be proportionate protected, having regard to the potential harm resulting from such events, taking into account the current state of the art in technology technological development and the cost of implementing any measures (those measures.measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 12.5.3 Ensure 19.4.3 ensure that any and all staff with personnel who have access to the personal data (whether for processing purposes or otherwise) and/or process Personal Data are contractually obliged to keep that personal data the Personal Data confidential; 12.5.4 Not 19.4.4 not transfer any personal data Personal Data outside of the UK without unless the prior written consent of the Data Controller Authority has been obtained and only if the following conditions are satisfiedfulfilled: 12.5.4.1 The Data Controller and/or (a) the Authority or the Supplier has provided appropriate safeguards in relation to the transfer; (b) the Data Processor has/have provided suitable safeguards for the transfer of personal data; 12.5.4.2 Affected data subjects have Subject has enforceable rights and effective legal remedies; 12.5.4.3 The Data Processor (c) the Supplier complies with its obligations under the Data Protection Legislation, Legislation by providing an adequate level of protection to any and all personal data so Personal Data that is transferred; and 12.5.4.4 The Data Processor (d) the Supplier complies with all the reasonable instructions given notified to it in advance by the Data Controller Authority with respect to the processing of the personal data.Personal Data; 12.5.5 
Assist 19.4.5 notify the Authority immediately if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; (b) a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Controller at Protection Legislation (including any communication from the Data Controller’s cost, Information Commissioner); 19.4.6 assist the Authority in responding to any and all requests request from data subjects a Data Subject and in ensuring its compliance with the Authority's obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments, assessments and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office)regulators; 12.5.6 Notify 19.4.7 notify the Data Controller Authority without undue delay on becoming aware of a personal data breachPersonal Data Breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this Agreement; 12.5.7 On 19.4.8 at the Data Controller’s written instructiondirection of the Authority, delete (or otherwise dispose of) or return all personal data Personal Data and any and all copies thereof to the Data Controller Authority on termination or expiry of this the Agreement unless it is required by Domestic Law to retain any of store the personal data by law; andPersonal Data; 12.5.8 Maintain 19.4.9 maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary information to demonstrate its compliance with this Clause 12 clause 19 and to allow for audits by the Data Controller and/or any party Authority or the Authority's designated by auditor pursuant to clause 21 and immediately inform the Data Controller. 
12.7 The Data Processor shall not sub-contract any of its obligations to a sub- contractor with respect to Customer if, in the processing of personal data under this Clause 13 without the prior written consent opinion of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-contractorSupplier, the Data Processor shall: 12.7.1 Enter into a written agreement with the sub-contractor, which shall impose upon the sub-contractor the same obligations as are imposed upon the Data Processor by this Clause 13 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and 12.7.2 Ensure that the sub-contractor complies fully with its obligations under that agreement and an instruction infringes the Data Protection Legislation. 12.8 Either Party may, at 19.5 Where the Supplier wishes to appoint a subprocessor to process any time, and on at least 30 calendar days’ notice, alter this Clause 13, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment Personal Data relating to this Agreement, such subprocessor shall constitute a Sub-Contractor and the Supplier shall: 19.5.1 notify the Authority in writing of the intended processing by the Sub- Contractor; 19.5.2 obtain prior written consent from the Authority; 19.5.3 enter into a written agreement incorporating terms which are substantially similar to those set out in this clause 19. 
20.1 The provisions of this clause do not apply to any Confidential information: 20.1.1 is or becomes available to the public (other than as a result of its disclosure by the receiving party or its Representatives in breach of this clause); 20.1.2 was available to the receiving party on a non-confidential basis before disclosure by the disclosing party; 20.1.3 was, is, or becomes available to the receiving party on a non-confidential basis from a person who, to the receiving party's knowledge, is not bound by a confidentiality agreement with the disclosing party or otherwise prohibited from disclosing the information to the receiving party; 20.1.4 the parties agree in writing is not confidential or may be disclosed; 20.1.5 which is disclosed by the Authority on a confidential basis to any central government or regulatory body. 20.2 Each party shall keep the other party's Confidential Information secret and confidential and shall not: 20.2.1 use such Confidential Information except for the purpose of exercising or performing its rights and obligations under or in connection with this Agreement (Permitted Purpose); or 20.2.2 disclose such Confidential information in whole or in part to any third party, except as expressly permitted by this clause 20. 20.3 A party may disclose the other party's Confidential information to those of its Representatives who need to know such Confidential Information for the Permitted Purpose, provided that: 20.3.1 it consults the other party in advance and informs such Representatives of the confidential nature of the Confidential Information before disclosure; and 20.3.2 it procures that its Representatives shall, in relation to any Confidential Information disclosed to them, comply with the obligations set out in this clause as if they were a party to this Agreement, 20.3.3 and at all times, it is liable for the failure of any Representatives to comply with the obligations set out in this clause 20.2. 
20.4 A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law (including under the FOIA or EIRs), by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of its intent to make such disclosure as possible and provides an opportunity for the other party to make representations before deciding whether to disclose.

Appears in 1 contract

Samples: Agreement in Relation to the Provision of Certain Services Under Regulation 12 of the Public Contracts Regulations 2015

Data Processing. 12.1 In 4.1 The parties acknowledge that, where this Clause 12, “personal data”, “data subject”, “data controller”, “data processor”, clause 4 applies and “personal data breach” shall have the meaning defined in the Data Protection Legislation. 12.2 The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 12 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations. 12.3 For for the purposes of the Data Protection Legislation and for this Clause 12Legislation, the Service Provider is the “Data Processor” and the Client is the “Data Controller”controller, and The Company is the processor. Appendix 1 sets out the scope, nature, and purpose of processing by The Company, the duration of the processing and the types of personal data and categories of data subject. 12.4 4.2 Without prejudice to the generality of clause 4.1, the Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the personal data to The Data Controller Company and/or lawful collection of the personal data by The Company on behalf of the Client for the duration and purposes of the Contract. 4.3 Without prejudice to the generality of clause 4.1, The Company shall, in relation to any personal data processed in connection with the performance by The Company of its obligations under this agreement: (a) process that personal data only on the documented written instructions of the Client unless The Company is required by Applicable Law to otherwise process that personal data. 
Where The Company is relying on Applicable Law as the basis for processing personal data, The Company shall promptly notify the Client of this before performing the processing required by the Applicable Law unless the Applicable Law prohibits The Company from so notifying the Client; (b) ensure that it has in place all necessary consents appropriate technical and notices required organisational measures, reviewed and approved by the Client , to enable the lawful transfer protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data, appropriate to the Data Processor for harm that might result from the purposes described in this Agreement. 12.5 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement: 12.5.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law; 12.5.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, processing or accidental loss, destruction or damage or destruction. 
and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); (c) ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential; and (d) not transfer any personal data outside of the UK unless the prior written consent of the Client has been obtained and the following conditions are fulfilled: (i) the Client or The Company has provided appropriate safeguards in relation to the transfer; (ii) the data subject has enforceable rights and effective legal remedies; (iii) The Company complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any personal data that is transferred; and (iv) The Company complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the personal data; (e) assist the Client, at the Client's cost, in responding to any request from a data subject and in ensuring its compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators; (f) notify the Client without undue delay on becoming aware of a personal data breach; (g) at the written direction of the Client, delete or return personal data and copies thereof to the Client on termination of the agreement unless required by Applicable Law to store the personal data; and (h) maintain complete and accurate records and information to demonstrate its compliance with this clause 4.3.
4.4 The Client consents to The Company appointing third party processors of personal data under the Contract. The Company confirms that it will use reasonable endeavours when it enters into written agreements with third party processors to incorporate terms which are substantially similar to those set out in this clause 4.4 and which The Company undertakes will continue to reflect the requirements of the Data Protection Legislation. As between the Client and The Company, the Company shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this clause 4.4.
4.5 Either party may, at any time on not less than 30 (thirty) days’ notice, revise this clause 4 by replacing it with any applicable controller to processor standard clauses or similar terms adopted under the Data Protection Legislation or forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

Appears in 1 contract

Samples: Contract for the Supply of Solution Services

Data Processing. 4.1 The Supplier shall notify the Practice immediately if it considers that any of the Practice's instructions infringe the Data Protection Legislation.
4.2 The Supplier shall provide all reasonable assistance to the Practice in the preparation of any Data Protection Impact Assessment prior to commencing any Processing. Such assistance may, at the discretion of the Practice, include: (a) a systematic description of the envisaged Processing operations and the purpose of the Processing; (b) an assessment of the necessity and proportionality of the Processing operations in relation to the Services; (c) an assessment of the risks to the rights and freedoms of Data Subjects; and (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of the Data.
4.3 The Supplier shall, in relation to any Data Processed in connection with its obligations under this Agreement and the Services Contract: (a) Process that Data only in accordance with Table A set out in Schedule 2, unless the Supplier is required to do otherwise by Law. If it is so required the Supplier shall, unless prohibited by Law, promptly notify the Practice before Processing the Data; (b) Process the Data only to the extent necessary for the purpose of providing the Services and in accordance with the Practice’s written instructions (including with respect to transfers of Data to a Third Country); (c) ensure that it has in place Protective Measures, which have been reviewed and approved by the Practice as appropriate to protect against a Data Loss Event having taken account of the: (i) nature of the Data to be protected; (ii) harm that might result from a Data Loss Event; (iii) state of technological development; and (iv) cost of implementing any measures; (d) ensure that: (i) the Supplier Personnel do not Process Data except in accordance with this Agreement (and in particular Table A); (ii) it takes all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Data and ensure that they: (A) are aware of and comply with the Supplier’s duties under this Agreement and the Services Contract; (B) are subject to appropriate confidentiality undertakings with the Supplier or any Sub-processor; (C) are informed of the confidential nature of the Data and do not publish, disclose or divulge any of the Data to any third party unless directed in writing to do so by the Practice or as otherwise permitted by this Agreement; and (D) have undergone adequate training in the use, care, protection and handling of Personal Data including data security awareness training in accordance with the requirements of the NHS Data Security and Protection Toolkit; (e) not Process in, or otherwise transfer any Data to, a Third Country unless the prior written consent of the Practice has been obtained and the following conditions are fulfilled: (i) the Practice or the Supplier has provided appropriate safeguards in relation to the transfer (whether in accordance with Article 46 of the GDPR or Article 37 of the Law Enforcement Directive (Directive (EU) 2016/680)) as determined by the Authority; (ii) the Data Subject has enforceable rights and effective legal remedies; (iii) the Supplier complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Data that is transferred (or, if it is not so bound, uses its best endeavours to assist the Practice in meeting its obligations); and (iv) the Supplier complies with any reasonable instructions notified to it in advance by the Practice with respect to the Processing of the Data; (f) on termination of the Services Contract or the completion of the Processing envisaged under this Agreement, request in writing instructions from the Practice as to the return or destruction of any Data provided to the Supplier under this Agreement. The Supplier acknowledges that it may be required to retain the Data for up to three months upon completion of the Processing. Where further to the Practice’s directions the Supplier is to destroy the Data, the Supplier shall also delete such Data (to the fullest extent possible) from the Supplier’s systems. The Supplier may only retain any Data where required to do so by Law.
4.4 Subject to Clause 5.6, the Supplier shall notify the Practice immediately if it: (a) receives a Data Subject Access Request (or purported Data Subject Access Request); (b) receives a request to rectify, block or erase any Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Protection Legislation; (d) receives any communication from the Information Commissioner or any other regulatory authority in connection with any Data Processed under this Agreement; (e) receives a request from any third party for disclosure of any Data where compliance with such request is required or purported to be required by Law; or (f) becomes aware of a Data Loss Event.
4.5 The Supplier’s obligation to notify under Clause 5.5 shall include the provision of further information to the Practice in phases, as details become available.
4.6 Taking into account the nature of the Processing, the Supplier shall provide the Practice with full assistance in relation to either Party's obligations under Data Protection Legislation and any complaint, communication or request made under Clause 5.5 (and insofar as possible within the timescales reasonably required by the Practice) including by promptly providing: (a) the Practice with full details and copies of the complaint, communication or request; (b) such assistance as is reasonably requested by the Practice to enable the Practice to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation; (c) the Practice, at its request, with any Data it holds in relation to a Data Subject; (d) assistance as requested by the Practice following any Data Loss Event; (e) assistance as requested by the Practice with respect to any request from the Information Commissioner’s Office, or any consultation by the Practice with the Information Commissioner's Office.
4.7 The Supplier shall maintain complete and accurate records and information to demonstrate its compliance with this Agreement and in particular this Clause 5.
4.8 The Supplier shall allow for audits of its Processing activity by the Practice or the Practice’s designated auditor.
4.9 The Supplier shall designate a Data Protection Officer if required by the Data Protection Legislation.
4.10 Before allowing any Sub-processor to Process any Personal Data related to this Contract, the Supplier must: (a) notify the Practice in writing of the intended Sub-processor and Processing; (b) obtain the written consent of the Practice; (c) enter into a written agreement with the Sub-processor which gives effect to the terms set out in this Agreement such that they apply to the Sub-processor; and (d) provide the Practice with such information regarding the Sub-processor as the Practice may reasonably require.
4.11 The Supplier shall remain fully liable for all acts or omissions of any Sub-processor.
4.12 The Practice may, at any time on not less than 30 Business Days’ notice, revise this Clause 4 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when incorporated by attachment to this Agreement).
4.13 The Parties agree to take account of any guidance issued by the Information Commissioner’s Office. The Practice may on not less than 30 Business Days’ notice to the Supplier amend this Clause 5 to ensure that it complies with any guidance issued by the Information Commissioner’s Office.

Appears in 1 contract

Samples: Data Processing Agreement

Data Processing. 15.1 In this Clause 15, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in the Data Protection Legislation.
15.2 The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 15 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations.
15.3 For the purposes of the Data Protection Legislation and for this Clause 15, the Client is the “Data Controller” and the Service Provider is the “Data Processor”.
15.4 The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing are set out in Schedule 4.
15.5 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement.
15.6 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement: 15.6.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law; 15.6.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures. Measures to be taken are set out in Schedule 4; 15.6.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; 15.6.4 Not transfer any personal data outside of the UK without the prior written consent of the Data Controller and only if the following conditions are satisfied: 15.6.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data; 15.6.4.2 Affected data subjects have enforceable rights and effective legal remedies; 15.6.4.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and 15.6.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data; 15.6.5 Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office); 15.6.6 Notify the Data Controller without undue delay of a personal data breach; 15.6.7 On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law; and 15.6.8 Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 15 and to allow for audits by the Data Controller and/or any party designated by the Data Controller.
15.7 The Data Processor shall not sub-contract any of its obligations to a sub-contractor with respect to the processing of personal data under this Clause 15 without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-contractor, the Data Processor shall: 15.7.1 Enter into a written agreement with the sub-contractor, which shall impose upon the sub-contractor the same obligations as are imposed upon the Data Processor by this Clause 15 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and 15.7.2 Ensure that the sub-contractor complies fully with its obligations under that agreement and the Data Protection Legislation.
15.8 Either Party may, at any time, and on at least 30 calendar days’ notice, alter this Clause 15, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment to this Agreement.

Appears in 1 contract

Samples: It Support Service Level Agreement

Data Processing. 3.1 The Data Processor shall ensure that its internal operating systems only permit properly authorised personnel to access Personal Data.
3.2 The Data Processor shall provide appropriate training to its personnel with respect to: (i) the correct handling of Personal Data so as to minimise the risk of security breaches; and (ii) the requirements of the applicable Data Protection Laws.
3.3 The Data Processor acknowledges and agrees that it will: (i) only Process Personal Data in accordance with the Data Controller’s written instructions including with regard to transfers of personal data to a Third Country or an international organisation (which may be specific instructions or instructions of a general nature as set out in the terms or as otherwise notified by the Data Controller to the Data Processor from time to time and the Data Controller shall ensure that it gives only lawful written instructions); (ii) only use, reproduce or otherwise Process any Personal Data collected in connection with providing the Services to the extent necessary to provide the Services; (iii) not modify, amend or alter the contents of the Personal Data, except as directed by the Data Controller; (iv) not, without the Data Controller’s written approval, Process any Personal Data on any Data Processor systems on which data (including any Personal Data) is Processed for any person outside of the Data Controller; and (v) implement and maintain a system for logging and identifying all Data Processor personnel accessing any Personal Data through Data Processor systems and if requested by the Data Controller, the Data Processor shall provide to the Data Controller a copy of the access log.
3.4 The Data Processor shall implement appropriate technical and organisational measures (in particular those required under the GDPR) to assure a level of security appropriate to the risk to the security of Personal Data, in particular, from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data in accordance with the Data Processor’s obligations under Data Protection Laws (the “Security Measures”). The Security Measures may also include as appropriate: (i) the pseudonymisation and encryption of Personal Data; (ii) the ability to ensure the ongoing confidentiality, integrity and availability of the Personal Data and resilience of the Data Processor systems used for such Processing; (iii) the ability to restore the availability and access to the Personal Data, in a timely manner but no later than forty eight (48) hours, in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
3.5 The Data Controller may notify the Data Processor immediately in the event that it does not consider that the Security Measures ensure an appropriate level of security for Personal Data and the Data Controller shall notify the Data Processor of any additional or amended security controls or measures which the Data Controller considers in its reasonable opinion is necessary to ensure compliance with Data Protection Laws. The Data Processor agrees to implement such additional security controls or measures.
3.6 The Data Processor agrees and warrants that the Security Measures are appropriate to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and that these measures shall ensure a level of security appropriate to the risks presented by the Processing and the nature of the Personal Data to be protected having regard to the state of the art and the cost of their implementation.
3.7 Without limiting the Data Processor's other obligations under this Clause 3.7, the Data Processor: (i) may disclose Personal Data to its personnel but only those who: a) need to know for the purpose of providing the Services (and only to that extent); b) have been trained in accordance with Clause 3.2; c) are subject to a binding contract to keep the Personal Data confidential (or are under an appropriate statutory obligation of confidentiality), and (ii) may only disclose Personal Data to any other person with the prior written consent of the Data Controller, and, where the Data Controller provides its consent, only where the person is subject to a binding commitment to keep the Personal Data confidential (or are under an appropriate statutory obligation of confidentiality).
3.8 If the Data Processor or Data Processor personnel are required by Law and/or an order of any court or competent jurisdiction or any regulatory, judicial or governmental body to disclose the Personal Data, the Data Processor shall, except where prohibited by Law, first: (i) give the Data Controller notice of the details of the proposed disclosure; (ii) give the Data Controller a reasonable opportunity to take any steps it considers necessary to protect the confidentiality of the Personal Data including but not limited to seeking such judicial redress as the Data Controller may see fit in the circumstances; (iii) give any assistance reasonably required by the Data Controller to protect the confidentiality of the Personal Data; and (iv) inform the proposed disclosee that the information is confidential.
3.9 Without limiting the Data Processor's other obligations under these terms, the Data Processor shall not engage any third-party processors to Process Personal Data without the prior written consent of the Data Controller. If the Data Processor engages any third party to Process any Personal Data, the Data Processor shall impose on such third party, by means of a written contract, the same data protection obligations as set out in these terms.
3.10 The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of any third-party processors and shall not make any such changes without the prior written consent of the Data Controller.
3.11 The Data Processor shall remain liable to the Data Controller for Processing by such third parties as if the Processing was being conducted by the Data Processor.
3.12 The Data Processor acknowledges and agrees that the Data Processor or Data Processor personnel may not transfer Personal Data to any Third Country except to the extent that the transfer is expressly approved by the Data Controller in writing. If personal data processed under these terms is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

Appears in 1 contract

Samples: Data Processing Agreement

Data Processing. 12.1 In this clause 12 and in the Agreement, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in Chapter 2, Data Protection Act 2018.
12.2 Both Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. Neither this Clause 13 nor the Agreement shall relieve either Party of any obligations set out in the Data Protection Legislation and shall not remove or replace any of those obligations.
12.3 For the purposes of the Data Protection Legislation and for this Clause 13 and the Agreement, the Service Provider is the “Data Processor” and the Client is the “Data Controller”.
12.4 The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing shall be set out in a Schedule to the Agreement.
12.5 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in [these Terms and Conditions] AND/OR [the Agreement] [and the Schedule to the Agreement].
12.6 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under [these Terms and Conditions] AND/OR [the Agreement]: 12.6.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law. 12.6.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures. Measures to be taken shall be agreed between the Data Controller and the Data Processor and set out in the Schedule to the Agreement; 12.6.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; and 12.6.4 Not transfer any personal data outside of the UK, European Economic Area and India without the prior written consent of the Data Controller and only if the following conditions are satisfied: 12.6.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data; 12.6.4.2 Affected data subjects have enforceable rights and effective legal remedies; 12.6.4.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and 12.6.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data. 12.6.4.5 The Data Processor complies with the Data Protection Legislation.
12.8 Either Party may, at any time, and on at least 30 calendar days’ notice, alter this Clause 13, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment to this Agreement. Standard Contractual Clauses set out in Schedule 1

Appears in 1 contract

Samples: Master Services Agreement

Data Processing. 12.1 29.1 In this Clause 1229 and in the Agreement, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in Article 4 of the Data Protection LegislationUK GDPR. 12.2 The 29.2 Both Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 12 The Agreement shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations. 12.3 29.3 For the purposes of the Data Protection Legislation and for this Clause 1229 and the Agreement, the Customer is the “Data Controller” and the Service Provider is the “Data Processor” and the Client is the “Data Controller”. 12.4 29.4 The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing shall be set out Schedule 4 of this Agreement. 29.5 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this AgreementSchedule 4. 12.5 29.6 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this the Agreement: 12.5.1 29.6.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law;. 12.5.2 29.6.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. 
Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures.; 12.5.3 29.6.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential;; and 12.5.4 29.6.4 Not transfer any personal data outside of the UK without the prior written consent of the Data Controller and only if the following conditions are satisfied: 12.5.4.1 29.6.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data; 12.5.4.2 29.6.4.2 Affected data subjects have enforceable rights and effective legal remedies; 12.5.4.3 29.6.4.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and 12.5.4.4 29.6.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data. 
12.5.5 29.6.5 Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office); 12.5.6 29.6.6 Notify the Data Controller without undue delay of a personal data breach; 12.5.7 29.6.7 On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this the Agreement unless it is required to retain any of the personal data by law; and 12.5.8 29.6.8 Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 12 the Agreement and to allow for audits by the Data Controller and/or any party designated by the Data Controller. 12.7 29.7 The Data Processor shall not sub-contract any of its obligations to a sub- contractor with respect to the processing of personal data under this Clause 13 without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-contractor, the Data Processor shall: 12.7.1 Enter into a written agreement with the sub-contractor, which shall impose upon the sub-contractor the same obligations as are imposed upon the Data Processor by this Clause 13 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and 12.7.2 Ensure that the sub-contractor complies fully with its obligations under that agreement and the Data Protection Legislation29. 
12.8 29.8 Either Party may, at any time, and on at least 30 calendar days’ days notice, alter this Clause 13 the data protection provisions of the Agreement, replacing it them with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced and replace these provisions by attachment to the Agreement. The parties have indicated their acceptance of this Agreement. Agreement by executing it below. SIGNED by

Appears in 1 contract

Samples: Application Service Provider Agreement


Data Processing. 12.1 In this Clause 12, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in the Data Protection Legislation. 12.2 The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 12 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations. 12.3 12.2 For the purposes of the Data Protection Legislation and for this Clause 12, the Service Provider is the “Data Processor” and the Client is the “Data Controller”. 12.3 The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing are set out in Schedule 4. 12.4 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement. 12.5 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement: 12.5.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law;. 12.5.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures. 
Measures to be taken are set out in Schedule 4.; 12.5.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential;; and 12.5.4 Not transfer any personal data outside of the UK European Economic Area without the prior written consent of the Data Controller and only if the following conditions are satisfied: 12.5.4.1 12.5.5 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data; 12.5.4.2 12.5.5.1 Affected data subjects have enforceable rights and effective legal remedies; 12.5.4.3 12.5.5.2 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and 12.5.4.4 12.5.5.3 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data. 
12.5.5 12.5.6 Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office); 12.5.6 12.5.7 Notify the Data Controller without undue delay of a personal data breach; 12.5.7 12.5.8 On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law; and 12.5.8 12.5.9 Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 12 and to allow for audits by the Data Controller and/or any party designated by the Data Controller. 12.7 The Data Processor shall not sub-contract any of its obligations to a sub- contractor with respect to the processing of personal data under this Clause 13 without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-contractor, the Data Processor shall: 12.7.1 Enter into a written agreement with the sub-contractor, which shall impose upon the sub-contractor the same obligations as are imposed upon the Data Processor by this Clause 13 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and 12.7.2 Ensure that the sub-contractor complies fully with its obligations under that agreement and the Data Protection Legislation. 
12.8 Either Party may, at any time, and on at least 30 calendar days’ notice, alter this Clause 13, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment to this Agreement.

Appears in 1 contract

Samples: Edrms as a Service Agreement

Data Processing. 12.1 In this Clause 12, “personal data”, “data subject”, “data controller”, “data processor”19.1 Both parties will comply with all applicable requirements of the Data Protection Legislation. This clause 19 is in addition to, and “personal data breach” shall have the meaning defined in does not relieve, remove or replace, a party's obligations or rights under the Data Protection Legislation. 12.2 19.2 The Parties hereby agree parties acknowledge that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 12 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations. 12.3 For for the purposes of the Data Protection Legislation and for this Clause 12Legislation, the Service Provider Authority is the “Data Processor” Controller and the Client Supplier is the Processor. Schedule 10 sets out the scope, nature and purpose of processing by the Supplier, the duration of the processing and the types of Personal Data Controller”and categories of Data Subject. 12.4 The Data Controller shall 19.3 Without prejudice to the generality of clause 19.1, the Authority will ensure that it has in place all necessary appropriate consents and notices required in place to enable the lawful transfer of personal data the Personal Data to the Data Processor Supplier for the duration and purposes described in of this Agreement. 
12.5 The Data Processor 19.4 Without prejudice to the generality of clause 19.1, the Supplier shall, with respect to any personal data processed by it in relation to its any Personal Data processed in connection with the performance of any by the Supplier of its obligations under this Agreement: 12.5.1 Process the personal data 19.4.1 process that Personal Data only on the documented written instructions of the Data Controller Authority which are set out in Schedule 10, unless the Data Processor Supplier is required by Domestic Law to otherwise required to process such personal data by lawthat Personal Data. The Data Processor Where the Supplier is relying on Domestic Law as the basis for processing Personal Data, the Supplier shall promptly notify the Data Controller Authority of such this before performing the processing required by Domestic Law unless prohibited the Domestic Law prohibits the Supplier from doing so by lawnotifying the Customer; 12.5.2 Ensure 19.4.2 ensure that it has in place suitable appropriate technical and organisational measures (as defined in the Data Protection Legislation), reviewed and approved by the Data Controller) Authority, to protect the personal data from against unauthorised or unlawful processingprocessing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage or destruction. 
Such measures shall and the nature of the data to be proportionate protected, having regard to the potential harm resulting from such events, taking into account the current state of the art in technology technological development and the cost of implementing any measures (those measures.measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it); 12.5.3 Ensure 19.4.3 ensure that any and all staff with personnel who have access to the personal data (whether for processing purposes or otherwise) and/or process Personal Data are contractually obliged to keep that personal data the Personal Data confidential; 12.5.4 Not 19.4.4 not transfer any personal data Personal Data outside of the UK without unless the prior written consent of the Data Controller Authority has been obtained and only if the following conditions are satisfiedfulfilled: 12.5.4.1 The Data Controller and/or (a) the Authority or the Supplier has provided appropriate safeguards in relation to the transfer; (b) the Data Processor has/have provided suitable safeguards for the transfer of personal data; 12.5.4.2 Affected data subjects have Subject has enforceable rights and effective legal remedies; 12.5.4.3 The Data Processor (c) the Supplier complies with its obligations under the Data Protection Legislation, Legislation by providing an adequate level of protection to any and all personal data so Personal Data that is transferred; and 12.5.4.4 The Data Processor (d) the Supplier complies with all the reasonable instructions given notified to it in advance by the Data Controller Authority with respect to the processing of the personal data.Personal Data; 12.5.5 
Assist 19.4.5 notify the Authority immediately if it receives: (a) a request from a Data Subject to have access to that person's Personal Data; (b) a request to rectify, block or erase any Personal Data; (c) receives any other request, complaint or communication relating to either Party's obligations under the Data Controller at Protection Legislation (including any communication from the Data Controller’s cost, Information Commissioner); 19.4.6 assist the Authority in responding to any and all requests request from data subjects a Data Subject and in ensuring its compliance with the Authority's obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments, assessments and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office)regulators; 12.5.6 Notify 19.4.7 notify the Data Controller Authority without undue delay on becoming aware of a personal data breachPersonal Data Breach including without limitation any event that results, or may result, in unauthorised access, loss, destruction, or alteration of Personal Data in breach of this Agreement; 12.5.7 On 19.4.8 at the Data Controller’s written instructiondirection of the Authority, delete (or otherwise dispose of) or return all personal data Personal Data and any and all copies thereof to the Data Controller Authority on termination or expiry of this the Agreement unless it is required by Domestic Law to retain any of store the personal data by law; andPersonal Data; 12.5.8 Maintain 19.4.9 maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary information to demonstrate its compliance with this Clause 12 clause 19 and to allow for audits by the Data Controller and/or any party Authority or the Authority's designated by auditor pursuant to clause 21 and immediately inform the Data Controller. 
12.7 The Data Processor shall not sub-contract any of its obligations to a sub- contractor with respect to Customer if, in the processing of personal data under this Clause 13 without the prior written consent opinion of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-contractorSupplier, the Data Processor shall: 12.7.1 Enter into a written agreement with the sub-contractor, which shall impose upon the sub-contractor the same obligations as are imposed upon the Data Processor by this Clause 13 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and 12.7.2 Ensure that the sub-contractor complies fully with its obligations under that agreement and an instruction infringes the Data Protection Legislation. 12.8 Either Party may, at 19.5 Where the Supplier wishes to appoint a subprocessor to process any time, and on at least 30 calendar days’ notice, alter this Clause 13, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment Personal Data relating to this Agreement, such subprocessor shall constitute a Sub-Contractor and the Supplier shall: 19.5.1 notify the Authority in writing of the intended processing by the Sub- Contractor; 19.5.2 obtain prior written consent from the Authority; 19.5.3 enter into a written agreement incorporating terms which are substantially similar to those set out in this clause 19. 
20.1 The provisions of this clause do not apply to any Confidential information: 20.1.1 is or becomes available to the public (other than as a result of its disclosure by the receiving party or its Representatives in breach of this clause); 20.1.2 was available to the receiving party on a non-confidential basis before disclosure by the disclosing party; 20.1.3 was, is, or becomes available to the receiving party on a non-confidential basis from a person who, to the receiving party's knowledge, is not bound by a confidentiality agreement with the disclosing party or otherwise prohibited from disclosing the information to the receiving party; 20.1.4 the parties agree in writing is not confidential or may be disclosed; 20.1.5 which is disclosed by the Authority on a confidential basis to any central government or regulatory body. 20.2 Each party shall keep the other party's Confidential Information secret and confidential and shall not: 20.2.1 use such Confidential Information except for the purpose of exercising or performing its rights and obligations under or in connection with this Agreement (Permitted Purpose); or 20.2.2 disclose such Confidential information in whole or in part to any third party, except as expressly permitted by this clause 20. 20.3 A party may disclose the other party's Confidential information to those of its Representatives who need to know such Confidential Information for the Permitted Purpose, provided that: 20.3.1 it consults the other party in advance and informs such Representatives of the confidential nature of the Confidential Information before disclosure; and 20.3.2 it procures that its Representatives shall, in relation to any Confidential Information disclosed to them, comply with the obligations set out in this clause as if they were a party to this Agreement, 20.3.3 and at all times, it is liable for the failure of any Representatives to comply with the obligations set out in this clause 20.2. 
20.4 A party may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law (including under the FOIA or EIRs), by any governmental or other regulatory authority or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives the other party as much notice of its intent to make such disclosure as possible and provides an opportunity for the other party to make representations before deciding whether to disclose. 20.5 The provisions of this clause 20 shall survive for a period of 12 years from the Termination Date.

Appears in 1 contract

Samples: Agreement in Relation to the Provision of Certain Services Under Regulation 12 of the Public Contracts Regulations 2015

Data Processing. 12.1 11.1 In this Clause 12clause 11, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in the Data Protection Legislation. 12.2 11.2 The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 12 clause 11 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations. 12.3 11.3 For the purposes of the Data Protection Legislation and for this Clause 12clause 11, the Service Provider Licensor is the “Data Processor” and the Client is You are the “Data Controller”. 12.4 11.4 The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing are set out in Schedule 2. 11.5 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement. 12.5 11.6 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement: 12.5.1 a) Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law; 12.5.2 b) Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. 
Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures.. Measures to be taken are set out in Schedule 2; 12.5.3 c) Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; 12.5.4 Not transfer d) Transfer any personal data outside of the UK without the prior written consent of (and the Data Controller and hereby consents to such transfer) only if the following conditions are satisfied: 12.5.4.1 11.6.d.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data; 12.5.4.2 11.6.d.2 Affected data subjects have enforceable rights and effective legal remedies; 12.5.4.3 11.6.d.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and 12.5.4.4 11.6.d.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data. 
12.5.5 e) Assist the Data Controller at the Data Controller’s cost, in responding to any and all the requests from data subjects where relevant and in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office)) to the extent the personal data processed by the Data Processor for the purposes of this Agreement is concerned; 12.5.6 f) Notify the Data Controller without undue delay of a personal data breach; 12.5.7 g) On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law; and 12.5.8 h) Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 12 clause 11 and to allow for audits by the Data Controller; 11.7 The Data Controller and/or any party designated by acknowledges and agrees, that the Data Controller. 12.7 The Data Processor shall not may sub-contract any of its obligations to a sub- contractor with respect to the processing of personal data under this Clause 13 without the prior written consent of the Data Controller (such consent not clause 11 to be unreasonably withheld). In the event that the Data Processor appoints a sub-contractor, the . The initial list of Data Processor’s sub-contractors is attached in Schedule 2. 
The Data Processor shall: 12.7.1 Enter shall enter into a written agreement with the sub-contractorprocessor, which shall impose upon the sub-contractor processor the same obligations as are imposed upon the Data Processor by this Clause 13 clause 11 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and 12.7.2 Ensure . Any additions or replacements of subcontractors will be notified to the Data Controller on the Data Processor’s webpage or via email. Customer may oppose the use of a new sub-processor, and shall notify the Data Processor thereof, in which case the Data Processor will use reasonable efforts to amend the Software product (if commercially possible) or service or offer an alternative, and if this is not possible within reasonable time, the Data Controller may terminate the applicable Order’s with a notice to the Data Processor, and the Data Processor will refund the Data Processor the pre-paid fees for the unused part of the Software in proportion from the effective date of termination. Data Processor shall ensure that the sub-contractor processor complies fully with its obligations under that agreement and the Data Protection Legislation.; and 12.8 Either Party 11.8 Licensor may, at any time, and on at least 30 calendar days’ a reasonable notice, alter this Clause 13clause 11, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment to this Agreementand published on Licensor’s webpage.

Appears in 1 contract

Samples: End User License Agreement

Data Processing. 12.1 In this Clause 12, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” 3.1 The Supplier shall have the meaning defined in the Data Protection Legislation. 12.2 The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause 12 shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations. 12.3 For the purposes respect of the Processing of Personal Data Protection Legislation and on behalf of the Client:‌ (i) process that Personal Data during the term of this Contract only on the documented written instructions of the Client (which include this Contract) unless the Supplier is required by Laws to otherwise process that Personal Data. Where the Supplier is relying on Laws as the basis for this Clause 12processing Personal Data, the Service Provider is the “Data Processor” and Supplier shall promptly notify the Client is of this before performing the “Data Controller”.processing required by the Laws unless those Laws prohibit the Supplier from notifying the Client; 12.4 The Data Controller shall (ii) ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement. 12.5 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement: 12.5.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. 
The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law; 12.5.2 Ensure that it has in place suitable appropriate technical and organisational measures (as approved by the Data Controller) to protect the personal data from against unauthorised or unlawful processingprocessing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage or destruction. Such measures shall and the nature of the Personal Data to be proportionate protected, having regard to the potential harm resulting from such events, taking into account the current state of the art in technology technological development and the cost of implementing those any measures.; 12.5.3 Ensure (iii) ensure that any and all staff with personnel who have access to the personal data (whether for processing purposes or otherwise) and/or process Personal Data are contractually obliged to keep that personal data the Personal Data confidential; 12.5.4 Not (iv) not transfer any personal data Personal Data outside of the UK without and/or European Economic Area unless the prior written consent of the Data Controller Client has been obtained and only if there are appropriate safeguards in relation to the following conditions are satisfied: 12.5.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal datatransfer; 12.5.4.2 Affected data subjects have enforceable rights and effective legal remedies; 12.5.4.3 The Data Processor complies with its obligations under (v) assist the Data Protection LegislationClient, providing an adequate level of protection to any and all personal data so transferred; and 12.5.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of 
the personal data. 12.5.5 Assist the Data Controller at the Data ControllerClient’s cost, in responding to any and all requests request from data subjects a Data Subject and in ensuring its compliance with its obligations under the Data Protection Legislation with respect to security, breach breach, notifications, impact assessments, assessments and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office)regulators; 12.5.6 Notify (vi) notify the Data Controller Client without undue delay on becoming aware of a personal data Personal Data breach; 12.5.7 On (vii) ensure that provisions which are equivalent to those set out in this paragraph 3.1 are imposed upon any subprocessor engaged by the Data ControllerSupplier (acknowledging that the Supplier shall remain primarily liable to the Client for the subprocessor’s compliance with such provisions);‌ (viii) inform the Client of any intended additions to or replacements of the Supplier’s subprocessors;‌ (ix) subject to Clause 8.2(e) of the Contract, at the written instructiondirection of the Client, delete (or otherwise dispose of) or return all personal data Personal Data and any and all copies thereof to the Data Controller Client on termination of this Agreement the Contract unless it is required by Laws to retain any of store the personal data by lawPersonal Data; and 12.5.8 Maintain (x) maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary information to demonstrate its compliance with this Clause 12 Schedule and to allow for audits by the Data Controller and/or any party designated by Client on reasonable notice and (but without thereby assuming the Data Controller. 
12.7 The Data Processor shall not sub-contract any of its obligations to a sub- contractor with respect to the processing of personal data under this Clause 13 without the prior written consent primary liability of the Data Controller (such consent not Client to be unreasonably withheld). In only issue lawful instructions) immediately inform the event that Client if, in the Data Processor appoints a sub-contractoropinion of the Supplier, the Data Processor shall: 12.7.1 Enter into a written agreement with the sub-contractor, which shall impose upon the sub-contractor the same obligations as are imposed upon the Data Processor by this Clause 13 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and 12.7.2 Ensure that the sub-contractor complies fully with its obligations under that agreement and an instruction infringes the Data Protection Legislation. 12.8 Either Party may, at any time, and on at least 30 calendar days’ notice, alter this Clause 13, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment to this Agreement.

Appears in 1 contract

Samples: Contract

Data Processing. 12.1 In this Clause 1212 and in the Agreement, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in the Article 4, EU Regulation 2016/679 General Data Protection LegislationRegulation (“GDPR”). 12.2 The Both Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Neither this Clause 12 nor the Agreement shall not relieve either Party of any obligations set out in the Data Protection Legislation and does shall not remove or replace any of those obligations. 12.3 For the purposes of the Data Protection Legislation and for this Clause 1212 and the Agreement, the Service Provider is the “Data Processor” and the Client Member is the “Data Controller”. 12.4 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreementthese Terms and Conditions. 12.5 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreementthese Terms and Conditions: 12.5.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law;. 12.5.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures. 
Measures to be taken shall be agreed between the Data Controller and the Data Processor and set out in the Schedule to the Agreement.; 12.5.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential;; and 12.5.4 Not transfer any personal data outside of the UK European Economic Area without the prior written consent of the Data Controller and only if the following conditions are satisfied: 12.5.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data; 12.5.4.2 Affected data subjects have enforceable rights and effective legal remedies; 12.5.4.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and 12.5.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data. 
12.5.5 Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects and in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office); 12.5.6 Notify the Data Controller without undue delay of a personal data breach; 12.5.7 On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this the Agreement unless it is required to retain any of the personal data by law; and 12.5.8 Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause 12 and to allow for audits by the Data Controller and/or any party designated by the Data Controller. 12.7 The Data Processor shall not sub-contract any of its obligations to a sub- contractor sub-processor with respect to the processing of personal data under this Clause 13 12 without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-contractor, the Data Processor shall: 12.7.1 Enter into a written agreement with the sub-contractor, which shall impose upon the sub-contractor the same obligations as are imposed upon the Data Processor by this Clause 13 and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and 12.7.2 Ensure that the sub-contractor complies fully with its obligations under that agreement and the Data Protection Legislation.
12.8 Either Party may, at any time, and on at least 30 calendar days’ notice, alter this Clause 13the data protection provisions of the Agreement, replacing it them with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply when replaced by attachment to this the Agreement.

Appears in 1 contract

Samples: Terms and Conditions
