INFORMATION AND DATA PROTECTION. 17.1 Digital Origin and the Client may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement.
17.2 Each party will keep in strict confidence all technical or commercial know-how, specifications, inventions, processes or initiatives which are of a confidential nature and any other Confidential Information, whether written or oral, concerning the other party’s business or its products or its services which the other party may obtain, except to the extent any disclosure is required by law. This condition 17 shall survive termination of the Agreement. The Client and Digital Origin will not, without the consent of the other, disclose such information to any person other than:
17.2.1 their employees, contractors or professional advisers who shall require the information in order for the Client or Digital Origin to fulfill its obligations under the Agreement; or
17.2.2 in the case of the Client, its Users to the extent that they are required to use or access the Services.
17.3 Information shall not be treated as confidential if it is:
17.3.1 lawfully in the public domain;
17.3.2 lawfully in the possession of the Client or Digital Origin before disclosure from the other has taken place;
17.3.3 obtained from a third person who is entitled to disclose it; or
17.3.4 replicated independently by someone without access or knowledge of the information.
17.4 If the Client receives a request under the Freedom of Information Act 2000 which encompasses any information provided to the Client by Digital Origin in connection with the Contract the Client will notify Digital Origin immediately of the request and give Digital Origin at least ten Business Days to make representations before releasing the requested information (save to the extent otherwise required by law).
The following terms shall mean: Data Processor shall take the meaning as defined in the Data Protection Legislation (“Process” or “Processing” shall be construed accordingly);
INFORMATION AND DATA PROTECTION. 17.1 Beyond Networks and the Client may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement.
17.2 Each party will keep in strict confidence all technical or commercial know-how, specifications, inventions, processes or initiatives which are of a confidential nature and any other Confidential Information, whether written or oral, concerning the other party’s business or its products or its services which the other party may obtain, except to the extent any disclosure is required by law. This condition 17 shall survive termination of the Agreement. The Client and Beyond Networks will not, without the consent of the other, disclose such information to any person other than:
17.2.1 their employees, contractors or professional advisers who shall require the information in order for the Client or Beyond Networks to fulfill its obligations under the Agreement; or
17.2.2 in the case of the Client, its Users to the extent that they are required to use or access the Services.
17.3 Information shall not be treated as confidential if it is:
17.3.1 lawfully in the public domain;
17.3.2 lawfully in the possession of the Client or Beyond Networks before disclosure from the other has taken place;
17.3.3 obtained from a third person who is entitled to disclose it; or
17.3.4 replicated independently by someone without access or knowledge of the information.
17.4 If the Client receives a request under the Freedom of Information Act 2000 which encompasses any information provided to the Client by Beyond Networks in connection with the Contract the Client will notify Beyond Networks immediately of the request and give Beyond Networks at least ten Business Days to make representations before releasing the requested information (save to the extent otherwise required by law). The following terms shall mean: Data Controller shall take the meaning as defined in the Data Protection Legislation; Data Processor shall take the meaning as defined in the Data Protection Legislation (“Process” or “Processing” shall be construed accordingly); Data Protection Legislation means the UK Data Protection Legislation and any other European Union Legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); Data Subject shall take the meaning as defined in the Data Protection Legislation; GDPR means EU Regulation 2016/679 General Data Protection Regulation; Personal Data Breach means unauthorised or unlawful Processing of Personal Data or accidental loss or destruction of, or damage to, Personal Data; and UK Data Protection Legislation means all applicable data protection and privacy legislation in force from time Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
17.5 This clause only applies to the extent that Beyond Networks is Processing Personal Data on behalf of the Client.
17.6 Both Parties will comply with all applicable requirements of the Data Protection Legislation.
17.7 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Data Controller and Beyond Networks is the Data Processor.
17.8 The Privacy & Data Policy sets out the scope, nature and purpose of Processing by Beyond Networks, the duration of the Processing, the types of Personal Data and the categories of Data Subject.
17.9 Without prejudice to the generality of condition 17.6:
17.9.1 The Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Beyond Networks for the purposes of this Agreement; and
17.9.2 Beyond Networks will:
17.9.2.1 Process Personal Data only on the written instructions of the Client, including regarding transfers of Personal Data outside of the European Economic Area, unless Beyond Networks is required to do so by a legal obligation and, if so, Beyond Networks will notify Client of this before such Processing, unless a legal obligation prohibits this;
17.9.2.2 ensure that all personnel authorised by Beyond Networks to Process Personal Data are obliged to keep the Personal Data confidential;
17.9.2.3 ensure that it has in place appropriate technical and organisational measures designed to protect against a Personal Data Breach, appropriate to the harm that might result from such Personal Data Breach and the nature of the Personal Data to be protected where Beyond Networks shall have regard to the state of technological development and the cost of implementing any measures, including, where appropriate:
(A) pseudonymising and encrypting Personal Data;
(B) ensuring confidentiality, integrity, availability and resilience of its systems and services;
(C) ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and
(D) regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it;
17.9.2.4 notify the Client without undue delay if it becomes aware of a Personal Data Breach;
17.9.2.5 assist the Client in responding to any requests from Data Subjects and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, save that if this is not within the reasonable remit of the Services, this will be at Client’s cost;
17.9.2.6 at Client’s written direction, delete (or put Beyond Use) or return Personal Data to Client once provision of the Services has ceased, unless required by a legal obligation to store the Personal Data; and
17.9.2.7 maintain records and information to demonstrate its compliance with this condition 10 and, where this is not sufficient, allow for audits by Client or Client’s auditor solely to demonstrate compliance, at Client’s cost, provided that the Client:
(A) will not exercise its audit rights more than once in any three (3) year period, save where Client reasonably believes that a further audit is required due to Personal Data Breach;
(B) gives at least thirty (30) days’ written notice of its intention to audit, including specific details on the scope of the audit and any required evidence;
(C) conducts its audit during normal business hours and limits its audit to a maximum of 2 Business Days; and
(D) takes all reasonable measures to prevent material business interruption to Beyond Networks.
17.10 Beyond Networks retains all administration and executive password and access privileges for all its clients. Passwords and secure information are stored in a multi-level encrypted enterprise environment, backed up across multiple datacentres globally, with full redundancy. As an additional layer of security passwords are changed regularly and never shared outside our organisation. Within Beyond Networks only specific accredited users have access via additional levels of MFA access and all access is monitored, time, data and user stamped.
17.10.1 From time to time clients ask that an additional layer of security is provided to remit against a scenario where Beyond Networks is compromised and unable to operate or continue to service its clients’ infrastructure as a result of being forced into administration. This is catered for by Beyond Networks’s client escrow / holding service which is subject to scoping, setup, registration and delivery. All pricing is POA.
INFORMATION AND DATA PROTECTION. 17.1 Digital Origin and the Client may be given access to Confidential Information from the other party in order to perform its obligations under this Agreement.
17.2 Each party will keep in strict confidence all technical or commercial know-how, specifications, inventions, processes or initiatives which are of a confidential nature and any other Confidential Information, whether written or oral, concerning the other party’s business or its products or its services which the other party may obtain, except to the extent any disclosure is required by law. This condition 17 shall survive termination of the Agreement. The Client and Digital Origin will not, without the consent of the other, disclose such information to any person other than:
17.2.1 their employees, contractors or professional advisers who shall require the information in order for the Client or Digital Origin to fulfill its obligations under the Agreement; or
17.2.2 in the case of the Client, its Users to the extent that they are required to use or access the Services.
17.3 Information shall not be treated as confidential if it is:
17.3.1 lawfully in the public domain;
17.3.2 lawfully in the possession of the Client or Digital Origin before disclosure from the other has taken place;
17.3.3 obtained from a third person who is entitled to disclose it; or
17.3.4 replicated independently by someone without access or knowledge of the information.
17.4 If the Client receives a request under the Freedom of Information Act 2000 which encompasses any information provided to the Client by Digital Origin in connection with the Contract the Client will notify Digital Origin immediately of the request and give Digital Origin at least ten Business Days to make representations before releasing the requested information (save to the extent otherwise required by law). The following terms shall mean: Data Controller shall take the meaning as defined in the Data Protection Legislation; Data Processor shall take the meaning as defined in the Data Protection Legislation (“Process” or “Processing” shall be construed accordingly); Data Protection Legislation means the UK Data Protection Legislation and any other European Union Legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications); Data Subject shall take the meaning as defined in the Data Protection Legislation; GDPR means EU Regulation 2016/679 General Data Protection Regulation; Personal Data Breach means unauthorised or unlawful Processing of Personal Data or accidental loss or destruction of, or damage to, Personal Data; and UK Data Protection Legislation means all applicable data protection and privacy legislation in force from time to time in the UK including the GDPR; the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.
17.5 This clause only applies to the extent that Digital Origin is Processing Personal Data on behalf of the Client.
17.6 Both Parties will comply with all applicable requirements of the Data Protection Legislation.
17.7 The Parties acknowledge that for the purposes of the Data Protection Legislation, the Client is the Data Controller and Digital Origin is the Data Processor.
17.8 The Privacy & Data Policy sets out the scope, nature and purpose of Processing by Digital Origin, the duration of the Processing, the types of Personal Data and the categories of Data Subject.
17.9 Without prejudice to the generality of condition 17.6:
17.9.1 The Client will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Digital Origin for the purposes of this Agreement; and
17.9.2 Digital Origin will:
17.9.2.1 Process Personal Data only on the written instructions of the Client, including regarding transfers of Personal Data outside of the European Economic Area, unless Digital Origin is required to do so by a legal obligation and, if so, Digital Origin will notify Client of this before such Processing, unless a legal obligation prohibits this;
17.9.2.2 ensure that all personnel authorised by Digital Origin to Process Personal Data are obliged to keep the Personal Data confidential;
17.9.2.3 ensure that it has in place appropriate technical and organisational measures designed to protect against a Personal Data Breach, appropriate to the harm that might result from such Personal Data Breach and the nature of the Personal Data to be protected where Digital Origin shall have regard to the state of technological development and the cost of implementing any measures, including, where appropriate:
(A) pseudonymising and encrypting Personal Data;
(B) ensuring confidentiality, integrity, availability and resilience of its systems and services;
(C) ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident; and
(D) regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it;
17.9.2.4 notify the Client without undue delay if it becomes aware of a Personal Data Breach;
17.9.2.5 assist the Client in responding to any requests from Data Subjects and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, save that if this is not within the reasonable remit of the Services, this will be at Client’s cost;
17.9.2.6 at Client’s written direction, delete (or put Beyond Use) or return Personal Data to Client once provision of the Services has ceased, unless required by a legal obligation to store the Personal Data; and
17.9.2.7 maintain records and information to demonstrate its compliance with this condition 10 and, where this is not sufficient, allow for audits by Client or Client’s auditor solely to demonstrate compliance, at Client’s cost, provided that the Client:
(A) will not exercise its audit rights more than once in any three (3) year period, save where Client reasonably believes that a further audit is required due to Personal Data Breach;
(B) gives at least thirty (30) days’ written notice of its intention to audit, including specific details on the scope of the audit and any required evidence;
(C) conducts its audit during normal business hours and limits its audit to a maximum of 2 Business Days; and
(D) takes all reasonable measures to prevent material business interruption to Digital Origin.
17.10 Digital Origin retains all administration and executive password and access privileges for all its clients. Passwords and secure information are stored in a multi-level encrypted enterprise environment, backed up across multiple datacentres globally, with full redundancy. As an additional layer of security passwords are changed regularly and never shared outside our organisation. Within Digital Origin only specific accredited users have access via additional levels of MFA access and all access is monitored, time, data and user stamped.
17.10.1 From time to time clients ask that an additional layer of security is provided to remit against a scenario where Digital Origin is compromised and unable to operate or continue to service its clients’ infrastructure as a result of being forced into administration. This is catered for by Digital Origin’s client escrow / holding service which is subject to scoping, setup, registration and delivery. All pricing is POA.