Common use of Duration and Termination of this Addendum Clause in Contracts

Duration and Termination of this Addendum. This Addendum is effective as of the Effective Date and shall remain in force during the term of the Agreement. This Addendum will terminate automatically with the termination or expiry of any SOW. Notwithstanding the termination of this Addendum, the Processor and any subcontractors (pursuant to Sections 6.1 and 9 of this Addendum) shall continue to be bound by their obligations of confidentiality. Instructions of the Controller The Processor will Process the Personal Data provided by the Controller solely in accordance with the Controller’s written instructions and the provisions contained in this Addendum and its Appendices and as may be communicated by the Controller from time to time (“Instructions”). The current Addendum constitutes written instructions. If the Processor believes that an Instruction infringes applicable Data Protection Rules, it will immediately notify the Controller. General Obligations of the Processor The Processor undertakes to Process the Personal Data in accordance with applicable Data Protection Rules; specifically, with respect to Personal Data from the European Economic Area, in accordance with its obligations as a data processor under the Europoean Economic Area’s Standard Contractual Clauses. The Processor undertakes that it will Process the Controller’s Personal Data on behalf of the Controller and only in compliance with its Instructions, as described in Appendix 1, and under the provisions of this Addendum. The Processor will also inform the Controller about any relevant changes concerning the Processing of its Personal Data. The Processor will neither transfer nor communicate the Personal Data to third parties nor Process or use it for its own purposes, unless otherwise stipulated in this Addendum and in accordance with the Data Protection Rules. The Processor will only onward transfer Personal Data in strict compliance with the Data Protection Rules and the requirements of the European Economic Union’s Standard Contractual Clauses and upon the prior written approval of the Controller. The Processor is not allowed to make copies or duplicates of the Personal Data without the prior written consent of the Controller, unless such copies or duplicates are necessary for the fulfillment of its obligations under this Addendum or the Agreement. The Processor will not obtain any rights or title to any Personal Data by virtue of providing the Services, and may not determine the purposes for which Personal Data it receives under the Addendum may be Processed or otherwise used. Confidentiality and Information Security Standards Processing will be subject to a strict duty of confidentiality: The Processor shall keep Personal Data strictly confidential and may only disclose Personal Data to third parties with the prior written consent of the Controller or as otherwise agreed in this Addendum. The Processor shall ensure that its employees are aware of the applicable privacy and information security requirements and are held by legally binding confidentiality obligations, which must survive the termination of their employment. The Processor will ensure appropriate protection of Personal Data in accordance with the requirements of the Data Protection Rules and must implement appropriate operational, technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or Information Security Incidents and in light of the relevant risks presented by the Processing. In particular, this includes, but is not limited to: Preventing access by unauthorized persons to Processing facilities and systems, where Personal Data is Processed or used (physical access control); Preventing unauthorized use of Processing systems (admission control); Ensuring that those persons authorized to use a Processing system are only able to access Personal Data within the scope of their access rights as determined by Controller, and that Personal Data cannot be read, copied, modified or deleted without authorization during Processing, use and after recording (virtual access control); Ensuring that, during electronic transfer, Personal Data cannot be read, copied, modified or deleted without authorization, and that it is possible to check and identify the points at which data transfer equipment is likely to be used to move Personal Data (transfer and disclosure control); Ensuring that it will subsequently be possible to check and ascertain whether and by whom Personal Data has been accessed, modified or deleted from Processing systems (input control); Ensuring that Personal Data Processed under the terms of this Addendum can only be Processed in accordance with the instructions issued by the Controller (assignment control); Ensuring that Personal Data is protected against accidental malfunctions or loss (availability control); and Ensuring that Personal Data collected for different purposes can be Processed separately (separation control). The Processor represents and warrants that it has implemented the technical and organizational security measures described in Appendix 2. The Processor will update the technical and organizational security measures in line with reasonable technological developments as determined by Processor. The Processor’s technical and organizational measures and any material amendments thereto must be documented by the Processor and the Processor should provide this documentation to the Controller on request (pursuant to Section 8.1 of this Addendum) in the form of its current ISO 27001 certification. Cooperation and Notification Obligations The Parties will co-operate with each other to promptly and effectively handle enquiries, complaints, and claims relating to the Processing of Personal Data from any government official or authority (including but not limited to any data protection or law enforcement agency), third parties or individuals (including but not limited to the Data Subjects). If a Data Subject should apply directly to the Processor to exercise his/her Personal Data rights, the Processor must forward this request to the Controller without delay, unless otherwise agreed between the Parties. The Processor will notify the Controller of an Information Security Incident that is determined to affect Controller’s Personal Data without undue delay. This notification must include the details of Personal Data compromised, including, but not limited to: (i) the nature of the Information Security Incident; (ii) the identity and contact details of a contact person; and (iii) the measures taken or proposed to minimize possible harm. The Processor will fully cooperate with and provide any additional information requested by the Controller to investigate the Information Security Incident. The Parties are aware that the applicable Data Protection Rules may impose a duty to inform the competent authorities or affected Data Subjects in the event of the loss or unlawful disclosure of Personal Data or access to it. These incidents should therefore be notified by the Processor to the Controller without undue delay Controller’s Audit and Inspection Rights The Processor must ensure that the Controller can confirm the Processor’s obligations under this Addendum and adherence to the information security measures and confidentially requirements under Sections 6 of this Addendum. For this purpose, the Processor must provide the Controller, upon request, with evidence of the implementation of these requirements which shall be evidenced by a current ISO 27001 certificate. The Controller may inspect or audit the Processing work flows in the Processor’s company at regular intervals in order to verify compliance by the Processor with the terms and conditions of this Addendum and in particular with the obligations relating to measures mentioned in Section 6. The inspection may be carried out by the Controller’s data protection officer or a representative of the Controller. No competitor of the Processor may be appointed as an auditor. The Controller will inform the Processor prior to any inspection. The Controller undertakes to carry out any inspection during normal working hours and without interfering with the course of the Processor’s business. The Controller and the Processor may be subject to control by public authorities. The Processor will notify the Controller immediately if the Personal Data is subject to a control or investigation by public authorities and will not disclose any Personal Data without the prior consent of the Controller. The Processor will provide the public authorities, upon request, with information regarding Processing under this Addendum as well as allow inspections within the scope stated in this Section 8. The Processor will work together with the Controller, as specified in Section 7.1.

Duration and Termination of this Addendum. This Addendum is effective as of the Effective Date and shall remain in force during the term of the Agreement. This Addendum will terminate automatically with the termination or expiry of any SOW. Notwithstanding the termination of this Addendum, the Processor and any subcontractors (pursuant to Sections 6.1 and 9 of this Addendum) shall continue to be bound by their obligations of confidentiality. Instructions of the Controller The Processor will Process the Personal Data provided by the Controller solely in accordance with the Controller’s written instructions and the provisions contained in this Addendum and its Appendices and as may be communicated by the Controller from time to time (“Instructions”). The current Addendum constitutes written instructions. If the Processor believes that an Instruction infringes applicable Data Protection Rules, it will immediately notify the Controller. General Obligations of the Processor The Processor undertakes to Process the Personal Data in accordance with applicable Data Protection Rules; specifically, with respect to Personal Data from the European Economic AreaArea or Switzerland, in accordance with its obligations as a data processor under the Europoean Economic Area’s Standard Contractual Clausesits Privacy Shield certification. The Processor undertakes that it will Process the Controller’s Personal Data on behalf of the Controller and only in compliance with its Instructions, as described in Appendix 1, and under the provisions of this Addendum. The Processor will also inform the Controller about any relevant changes concerning the Processing of its Personal Data. The Processor will neither transfer nor communicate the Personal Data to third parties nor Process or use it for its own purposes, unless otherwise stipulated in this Addendum and in accordance with the Data Protection Rules. The Processor will only onward transfer Personal Data in strict compliance with the Data Protection Rules and the requirements of the European Economic Union’s Standard Contractual Clauses Privacy Shield and upon the prior written approval of the Controller. The Processor is not allowed to make copies or duplicates of the Personal Data without the prior written consent of the Controller, unless such copies or duplicates are necessary for the fulfillment of its obligations under this Addendum or the Agreement. The Processor will not obtain any rights or title to any Personal Data by virtue of providing the Services, and may not determine the purposes for which Personal Data it receives under the Addendum may be Processed or otherwise used. Confidentiality and Information Security Standards Processing will be subject to a strict duty of confidentiality: The Processor shall keep Personal Data strictly confidential and may only disclose Personal Data to third parties with the prior written consent of the Controller or as otherwise agreed in this Addendum. The Processor shall ensure that its employees are aware of the applicable privacy and information security requirements and are held by legally binding confidentiality obligations, which must survive the termination of their employment. The Processor will ensure appropriate protection of Personal Data in accordance with the requirements of the Data Protection Rules and must implement appropriate operational, technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or Information Security Incidents and in light of the relevant risks presented by the Processing. In particular, this includes, but is not limited to: Preventing access by unauthorized persons to Processing facilities and systems, where Personal Data is Processed or used (physical access control); Preventing unauthorized use of Processing systems (admission control); Ensuring that those persons authorized to use a Processing system are only able to access Personal Data within the scope of their access rights as determined by Controller, and that Personal Data cannot be read, copied, modified or deleted without authorization during Processing, use and after recording (virtual access control); Ensuring that, during electronic transfer, Personal Data cannot be read, copied, modified or deleted without authorization, and that it is possible to check and identify the points at which data transfer equipment is likely to be used to move Personal Data (transfer and disclosure control); Ensuring that it will subsequently be possible to check and ascertain whether and by whom Personal Data has been accessed, modified or deleted from Processing systems (input control); Ensuring that Personal Data Processed under the terms of this Addendum can only be Processed in accordance with the instructions issued by the Controller (assignment control); Ensuring that Personal Data is protected against accidental malfunctions or loss (availability control); and Ensuring that Personal Data collected for different purposes can be Processed separately (separation control). The Processor represents and warrants that it has implemented the technical and organizational security measures described in Appendix 2. The Processor will update the technical and organizational security measures in line with reasonable technological developments as determined by Processor. The Processor’s technical and organizational measures and any material amendments thereto must be documented by the Processor and the Processor should provide this documentation to the Controller on request (pursuant to Section 8.1 of this Addendum) in the form of its current ISO 27001 certification. Cooperation and Notification Obligations The Parties will co-operate with each other to promptly and effectively handle enquiries, complaints, and claims relating to the Processing of Personal Data from any government official or authority (including but not limited to any data protection or law enforcement agency), third parties or individuals (including but not limited to the Data Subjects). If a Data Subject should apply directly to the Processor to exercise his/her Personal Data rights, the Processor must forward this request to the Controller without delay, unless otherwise agreed between the Parties. The Processor will notify the Controller of an Information Security Incident that is determined to affect Controller’s Personal Data without undue delay. This notification must include the details of Personal Data compromised, including, but not limited to: (i) the nature of the Information Security Incident; (ii) the identity and contact details of a contact person; and (iii) the measures taken or proposed to minimize possible harm. The Processor will fully cooperate with and provide any additional information requested by the Controller to investigate the Information Security Incident. The Parties are aware that the applicable Data Protection Rules may impose a duty to inform the competent authorities or affected Data Subjects in the event of the loss or unlawful disclosure of Personal Data or access to it. These incidents should therefore be notified by the Processor to the Controller without undue delay Controller’s Audit and Inspection Rights The Processor must ensure that the Controller can confirm the Processor’s obligations under this Addendum and adherence to the information security measures and confidentially requirements under Sections 6 of this Addendum. For this purpose, the Processor must provide the Controller, upon request, with evidence of the implementation of these requirements which shall be evidenced by a current ISO 27001 certificate. The Controller may inspect or audit the Processing work flows in the Processor’s company at regular intervals in order to verify compliance by the Processor with the terms and conditions of this Addendum and in particular with the obligations relating to measures mentioned in Section 6. The inspection may be carried out by the Controller’s data protection officer or a representative of the Controller. No competitor of the Processor may be appointed as an auditor. The Controller will inform the Processor prior to any inspection. The Controller undertakes to carry out any inspection during normal working hours and without interfering with the course of the Processor’s business. The Controller and the Processor may be subject to control by public authorities. The Processor will notify the Controller immediately if the Personal Data is subject to a control or investigation by public authorities and will not disclose any Personal Data without the prior consent of the Controller. The Processor will provide the public authorities, upon request, with information regarding Processing under this Addendum as well as allow inspections within the scope stated in this Section 8. The Processor will work together with the Controller, as specified in Section 7.1.

Duration and Termination of this Addendum. This Addendum is effective as of the Effective Date and shall remain in force during the term of the Agreement. This Addendum will terminate automatically with the termination or expiry of any SOW. Notwithstanding the termination of this Addendum, the Processor and any subcontractors (pursuant to Sections 6.1 and 9 of this Addendum) shall continue to be bound by their obligations of confidentiality. Instructions of the Controller The Processor will Process the Personal Data provided by the Controller solely in accordance with the Controller’s written instructions and the provisions contained in this Addendum and its Appendices and as may be communicated by the Controller from time to time (“Instructions”). The current Addendum constitutes written instructions. If the Processor believes that an Instruction infringes applicable Data Protection Rules, it will immediately notify the Controller. General Obligations of the Processor The Processor undertakes to Process the Personal Data in accordance with applicable Data Protection Rules; specifically, with respect to Personal Data from the European Economic Area, in accordance with its obligations as a data processor under the Europoean Economic Area’s Standard Contractual Clausesits Privacy Shield certification. The Processor undertakes that it will Process the Controller’s Personal Data on behalf of the Controller and only in compliance with its Instructions, as described in Appendix 1, and under the provisions of this Addendum. The Processor will also inform the Controller about any relevant changes concerning the Processing of its Personal Data. The Processor will neither transfer nor communicate the Personal Data to third parties nor Process or use it for its own purposes, unless otherwise stipulated in this Addendum and in accordance with the Data Protection Rules. The Processor will only onward transfer Personal Data in strict compliance with the Data Protection Rules and the requirements of the European Economic Union’s Standard Contractual Clauses Privacy Shield and upon the prior written approval of the Controller. The Processor is not allowed to make copies or duplicates of the Personal Data without the prior written consent of the Controller, unless such copies or duplicates are necessary for the fulfillment of its obligations under this Addendum or the Agreement. The Processor will not obtain any rights or title to any Personal Data by virtue of providing the Services, and may not determine the purposes for which Personal Data it receives under the Addendum may be Processed or otherwise used. Confidentiality and Information Security Standards Processing will be subject to a strict duty of confidentiality: The Processor shall keep Personal Data strictly confidential and may only disclose Personal Data to third parties with the prior written consent of the Controller or as otherwise agreed in this Addendum. The Processor shall ensure that its employees are aware of the applicable privacy and information security requirements and are held by legally binding confidentiality obligations, which must survive the termination of their employment. The Processor will ensure appropriate protection of Personal Data in accordance with the requirements of the Data Protection Rules and must implement appropriate operational, technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or Information Security Incidents and in light of the relevant risks presented by the Processing. In particular, this includes, but is not limited to: Preventing access by unauthorized persons to Processing facilities and systems, where Personal Data is Processed or used (physical access control); Preventing unauthorized use of Processing systems (admission control); Ensuring that those persons authorized to use a Processing system are only able to access Personal Data within the scope of their access rights as determined by Controller, and that Personal Data cannot be read, copied, modified or deleted without authorization during Processing, use and after recording (virtual access control); Ensuring that, during electronic transfer, Personal Data cannot be read, copied, modified or deleted without authorization, and that it is possible to check and identify the points at which data transfer equipment is likely to be used to move Personal Data (transfer and disclosure control); Ensuring that it will subsequently be possible to check and ascertain whether and by whom Personal Data has been accessed, modified or deleted from Processing systems (input control); Ensuring that Personal Data Processed under the terms of this Addendum can only be Processed in accordance with the instructions issued by the Controller (assignment control); Ensuring that Personal Data is protected against accidental malfunctions or loss (availability control); and Ensuring that Personal Data collected for different purposes can be Processed separately (separation control). The Processor represents and warrants that it has implemented the technical and organizational security measures described in Appendix 2. The Processor will update the technical and organizational security measures in line with reasonable technological developments as determined by Processor. The Processor’s technical and organizational measures and any material amendments thereto must be documented by the Processor and the Processor should provide this documentation to the Controller on request (pursuant to Section 8.1 of this Addendum) in the form of its current ISO 27001 certification. Cooperation and Notification Obligations The Parties will co-operate with each other to promptly and effectively handle enquiries, complaints, and claims relating to the Processing of Personal Data from any government official or authority (including but not limited to any data protection or law enforcement agency), third parties or individuals (including but not limited to the Data Subjects). If a Data Subject should apply directly to the Processor to exercise his/her Personal Data rights, the Processor must forward this request to the Controller without delay, unless otherwise agreed between the Parties. The Processor will notify the Controller of an Information Security Incident that is determined to affect Controller’s Personal Data without undue delay. This notification must include the details of Personal Data compromised, including, but not limited to: (i) the nature of the Information Security Incident; (ii) the identity and contact details of a contact person; and (iii) the measures taken or proposed to minimize possible harm. The Processor will fully cooperate with and provide any additional information requested by the Controller to investigate the Information Security Incident. The Parties are aware that the applicable Data Protection Rules may impose a duty to inform the competent authorities or affected Data Subjects in the event of the loss or unlawful disclosure of Personal Data or access to it. These incidents should therefore be notified by the Processor to the Controller without undue delay Controller’s Audit and Inspection Rights The Processor must ensure that the Controller can confirm the Processor’s obligations under this Addendum and adherence to the information security measures and confidentially requirements under Sections 6 of this Addendum. For this purpose, the Processor must provide the Controller, upon request, with evidence of the implementation of these requirements which shall be evidenced by a current ISO 27001 certificate. The Controller may inspect or audit the Processing work flows in the Processor’s company at regular intervals in order to verify compliance by the Processor with the terms and conditions of this Addendum and in particular with the obligations relating to measures mentioned in Section 6. The inspection may be carried out by the Controller’s data protection officer or a representative of the Controller. No competitor of the Processor may be appointed as an auditor. The Controller will inform the Processor prior to any inspection. The Controller undertakes to carry out any inspection during normal working hours and without interfering with the course of the Processor’s business. The Controller and the Processor may be subject to control by public authorities. The Processor will notify the Controller immediately if the Personal Data is subject to a control or investigation by public authorities and will not disclose any Personal Data without the prior consent of the Controller. The Processor will provide the public authorities, upon request, with information regarding Processing under this Addendum as well as allow inspections within the scope stated in this Section 8. The Processor will work together with the Controller, as specified in Section 7.1.