Common use of Network Security and Intrusion Prevention Systems Clause in Contracts

Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure […] processed) for applying and managing security updates, patches, fixes and upgrades (collectively: "Patches") on all computer system, network, telecommunications system, database or other environments that are owned by, or xxxxxx controlled, operated or maintained by, Supplier or any of its Representatives, including but not limited to electronic mail, voicemail, networks, and internet and intranet web portals (collectively: “Company Systems”). Once per calendar quarter, Supplier shall put Patches into xxxxxxx by which security fixes or updates from a release of xx xxxxxxxxx xxxxxx executed on all Computer Systems that have access to Confidential Information and/or Company Systems.

Appears in 3 contracts

Samples: Supplier Agreement, Supplier Agreement, Supplier Agreement


Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the […] and shall also ensure that its representatives comply with this as well. Management of operations to ensure security. 5.1 Supplier's process for handling updates and patches. 
Supplier represents that it has implemented (or will implement prior to performing any Services that require processing Company Confidential Information) a process for obtaining and managing security updates and patches (collectively, “Patches”) on all computer systems, networks, telecommunications systems, databases or other information technology environments owned, controlled, operated or maintained by Supplier or its Representatives, including without limitation electronic mail, voice mail, networks, and internet and intranet web portals (collectively, “Company Systems”). Once per calendar quarter, Supplier shall implement Patches comprising the security fixes or updates released by the manufacturer on all computer systems that have access to Confidential Information and/or Company Systems.

Appears in 2 contracts

Samples: Supplier Agreement, Supplier Agreement

Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and frequent status updates of any investigation […] Security operations management. 5.1 Supplier's process for updates, patches, fixes and upgrades. 
Supplier warrants that it has implemented (or will implement xxxxx performing Services that involve processing Company Confidential Information) a process for applying and managing security updates, patches, fixes and upgrades (collectively, “Patches”) on all computer systems, networks, telecommunications systems, databases or other information technology environments owned, controlled, operated or maintained by Supplier or its Representatives, including without limitation electronic mail, voice mail, networks, and internet and intranet web portals (collectively, “Company Systems”). Each calendar quarter, Supplier shall generally deploy Patches that deliver the manufacturer-released security fixes or updates on all Computer Systems that have access to Confidential Information and/or Company Systems. 5.2 Supplier's use of the latest/updated anti-malware technology. Supplier shall ensure that anti-malware (e.g., virus, Trojan horse, spyware) technology, which includes the latest manufacturer's signatures, definition files, software and patches, is installed on the computer systems, networks, telecommunications systems, databases or other information technology environments owned, controlled, operated or maintained by Supplier or its Representatives, including without limitation electronic mail, voice mail, networks, internet and intranet web portals and the Supplier's web. 5.3 Supplier's removal or disabling of unnecessary services, applications and network protocols. Supplier shall remove all unnecessary services, applications and network protocols and shall disable all unnecessary components that cannot be removed. 5.4 Network security and intrusion prevention systems. 
Supplier shall restrict (and shall instruct xxxx Representatives to restrict) access to Company Confidential Information by means of firewalls or other appropriate network technologies. Supplier shall deploy intrusion prevention systems and firewalls on all publicly accessible Supplier computer systems that have access to Company Confidential Information or Company Systems. Data security. Supplier and its Representatives shall encrypt all Company Confidential Information when xxx transmissions are made between Supplier and Company and between Supplier and all third parties (including its companies' Representatives). Encryption xxxx xxxx use industry standard algorithms with a minimum key length of 128 bits. Access control. Supplier shall maintain controls to prohibit third parties (other than its Representatives, who are granted access under the terms of the Agreement) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure that procedures exist for prompt modification or termination of access or rights in the event of organizational changes. Supplier shall ensure that procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the need for accounts with privileged access. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access, xxxxx depends on the Service being provided and the availability of appropriate remote access methods. Information security incident management. 
Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. Supplier shall ensure that security incident response planning and notification procedures exist (and Supplier xxx implements) to monitor, react to, notify of and investigate all incidents related to Company Confidential Information. Supplier shall give notice to Company (and shall instruct xxxx Representatives to give notice) promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of Company Confidential Information, access to xxx, or other unauthorized disclosure of or access to information (each an “Incident”). In the event of actual or suspected unauthorized disclosure of Company Confidential Information, access to xxx, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis of the breach, inform Company of the root cause analysis and the proposed remedial actions and a plan for how to avoid

Appears in 1 contract

Samples: Supplier Agreement

Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and frequent status updates of any investigation related to an Incident. 
Schedule 2 - Privacy and Data Protection Schedule This Schedule shall only apply if Supplier processes personal data/information on behalf of Amgen. This Privacy and Data Protection Schedule (“Schedule”) supplements (and is not intended, and shall not be interpreted, to limit the terms of the Agreement) and is governed by the terms and conditions of the Agreement to which it is attached. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement. DEFINITIONS “Personal Information” means any information from which an individual may be identified, by direct or indirect means, including without limitation classes, categories and other types of information that may identify an individual as specified by Privacy Laws, that is provided to Supplier by or on behalf of Company or its Affiliates or is obtained by Supplier or its Representatives in connection with Supplier’s or its Representatives’ performance obligations hereunder. “Privacy Incidents” means any actual or reasonably suspected: (1) unauthorized access to or theft of Personal Information; (2) unauthorized use of Personal Information by a person with authorized access to such Personal Information for purposes of actual or reasonably suspected theft, fraud or identity theft; (3) unauthorized disclosure or alteration of Personal Information; (4) accidental or […] can be, disable. 5.4 Network security and intrusion prevention systems. Supplier shall restrict access to Company Confidential Information through the use of firewalls or other appropriate network technologies (and shall cause its Representatives to do the same). Supplier shall install intrusion prevention systems and firewalls on xxxxx publicly accessible Supplier computer systems through which Company Confidential Information or Company Systems are accessed. Data security. 
Supplier and its Representatives shall encrypt all Company Confidential Information in transmission between Supplier and Company and between Supplier and xxxxx third parties (including Company's Representatives). Standard algorithms with a minimum key length of 128 bits must be used for encryption. Access control. Supplier must establish and maintain controls that prevent third parties (other than its Representatives, who are authorized to access under the terms of this Agreement) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technology for service, user and administrator level accounts in accordance with the standard information security frameworks in use. Supplier must ensure that procedures are defined to promptly change access authorizations and other rights in the event of organizational changes. Supplier must ensure that procedures are defined for provisioning accounts with privileged access rights (e.g., system administrator rights). Supplier must review at regular intervals whether the privileged access rights are still required. If Supplier requires remote access to Company Confidential Information, xx shall xxxxx use the method of remote access approved by Company, which depends on the Service to be provided and the availability of suitable methods. Handling of information security incidents. Supplier shall implement procedures for auditing and logging access and activities, including restricted access attempts and privileged access. 
Supplier shall develop and implement security incident response plans and notification procedures so that all incidents concerning Company's information can be monitored, reported and investigated and appropriate action taken. In the event of unauthorized disclosures of or access to Company Confidential Information, Supplier must inform Company promptly, but no later than after 48 hours. Supplier shall direct its Representatives to do likewise. In the event of an actual or suspected unauthorized disclosure or such access, or another breach of the obligations set forth herein or in the Agreement in connection with Company Confidential Information, Supplier is obliged, without prejudice to other rights or remedies of Company, to promptly investigate the breach, perform an analysis to determine the causes and inform Company of the root cause analysis, and to propose and schedule remedial actions to prevent this or a comparable breach in future. Supplier shall consider in good faith all comments from Company regarding the investigation, the remedial actions and the schedule. Supplier shall regularly inform Company of the progress and results of investigations of incidents. Schedule 2: Data Protection Schedule This Schedule applies only if Supplier processes personal data/information on behalf of Amgen. This Data Protection Schedule (“Schedule”) supplements the Agreement, is not intended to limit the terms of the Agreement and shall not be interpreted as doing so. It is governed by the terms of the Agreement to which it is attached. 
All terms defined in the Agreement that are not otherwise defined herein have the meaning set forth in the Agreement. DEFINITIONS “Personal Data” means all information by which a person can be identified directly or indirectly in accordance with data protection law, for example Xxxxxxx, categories or other types of information capable of identifying a person, which Supplier has received from Company or its affiliates or on their behalf or in connection with the services to be performed hereunder by it or its Representatives. “Privacy Incident” means actual or suspected (1) unauthorized access to or theft of personal data, (2) unauthorized uses of personal data by a person authorized to access the personal data for the Xxxxx of an actual

Appears in 1 contract

Samples: Supplier Agreement

Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and frequent status updates of any investigation related to an Incident. Schedule 2 - Privacy and Data Protection Schedule This Schedule shall only apply if Supplier processes personal data/information on behalf of Amgen. 
This Privacy and Data Protection Schedule (“Schedule”) supplements (and is not intended, and shall not be interpreted, to limit the terms of the Agreement) and is governed by the terms and conditions of the Agreement to which it is attached. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement. DEFINITIONS “Personal Information” means any information from which an individual may be identified, by direct or indirect means, including without limitation classes, sistēmām. 5.2 Jaunākās/atjauninātas tehnoloģijas lietošana aizsardzībai pret ļaunprogrammatūru Piegādātāja sistēmā. Piegādātājam jāinstalē tehnoloģija aizsardzībai pret ļaunprogrammatūru (piem., vīrusiem, Trojas zirgu, spiegprogrammatūru) Piegādātāja un tā Pārstāvju datorsistēmā, tīklā, telekomunikācijas sistēmā, datubāzē vai citā informācijas tehnoloģijas vidē, kas xxxxxx xxx ko kontrolē, xxxxxxx stellen waarmee beveiligingsfixes of -updates van een release van xxx uztur Piegādātājs vai kāds no tā Pārstāvjiem, tostarp (bet ne tikai) elektroniskajā pastā, balss pastā, tīklos, interneta un iekštīkla portālos un Piegādātāja tīmeklī, un šajā tehnoloģijā jābūt ietvertām jaunākajām ražotāja signatūrām, definīcijas failiem, programmatūrai un ielāpiem. 5.3 Piegādātāja pienākums noņemt vai atspējot nevajadzīgos pakalpojumus, lietojumprogrammas un tīkla protokolus. Piegādātājam jānoņem visi nevajadzīgie pakalpojumi, lietojumprogrammas un tīkla protokoli un jāatspējo šādi nevajadzīgie komponenti, kurus nevar noņemt. 5.4 Tīkla drošība un pretielaušanās sistēmas. Izmantojot ugunsmūrus vai citu piemērotu tīkla tehnoloģiju, Piegādātājam (un tā Pārstāvjiem) ir jānovērš piekļuve Sabiedrības Konfidenciālai informācijai. Piegādātājam jāizvieto pretielaušanās sistēmas un ugunsmūri visās publiski pieejamajās Piegādātāja datorsistēmās, kas piekļūst Sabiedrības Konfidenciālai informācijai vai Sabiedrības sistēmām. Datu drošība. 
Supplier and its Representatives shall encrypt all Company Confidential Information transmitted between Supplier and Company and between Supplier and all third parties (including Supplier's company's Representatives). Encryption shall use industry-standard algorithms with a minimum key length of 128 bits. Access control. Supplier shall prevent and control access by third parties (other than Supplier's Representatives who are permitted access under the terms of the Agreement) to Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry-standard information security frameworks. Supplier shall ensure that procedures are in place for prompt modification or removal of access or rights when organizational changes are made. Supplier shall ensure that procedures are in place for granting privileged access rights (e.g., system administrator privileges) to accounts. Supplier shall regularly review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved remote access method that is appropriate to the Service being provided and the availability of appropriate remote access methods. Information security incident management. Supplier shall establish and implement access and activity audit and logging procedures, including (but not limited to) for identifying access attempts and privileged access.
Supplier shall ensure that security incident response plan and notification procedures are in place (and that Supplier implements them) to monitor, detect and investigate incidents related to Company Confidential Information and to report them. Supplier and its Representatives shall notify Company promptly (but in any event within 48 hours) if there has been, or there is reasonable suspicion that there has been, a disclosure of or access to Company Confidential Information or any other unauthorized disclosure of or access to it (each individually referred to as an "Incident"). If, with respect to Company Confidential Information, there has been unauthorized disclosure of or access to it, or the obligations set forth herein or in the Agreement have otherwise been breached (or there is reasonable suspicion thereof), Supplier shall promptly investigate the breach, perform a root cause analysis of the breach, and provide Company with the root cause analysis, recommended corrective actions and a schedule for preventing identical or similar breaches, without limiting or waiving any other rights and remedies available to Company. Supplier shall consider in good faith all comments provided by Company regarding the course of the investigation, the corrective actions or the schedule. Supplier shall provide Company with the results of any investigation related to an Incident and shall regularly inform it of developments in the investigation. Schedule 2 - Privacy and Data Protection Schedule This Schedule shall be observed only if Supplier processes personal data/information on behalf of Amgen.

Appears in 1 contract

Samples: Supplier Agreement

Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and frequent status updates of any investigation related to an Incident.
Schedule 2 - Privacy and Data Protection Schedule This Schedule shall only apply if Supplier processes personal data/information on behalf of Amgen. This Privacy and Data Protection Schedule (“Schedule”) supplements (and is not intended, and shall not be interpreted, to limit the terms of the Agreement) and is governed by the terms and conditions of the Agreement to which it is attached. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement. DEFINITIONS “Personal Information” means any information from which an individual may be identified, by direct or indirect means, including without limitation classes, categories and other types of information that may identify an individual as specified by Privacy Laws, that is provided to Supplier by or on behalf of Company or its Affiliates or is obtained by Supplier or its Representatives in connection with Supplier’s or its Representatives’ performance obligations hereunder. “Privacy Incidents” means any actual or reasonably suspected: (1) unauthorized access to or theft of Personal Information; (2) unauthorized use of Personal Information by a person with authorized access to such Personal Information for purposes of actual or reasonably suspected theft, fraud or identity theft; (3) unauthorized disclosure or alteration of Personal Information; (4) accidental or unlawful destruction of Personal Information; or (5) loss of Personal Information, including without limitation, any of the foregoing described in (1) – (4) caused by or resulting from a failure, lack of or inadequacy of Security or the malfeasance of Supplier or one or more of its Representatives. “Privacy Laws” means, as in effect from time to time, with respect to the
5.3 Supplier shall remove or disable unnecessary services, applications and network protocols. Supplier shall remove all services, applications and network protocols that are not necessary, and disable any such unnecessary components that cannot be removed.


Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and frequent status updates of any investigation related to an Incident.
Schedule 2 - Privacy and Data Protection Schedule This Schedule shall only apply if Supplier processes personal data/information on behalf of Amgen. This Privacy and Data Protection Schedule (“Schedule”) supplements (and is not intended, and shall not be interpreted, to limit the terms of the Agreement) and is governed by the terms and conditions of the Agreement to which it is attached. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement. DEFINITIONS “Personal Information” means any information from which an individual may be identified, by direct or indirect means, including without limitation classes, categories and other types of information that may identify an individual as specified by Privacy Laws, that is provided to Supplier by or on behalf of Company
protection against malware (viruses, Trojan horses, spyware) is installed on its computer system, network, telecommunication system, database or any other information technology environment owned, controlled, operated or maintained by Supplier or one of its Representatives, including but not limited to electronic mail, voicemail, networks and Internet and intranet portals, and that such technology incorporates the most recent manufacturer signatures, file definitions, software code and patches.


Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and frequent status updates of any investigation related to an Incident.
Schedule 2 - Privacy and Data Protection Schedule This Schedule shall only apply if Supplier processes personal data/information on behalf of Amgen. This Privacy and Data Protection Schedule (“Schedule”) supplements (and is not intended, and shall not be interpreted, to limit the terms of the Agreement) and is governed by the terms and conditions of the Agreement to which it is attached. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement. DEFINITIONS “Personal Information” means any information from which an individual may be identified, by direct or indirect means, including without limitation classes, categories and other types of information that may identify an individual as specified by Privacy Laws, that is provided to Supplier by or on behalf of Company or its Affiliates or is obtained by Supplier or its Representatives in connection with Supplier’s or its Representatives’ performance obligations hereunder. “Privacy Incidents” means any actual or reasonably suspected: (1) unauthorized access to or theft of Personal Information; (2) unauthorized use of Personal Information by a person with authorized access to such Personal Information for purposes of actual or reasonably suspected theft, fraud or identity theft; (3) unauthorized disclosure or alteration of Personal Information;
protocols that are not needed, and shall disable all such unnecessary components that cannot be removed.


Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and frequent status updates of any investigation related to an Incident.
the performance of any Services that involve processing of Company Confidential Information) a process for applying and managing security updates, patches, fixes and upgrades (collectively, “Updates”) on all computer systems, networks, telecommunication systems, databases and other information technologies that Supplier or any of its Representatives owns, controls, operates or maintains, including, without limitation, electronic mail, voicemail, networks and Internet and intranet web portals (collectively, “Company Systems”). Once each calendar quarter, Supplier shall deploy Updates that provide security patches or updates released by the manufacturer on all computer systems with access to Confidential Information and/or Company Systems. 5.2 Use of the latest/updated malware protection technology by Supplier. Supplier shall ensure that malware protection technology (e.g., virus, Trojan horse, spyware) is installed on all of its own computer systems, networks, telecommunication systems, databases and other information technologies and on those of its Representatives that Supplier or any of its Representatives owns, controls, operates or maintains, including, without limitation, electronic mail, voicemail, networks, Internet and intranet portals and Supplier's website, and includes the latest signatures, definition files, software and updates from the manufacturer. 5.3 Removal or disabling by Supplier of services, applications and network protocols that are not necessary. Supplier shall remove all services, applications and network protocols that are not required and shall disable any such components that are not necessary but cannot be removed. 5.4 Network security and intrusion prevention systems.
Supplier shall restrict (and shall ensure that its Representatives restrict) access to Company Confidential Information through the use of firewalls or other appropriate network technologies. Supplier shall deploy intrusion prevention systems and firewalls on all publicly accessible Supplier computer systems that have access to Company Confidential Information or Company Systems. Data security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmission between Supplier and Company and between Supplier and all third parties (including its Representatives). Encryption must use industry-standard algorithms with a minimum key length of 128 bits. Access control. Supplier shall prohibit, and shall maintain controls to prohibit, access by third parties (other than its Representatives who have access under the terms of the Agreement) to Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with applicable industry-standard information security frameworks. Supplier shall ensure procedures for timely modification or termination of access or rights in the event of organizational changes. Supplier shall ensure procedures for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of accounts with privileged access rights. If it requires remote access to Company Confidential Information, Supplier shall always use a Company-approved method of remote access appropriate to the Service being provided and the availability of appropriate remote access methods. Management of information security Incidents.
Supplier shall develop and implement procedures for auditing and logging access and activity, including, without limitation, access attempts and privileged access. Supplier shall ensure that security incident response planning and notification procedures exist and are implemented in order to monitor, react to, notify of and investigate any incident related to Company Confidential Information. Supplier shall promptly notify Company, and shall require the same of its Representatives, of any actual or reasonably suspected unauthorized disclosure of or access to, or other unauthorized disclosure of or access to, Company Confidential Information (each an “Incident”), but in all cases no later than 48 hours after the occurrence of the relevant event. In the event of actual or suspected unauthorized disclosure of, access to or other breach of the obligations under this document or the Agreement in connection with Company Confidential Information, without limiting or being deemed to waive Company's other rights or remedies, Supplier shall promptly investigate the breach, analyze the root cause of the breach, inform Company of the root cause analysis and the proposed corrective actions and
Schedule 2 - Privacy and Data Protection Schedule This Schedule shall only apply if Supplier processes personal data/information on behalf of Amgen. This Privacy and Data Protection Schedule (“Schedule”) supplements (and is not intended, and shall not be interpreted, to limit the terms of the Agreement) and is governed by the terms and conditions of the Agreement to which it is attached. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement.
DEFINITIONS “Personal Information” means any information from which an individual may be identified, by direct or indirect means, including without limitation classes, categories and other types of information that may identify an individual as specified by Privacy Laws, that is provided to Supplier by or on behalf of Company or its Affiliates or is obtained by Supplier or its Representatives in connection with Supplier’s or its Representatives’ performance obligations hereunder. “Privacy Incidents” means any actual or reasonably suspected: (1) unauthorized access to or theft of Personal Information; (2) unauthorized use of Personal Information by a person with authorized access to such Personal Information for purposes of actual or reasonably suspected theft, fraud or identity theft; (3) unauthorized disclosure or alteration of Personal Information; (4) accidental or unlawful destruction of Personal Information; or (5) loss of Personal Information, including without limitation, any of the foregoing described in (1) – (4) caused by or resulting from a failure, lack of or inadequacy of Security or the malfeasance of Supplier or one or more of its Representatives. “Privacy Laws” means, as in effect from time to time, with respect to the Processing of Personal Information, the applicable data privacy laws of the applicable jurisdiction, including without limitation the national and sub-national laws based on the European Union Data Protection Directive 95/46/EC (“EU Data Protection Directive”) and, if and when the EU Data Protection Directive is repealed, the European Union General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) (the EU Data Protection Directive and GDPR are referred to collectively as “EU Data Protection Laws”) and all data breach notification and information security laws and regulations specific thereto.
“Process” or “Processing” (or any variation thereof) means any operation or set of operations that is performed on Personal Information, whether or not by automatic means, such as viewing, accessing, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. “Security” means technological, physical and administrative controls, including but not limited to policies, procedures, organizational structures, hardware and software functions, as well as physical security measures, the purpose of which is, in whole or part, to ensure the confidentiality, integrity or availability of Personal Information. PROCESSING OF PERSONAL INFORMATION Supplier covenants and agrees to comply with the terms and conditions of this Schedule if Supplier Processes Personal Information. Without limiting Supplier’s obligations set forth elsewhere in this Schedule and in the Agreement (including without limitation obligations of confidentiality), Supplier shall: (i) act in accordance with Company’s written instructions in the Processing of Personal Information and comply with the requirements of all applicable Privacy Laws; (ii) only Process Personal Information for purposes of performing its obligations under the Agreement; and (iii) provide access to Personal Information to its Representatives only to the extent reasonably necessary for performing its obligations under the Agreement; provided, that prior to providing Supplier’s Representatives with such access, Supplier

Appears in 1 contract

Samples: Supplier Agreement


Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of Security Operations Management. 5.1 Supplier shall provide for updates, patches, fixes and upgrades. Supplier represents that it has a process (or that it will implement such a process before providing Services that involve the processing of Company Confidential Information) for applying and managing security updates, patches, fixes and upgrades (collectively, "Patches") on any computer system, network, telecommunications system, database or other information technology environment owned, controlled, operated or maintained by Supplier or any of its Representatives, including without limitation e-mail and voicemail systems, networks, and internet and intranet web portals (collectively, "Company Systems"). 
Once every calendar quarter, Supplier shall deploy Patches that provide security fixes or security updates from a manufacturer's release on all Computer Systems that access Confidential Information and/or Company Systems. 5.2 Supplier's use of the latest/updated malware protection technology. Supplier shall ensure that technology providing protection against malware (i.e., viruses, Trojan horses, spyware) is installed on its own and its Representatives' computer systems, networks, telecommunications systems, databases or other information technology environments owned, controlled, operated or maintained by Supplier or any of its Representatives, including without limitation e-mail and voicemail systems, networks, internet and intranet portals and Supplier's web network, and that the technology includes the latest manufacturer signatures, definition files, software and patches. 5.3 Supplier's removal or disabling of unnecessary services, applications and network protocols. Supplier shall remove all unnecessary services, applications and network protocols, and shall disable those unnecessary components that cannot be removed. 5.4 Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. 
Supplier shall deploy intrusion prevention systems and firewalls on all publicly accessible Supplier computer systems that have access to Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information that is transmitted between Supplier and Company and between Supplier and any third party (including Supplier's Representatives). Encryption must be implemented using industry standard algorithms; the minimum key length is 128 bits. Access Control. Supplier shall prohibit third parties (other than Supplier's Representatives, who are permitted access in accordance with the terms of the Agreement) from accessing Company Confidential Information, and shall maintain controls to prohibit such access. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure that procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure that procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall regularly review the necessity of privileged access accounts. If Supplier requests remote access to Company Confidential Information, Supplier shall in every case use the Company-approved method of remote access that is appropriate to the service being provided and to the availability of appropriate remote access methods. Information Security Incident Management. 
Supplier shall establish and implement procedures for auditing and logging access and activity, including without limitation access attempts and privileged access. Supplier shall ensure that security incident response planning and notification procedures exist (and the Service Provider shall implement them) to monitor, handle, report and investigate any incidents related to Company Confidential Information. Supplier shall (and shall cause its Representatives to) notify Company promptly, but no later than within 48 hours, of any actual or reasonably suspected unauthorized disclosure of, or access to, Company Confidential Information, or of Company Confidential Information's

Appears in 1 contract

Samples: Supplier Agreement

Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Confidential Information in locations that are protected against natural disasters, theft, physical intrusion, heat or cold problems, power failures or outages, and unlawful and unauthorized physical access. Security Operations Management. 5.1 Supplier process for updates, patches, fixes and upgrades. Supplier represents that it has (or that it will implement before performing any Services that involve the processing of Company Confidential Information) a process for applying and managing security updates, patches, fixes and upgrades (collectively, "Patches") on all computer systems, networks, telecommunications systems, databases or other information technology environments owned, controlled, operated or maintained by Supplier or any of its Representatives, including without limitation electronic mail, voicemail, networks, and internet or intranet web portals (collectively, "Company Systems"). 
Supplier shall once every quarter deploy Patches that provide security fixes or security updates from a manufacturer's release on all Computer Systems that have access to Confidential Information and/or Company Systems. 5.2 Supplier's use of the latest/updated technology for protection against malware. Supplier shall ensure that technology for protection against malware (e.g., viruses, Trojans, spyware) is installed on its own and its Representatives' computer systems, networks, telecommunications systems, databases or other information technology environments owned, controlled, operated or maintained by Supplier or any of Supplier's Representatives, including without limitation electronic mail, voicemail, networks, internet and intranet portals and Supplier's xxxx. This shall include the manufacturer's latest signatures, definition files, programs and fixes. 5.3 Supplier shall remove or disable unnecessary services, programs and network protocols. Supplier shall remove all services, programs and network protocols that are not required, and shall disable all unnecessary components that cannot be removed.

Appears in 1 contract

Samples: Supplier Agreement

Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and frequent status updates of any investigation related to an Incident. Schedule 2 - Privacy and Data Protection Schedule This Schedule shall only apply if Supplier processes personal data/information on behalf of Amgen. This Privacy and Data Protection Schedule (“Schedule”) supplements (and is not intended, and shall not be interpreted, to limit the terms of the Agreement) and is governed by the terms and conditions of the Agreement to which it is attached. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement. 
of its Representatives owns or that they control, operate or maintain, including electronic mail, voicemail and networks as well as Internet and intranet web portals (collectively, "Company Systems"). Each calendar quarter, Supplier shall deploy Patches that contain security fixes or updates made by the manufacturer on all computer systems that are used to access Confidential Information and/or Company Systems. 5.2 Supplier uses the latest/updated malware protection technology. Supplier shall ensure that technology protecting against, for example, viruses, Trojan horses and spyware is installed on its own and its Representatives' computer systems, networks, telecommunications systems, databases and other information technology environments that Supplier or any of its Representatives owns or that they control, operate or maintain, including electronic mail, voicemail and networks as well as Internet and intranet web portals, and on Supplier's web server, and that it includes the latest manufacturer signature and definition files, software and patches. 5.3 Supplier disables or removes unnecessary services, applications and network protocols. Supplier shall remove all services, applications and network protocols that are not needed, and shall disable any unnecessary components that cannot be removed. 5.4 Network Security and Intrusion Prevention Systems. Supplier shall restrict access to Company Confidential Information through the use of firewalls or other appropriate network technologies, and shall require its Representatives to do the same. Supplier shall deploy intrusion prevention systems and firewalls on all publicly accessible Supplier computer systems that are used to access Company Confidential Information or Company Systems. Data Security. 
Supplier and its Representatives shall encrypt all Company Confidential Information when it is transmitted between Supplier and Company and between Supplier and all third parties (including its Representatives). Encryption must be based on industry standard algorithms. The key length must be at least 128 bits. Access Control. Supplier must prevent third parties from accessing Company Confidential Information. This does not apply to its Representatives, who are permitted to access this information in accordance with the terms of the Agreement. Supplier and its Representatives must use authentication and authorization technologies for service, user and administrator level accounts that meet the requirements set for information security in industry standards. Supplier must ensure that access rights can be modified promptly and can be revoked due to organizational changes. Supplier must ensure that accounts can be given different access levels (for example, system administrator rights). Supplier must regularly assess the need for privileged accounts. If Supplier must establish a remote connection to Company Confidential Information, Supplier must always use the Company-approved remote access method, which is determined by the Service being provided and the availability of remote access methods. Information Security Incident Management. Supplier must implement access and activity auditing and logging practices, including without limitation access attempts and privileged access. Supplier must ensure that security incident planning and notification procedures have been undertaken (and Supplier must implement the procedures) to monitor, react to, report and investigate incidents related to Company Confidential Information. 
Supplier and its Representatives must notify Company without delay, and no later than within 48 hours, of any actual or reasonably suspected access to or unauthorized disclosure of Company Confidential Information (an "Incident"). If Company confidential information is disclosed or accessed, or obligations under the agreement relating to Company Confidential Information are otherwise not complied with, or this is suspected to have occurred, Company must promptly investigate the breach, analyze the root cause of the breach, inform Company of the results of the root cause analysis and propose remedial actions and a schedule to prevent the same or a similar breach. This does not exclude Company's other rights or other remedies. Supplier must take into account all comments that Company provides regarding the investigation, remedial actions and schedule. Supplier must inform Company of the results of any investigation conducted because of an Incident and keep Company up to date. Schedule 2 – Privacy and Data Protection This Schedule shall only apply if Supplier processes Personal Data on behalf of Xxxxxxx. This Privacy and Data Protection Schedule ("Information Security Requirements Schedule") supplements the Agreement and does not limit its terms, and shall not be interpreted as limiting the terms. Its

Appears in 1 contract

Samples: Supplier Agreement

Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and frequent status updates of any investigation related to an Incident. 
against malware (for example, viruses, Trojan horses, spyware) on its own and its Representatives' computer systems, networks, telecommunications systems, databases and other information technology environments that are owned, controlled, operated or maintained by Supplier or its Representatives, including without limitation electronic mail, voicemail, networks and internet and intranet web portals and Supplier's website, and includes the latest manufacturer signatures, definition files, software and patches. 5.3 Supplier removes and disables unnecessary Services, programs and network protocols. Supplier shall remove all services, programs and network protocols that are not necessary, and shall disable all unnecessary components that cannot be removed. 5.4 Network security and intrusion prevention systems. Supplier shall prevent (and shall ensure that its Representatives prevent), through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall install intrusion prevention systems and firewalls on all of Supplier's publicly accessible computer systems that provide access to Company's Confidential Information or systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including Company's Representatives). 
Encryption shall use industry standard algorithms with a minimum key length of 128 bits. Access Control. Supplier shall provide for controls that prevent third parties (other than its Representatives, who have access pursuant to the terms of the Agreement) from gaining access to Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with information security frameworks based on industry standards. Supplier shall ensure that procedures exist for prompt modification or termination of access or rights as a result of organizational changes. Supplier shall provide for the provisioning of accounts with access rights (for example, system administration rights). Supplier shall periodically assess the necessity of accounts with access rights. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement procedures for approval and logging of access and activity, including without limitation access attempts and privileged access. Supplier shall provide for and implement security procedures for planning activities in connection with incidents and for notification thereof, in order to monitor, react to, inform about and investigate incidents relating to Company Confidential Information. 
Supplier and its Representatives shall notify Company promptly, but in all events within 48 hours, of any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure of or access to Company Confidential Information (each referred to as an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to or other breach of the obligations described herein or in the Agreement with respect to Company Confidential Information, Supplier shall, without limiting or waiving any other rights or remedies available to Company, promptly investigate the breach, analyze the root cause of the breach, and inform Company of the root cause analysis and the proposed remedial measures and plans to prevent the same or a similar breach. Supplier shall consider in good faith all comments that Company makes in connection with the investigation, remedial actions or the plan. Supplier shall ensure that Company receives the results of, and regular status updates on, all investigations of an Incident.

Appears in 1 contract

Samples: Supplier Agreement

Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publically accessible Supplier computer systems that access Company Confidential Information or Company Systems. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including its company’s Representatives). Encryption must utilize industry standard algorithms with a minimal key length of 128 bit. Access Control. Supplier shall, and shall maintain controls to, prohibit third parties (other than its Representatives, who, pursuant to the terms of the Agreement, are permitted access) from accessing Company Confidential Information. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with industry standard information security frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes. Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. 
Supplier shall ensure security incident response planning and notification procedures exist (and Supplier implements) to monitor, react, notify and investigate any incident related to Company Confidential Information. Supplier shall, and shall cause its Representatives to, give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of, access to or other unauthorized disclosure or access to Company Confidential Information (each an "Incident"). In the event of actual or suspected unauthorized disclosure of, access to, or other breach of the obligations set forth herein or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis on the breach, inform Company of the root cause analysis and proposed remedial actions and schedule to prevent the same or similar breach. Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and frequent status updates of any investigation related to an Incident.
Schedule 2 - Privacy and Data Protection Schedule This Schedule shall only apply if Supplier processes personal data/information on behalf of Amgen. This Privacy and Data Protection Schedule (“Schedule”) supplements (and is not intended, and shall not be interpreted, to limit the terms of the Agreement) and is governed by the terms and conditions of the Agreement to which it is attached. Any defined terms not otherwise defined herein shall have the meanings set forth in the Agreement. DEFINITIONS “Personal Information” means any information from which an individual may be identified, by direct or indirect means, including without limitation classes, categories and other types of information that may identify an individual as specified by Privacy Laws, that is provided to Supplier by or on behalf of Company or its Affiliates or is obtained by Supplier or its Representatives in connection with Supplier’s or its Representatives’ performance obligations hereunder. “Privacy Incidents” means any actual or reasonably suspected: (1) unauthorized access to or theft of Personal Information; (2) unauthorized use of Personal Information by a person with authorized access to such Personal Information for purposes of actual or reasonably suspected theft, fraud or identity theft; (3) unauthorized disclosure or alteration of Personal Information; (4) accidental or unlawful destruction of Personal Information; or (5) loss of Personal Information, including without limitation, any of the foregoing described in (1) – (4) caused by or resulting from a failure, lack of or inadequacy of Security or the malfeasance of Supplier or one or more of its Representatives. 
“Privacy Laws” means, as in effect from time to time, with respect to the Processing of Personal Information, the applicable data privacy laws of the applicable jurisdiction, including without limitation the national and sub-national laws based on the European Union Data Protection Directive

all services, applications and network protocols that are not necessary, and to disable all such elements that cannot be removed. 5.4 Network Security and Intrusion Prevention Systems. Supplier shall (and shall cause its Representatives to) restrict, through the use of firewalls or other appropriate network technologies, access to Company Confidential Information. Supplier shall deploy intrusion prevention systems and firewalls on all publicly accessible Supplier computer systems through which Company Confidential Information or Company Systems are accessed. Data Security. Supplier and its Representatives shall encrypt all Company Confidential Information in transmissions between Supplier and Company and between Supplier and all third parties (including Company’s Representatives). Encryption must use algorithms that conform to technical standards, with a minimum key length of 128 bits. Access Control. Supplier shall prohibit third parties (other than its Representatives who are permitted access under the terms of the Agreement) from accessing Company Confidential Information, and shall maintain appropriate controls to enforce that prohibition. Supplier and its Representatives shall use authentication and authorization technologies for service, user and administrator level accounts in accordance with information security technical standard frameworks. Supplier shall ensure procedures exist for prompt modification or termination of access or rights in response to organizational changes.
Supplier shall ensure procedures exist for provisioning accounts with privileged access rights (e.g., system administration privileges). Supplier shall periodically review the necessity of privileged access accounts. If Supplier requires remote access to Company Confidential Information, Supplier shall always use the Company-approved method of remote access that is specific to the Service being provided and the availability of appropriate remote access methods. Information Security Incident Management. Supplier shall establish and implement access and activity audit and logging procedures, including without limitation access attempts and privileged access. Supplier shall ensure security incident response planning and notification procedures exist (and are implemented) to manage, react to, notify of and investigate any incident related to Company Confidential Information. Supplier shall give notice to Company promptly, but in all events within 48 hours, after any actual or reasonably suspected unauthorized disclosure of or access to Company Confidential Information, or any other unauthorized disclosure of or access to Company Confidential Information (each an “Incident”). In the event of actual or reasonably suspected unauthorized disclosure of or access to Company Confidential Information, or other breach of the obligations set forth in this Schedule or in the Agreement with respect to Company Confidential Information, without limiting or waiving any other rights or remedies available to Company, Supplier shall promptly investigate the breach, perform a root cause analysis of the breach, and inform Company of the root cause analysis, the proposed remedial actions and the schedule to prevent the same or a similar breach.
Supplier shall consider in good faith all comments that Company provides with respect to the investigation, remedial actions or schedule. Supplier shall provide Company with results and regular status updates of any investigation related to an Incident. Schedule 2 – Privacy and Data Protection Schedule This Schedule shall only apply if Supplier processes personal data/information on behalf of Amgen. This Privacy and Data Protection Schedule (“Schedule”) supplements the terms and conditions of the Agreement to which it is attached (and is not intended, and shall not be interpreted, to limit the terms of the Agreement) and is governed by the terms and conditions of that Agreement. Any defined terms not otherwise defined in this Schedule shall have the meanings set forth in the Agreement. DEFINITIONS “Personal Information” means any information from which an individual may be identified, directly or indirectly, including without limitation classes, categories and other types of information that may identify an individual as specified by Privacy Laws, that is provided to Supplier by Company or any of its Affiliates, or by a third party on behalf of Company or its Affiliates, or that is obtained by Supplier or any of its Representatives in connection with the performance obligations set out herein for Supplier or its Representatives.
“Privacy Incidents” means any of the following, whether actual or reasonably suspected: (1) unauthorized access to or theft of Personal Information; (2) unauthorized use of Personal Information by a person with authorized access to such Personal Information for purposes of actual or reasonably suspected theft, fraud or identity theft; (3) unauthorized disclosure or alteration of Personal Information; (4) accidental or unlawful destruction of Personal Information; or (5) loss of Personal Information, including without limitation any of the foregoing described in (1) to (4) caused by or resulting from a failure, lack or inadequacy of Security or the unlawful conduct of Supplier or one or more of its Representatives. “Privacy Laws” means, as in effect from time to time, with respect to the Processing of Personal Information, the applicable data protection laws of the applicable jurisdiction, including without limitation the national and sub-national

Appears in 1 contract

Samples: Supplier Agreement
