INFORMATION SECURITY AND DATA PROTECTION REQUIREMENTS Sample Clauses

INFORMATION SECURITY AND DATA PROTECTION REQUIREMENTS

a. The Data Processor must take the necessary technical and organisational security measures against Personal Data being accidentally or unlawfully destroyed, lost or impaired and against any unauthorised persons receiving the Personal Data, the Personal Data being abused or otherwise processed contrary to the Legislation. Such technical and organisational security measures include:

   i. Certification, including that the Data Processor is certified in accordance with the ISAE 3000 standard by KPMG, which means that KPMG has audited the internal security policies and security procedures of the Data Processor with a view to optimum protection of the documents of the Data Controller;

   ii. Network security, transmission and storage, including the establishment of a login and password procedure (two factor authentication) as well as firewalls and antivirus software. All documents are stored in encrypted form and all communication to and from the Data Processor’s server(s) is encrypted. The Data Processor observes the encryption standards that are defined by the National Institute of Standards and Technologies (NIST). The Data Processor uses only encryption algorithms that are approved by the Federal Information Processing Standards (FIPS) and recommended by NIST;

   iii. Matters relating to employees, including that only employees who are authorised have access to the Personal Data and that employees receive relevant training, adequate instructions in and guidelines for the processing of the personal data; cf. also clause G.;

   iv. Physical security, including that access to buildings and systems that are used in connection with the data processing is protected in an appropriate manner so that unauthorised third parties do not have access to them.

b. The Data Processor must implement and observe a security policy and guidelines for the processing of Personal Data in the Data Processor’s organisation that are in accordance with and meet the terms and conditions that appear from this Data Processing Agreement and/or the instruction of the Data Controller at any time.

c. The Data Processor evaluates the security level with a view to initiating any necessary measures to maintain sufficient data security at any time.