Common use of Measures Clause in Contracts

Measures. As part of the SAP Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the SAP Information Classification standard. • Access to Personal Data is granted on a need-to-know basis. Personnel have access to the information that they require in order to fulfill their duty. SAP uses authorization concepts that document grant processes and assigned roles per account (user ID). All Customer Data is protected in accordance with the SAP Security Policy. • All production servers are operated in the Data Centers or in secure server rooms. Security measures that protect applications processing Personal Data are regularly checked. To this end, SAP conducts internal and external security checks and penetration tests on its IT systems. • SAP does not allow the installation of software that has not been approved by SAP. • An SAP security standard governs how data and data carriers are deleted or destroyed once they are no longer required.

Measures. As part of the SAP Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the SAP Information Classification standard. • Access to Personal Data is granted on a need-to-know basis. Personnel have access to the information that they require in order to fulfill their duty. SAP XXX uses authorization concepts that document grant processes and assigned roles per account (user ID). All Customer Data is protected in accordance with the SAP Security Policy. • All production servers are operated in the Data Centers or in secure server rooms. Security measures that protect applications processing Personal Data are regularly checked. To this end, SAP conducts internal and external security checks and penetration tests on its IT systems. • SAP does not allow the installation of software that has not been approved by SAP. • An SAP security standard governs how data and data carriers are deleted or destroyed once they are no longer required.

Measures. As part of the SAP Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the SAP Information Classification standard. • Access to Personal Data personal, confidential or sensitive information is granted on a need-to-know basis. Personnel In other words, employees or external third parties have access to the information that they require in order to fulfill complete their dutywork. SAP uses authorization concepts that document grant processes how authorizations are assigned and assigned roles per account (user ID)which authorizations are assigned. All Customer Data personal, confidential, or otherwise sensitive data is protected in accordance with the SAP Security Policyrelevant security standards. Confidential information must be processed confidentially. • All production servers are operated in the Data Centers or in secure relevant data centers/server rooms. Security measures The security systems that protect applications for processing Personal Data personal, confidential or other sensitive data are regularly checked. To this end, SAP conducts internal and external security checks and penetration tests on its the IT systems. • SAP does not allow the installation of personal software that has or other software not been approved by SAP. • An SAP security standard governs how data and data carriers that are no longer required are deleted or destroyed once they are no longer requireddestroyed.

Measures. As part of the SAP Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the SAP Information Classification standard. • Access to Personal Data is granted on a need-to-to- know basis. Personnel have access to the information that they require in order to fulfill their duty. SAP uses authorization concepts that document grant processes and assigned roles per account (user ID). All Customer Data is protected in accordance with the SAP Security Policy. • All production servers are operated in the Data Centers or in secure server rooms. Security measures that protect applications processing Personal Data are regularly checked. To this end, SAP conducts internal and external security checks and penetration tests on its IT systems. • SAP does not allow the installation of software that has not been approved by SAP. • An SAP security standard governs how data and data carriers are deleted or destroyed once they are no longer required.

Measures. As part of the SAP Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the SAP Information Classification standard. • Access to Personal Data personal, confidential or sensitive information is granted on a need-to-know basis. Personnel In other words, employees or external third parties have access to the information that they require in order to fulfill complete their dutywork. SAP uses authorization concepts that document grant processes how authorizations are assigned and assigned roles per account (user ID)which authorizations are assigned. All Customer Data personal, confidential, or otherwise sensitive data is protected in accordance with the SAP Security Policyrelevant security standards. • Confidential information must be processed confidentially. All production servers are operated in the Data Centers or in secure relevant data centers/server rooms. Security measures The security systems that protect applications for processing Personal Data personal, confidential or other sensitive data are regularly checked. To this end, SAP conducts internal and external security checks and penetration tests on its the IT systems. • SAP does not allow the installation of personal software that has or other software not been approved by SAP. • An SAP security standard governs how data and data carriers that are no longer required are deleted or destroyed once they are no longer requireddestroyed.

Measures. As part of the SAP Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the SAP Information Classification standard. • Access to Personal Data personal, confidential or sensitive information is granted on a need-to-know basis. Personnel In other words, employees or external third parties have access to the information that they require in order to fulfill complete their dutywork. SAP uses authorization concepts that document grant processes how authorizations are assigned and assigned roles per account (user ID)which authorizations are assigned. All Customer Data personal, confidential, or otherwise sensitive data is protected in accordance with the SAP Security Policysecurity policies and standards. • All production servers of any SAP Cloud Service are operated in the relevant Data Centers or in secure Centers/server rooms. Security measures that protect applications processing Personal Data personal, confidential or other sensitive information are regularly checked. To this end, SAP conducts internal and external security checks and penetration tests on its the IT systems. • SAP does not allow the installation of personal software that has or other software not been approved by SAPSAP to systems being used for any Cloud Service. • An A SAP security standard governs how data and data carriers are deleted or destroyed once they are no longer requireddestroyed.

Measures. As part of the SAP Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the SAP Information Classification standard. • Access to Personal Data personal, confidential or sensitive information is granted on a need-to-know basis. Personnel In other words, employees or external third parties have access to the information that they require in order to fulfill complete their dutywork. SAP XXX uses authorization concepts that document grant processes how authorizations are assigned and assigned roles per account (user ID)which authorizations are assigned. All Customer Data personal, confidential, or otherwise sensitive data is protected in accordance with the SAP Security Policyrelevant security standards. • Confidential information must be processed confidentially. All production servers are operated in the Data Centers or in secure relevant data centers/server rooms. Security measures The security systems that protect applications for processing Personal Data personal, confidential or other sensitive data are regularly checked. To this end, SAP conducts internal and external security checks and penetration tests on its the IT systems. • SAP does not allow the installation of personal software that has or other software not been approved by SAP. • An SAP security standard governs how data and data carriers that are no longer required are deleted or destroyed once they are no longer requireddestroyed.