Common use of Obligations of Processor Clause in Contracts

Obligations of Processor. (a) The Processor shall use commercially reasonable efforts that persons authorized by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any Subprocessors, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data, process such personal data in compliance with this DPA. (b) The Processor shall use commercially reasonable efforts to implement and maintain the technical and organizational measures as specified in Annex 1 to this DPA. The Processor may amend the technical and organizational measures from time to time, provided that the amended technical and organizational measures are in overall not less protective as those set out in Exhibit 2. Substantial amendments to the technical and organizational measures shall be notified to the Controller. (c) The Processor shall use commercially reasonable efforts to make available to the Controller any information necessary to demonstrate compliance with the obligations of Processor laid down in Art. 28 GDPR and in this DPA. (d) The Processor shall use commercially reasonable efforts to provide an independent third-party audit report upon Controller`s request, where such audit report shall only be requested once per calendar year and at Controller`s costs. (e) The Processor is obliged to notify the Controller within forty-eight (48) hours: • about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and • about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless the Processor has been otherwise authorized by the Controller to do so, or (ii) in case of a Security breach the Processor is becoming aware of. (f) The Processor shall use commercially reasonable efforts to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller, where any extraordinary costs hereto shall be xxxxx by Customer. (g) The Processor shall use commercially reasonable efforts to not further process the personal data, after the end of the provision of Services, and delete any existing copies unless European Union or Member State law requires the Processor to retain such personal data.

Obligations of Processor. (a) The Processor shall use commercially reasonable efforts that persons authorized by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any Subprocessors, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data, data process such personal data in compliance with this DPA. (b) The Processor shall use commercially reasonable efforts to implement and maintain the technical and organizational measures as specified in Annex 1 to this DPAExhibit 2. The Processor may amend the technical and organizational measures from time to time, provided that the amended technical and organizational measures are in overall not less protective as those set out in Exhibit 2. Substantial amendments to the technical and organizational measures shall be notified to the Controller. (c) The Processor shall use commercially reasonable efforts to make available to the Controller any information necessary to demonstrate compliance with the obligations of Processor laid down in Art. 28 GDPR and in this DPA. (d) The Processor shall use commercially reasonable efforts to provide an independent third-party audit report upon Controller`s request, where such audit report shall only be requested once per calendar year and at Controller`s costs. (e) The Processor is obliged to notify the Controller within forty-eight (48) 48 hours: • about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and • and (i) about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless the Processor has been otherwise authorized by the Controller to do so, or (ii) in case of a Security breach the Processor is becoming aware of. (f) The Processor shall use commercially reasonable efforts to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller, where any extraordinary costs hereto shall be xxxxx by Customer. (g) The Processor shall use commercially reasonable efforts to not further process the personal data, after the end of the provision of Services, and delete any existing copies unless European Union or Member State law requires the Processor to retain such personal data.

Obligations of Processor. (a) The Processor shall use commercially reasonable efforts that persons authorized by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any Subprocessors, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data, data process such personal data in compliance with this DPA. (b) The Processor shall use commercially reasonable efforts to implement and maintain the technical and organizational measures as specified in Annex 1 to this DPAExhibit 2. The Processor may amend the technical and organizational measures from time to time, provided that the amended technical and organizational measures are in overall not less protective as those set out in Exhibit 2. Substantial amendments to the technical and organizational measures shall be notified to the Controller. (c) The Processor shall use commercially reasonable efforts to make available to the Controller any information necessary to demonstrate compliance with the obligations of Processor laid down in Art. 28 GDPR and in this DPA. (d) The Processor shall use commercially reasonable efforts to provide an independent third-party audit report upon Controller`s request, where such audit report shall only be requested once per calendar year and at Controller`s costs. (e) The Processor is obliged to notify the Controller within forty-eight (48) 48 hours: •  about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and • and (i) about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless the Processor has been otherwise authorized by the Controller to do so, or (ii) in case of a Security breach the Processor is becoming aware of. (f) The Processor shall use commercially reasonable efforts to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller, where any extraordinary costs hereto shall be xxxxx by Customer. (g) The Processor shall use commercially reasonable efforts to not further process the personal data, after the end of the provision of Services, and delete any existing copies unless European Union or Member State law requires the Processor to retain such personal data.

Obligations of Processor. MentorcliQ shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Controller’s documented instructions for the following purposes: (a) The Processor shall use commercially reasonable efforts that persons authorized by Processing in accordance with the Processor to process the personal data on behalf Agreement and applicable Order Form(s) of the Controller, in particular the Processor's employees as well as employees Statement(s) of any Subprocessors, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data, process such personal data in compliance with this DPA. Work; (b) The Processing initiated by Data Subjects in their use of the Services; and (c) Processing to comply with other documented reasonable instructions provided by Controller (e.g., via email) where such instructions are consistent with the terms of the Agreement and otherwise lawful. Processor shall use commercially reasonable efforts to implement and maintain take the appropriate technical and organizational measures as specified in Annex 1 to this DPA. The Processor may amend the technical and organizational measures from time adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to timePersonal Data, provided that the amended technical and organizational measures are in overall not less protective as those set out in Exhibit 2. Substantial amendments described under Appendix 2 to the technical and organizational measures shall be notified to the Standard Contractual Clauses. Processor will facilitate Controller. (c) The Processor shall use commercially reasonable efforts to make available to the Controller any information necessary to demonstrate ’s compliance with the Controller’s obligation to implement security measures with respect to Personal Data (including if applicable Controller’s obligations pursuant to Articles 32 to 34 (inclusive) of Processor laid down the GDPR), by implementing and maintaining the security measures described under Appendix 2, complying with the terms relation to Personal Data Breaches below; and providing the Controller with information in Artrelation to the Processing in accordance with Section 5 (Audits). 28 GDPR and in this DPA. (d) The Processor shall use commercially reasonable efforts ensure that any personnel whom Processor authorizes to provide an independent third-party audit report upon Controller`s request, where such audit report process Personal Data on its behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall only be requested once per calendar year and at Controller`s costs. (e) The continue after the termination of the Agreement. Processor is obliged to will notify the Controller within forty-eight (48) hours: • about as soon as practicable after it becomes aware of any of any Personal Data Breach affecting any Personal Data. At the Controller’s request, Processor will promptly provide the Controller with all reasonable assistance necessary to enable the Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Controller is required to do so under the Data Protection Law. MentorcliQ shall, to the extent legally binding permitted, promptly notify Controller if MentorcliQ, receives a request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and • about any complaints and requests received directly from a data subject (e.g., regarding Data Subject to exercise the Data Subject's right of access, right to rectification, erasure, restriction of processingProcessing, erasure (“right to be forgotten”), data portability, objection object to processing the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). MentorcliQ shall assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of dataController’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, automated decision-making) without responding to that the extent Controller, in its use of the Services, does not have the ability to address a Data Subject Request, MentorcliQ shall, upon Controller’s request, unless the Processor has been otherwise authorized by the Controller to do so, or (ii) in case of a Security breach the Processor is becoming aware of. (f) The Processor shall use provide commercially reasonable efforts to assist Controller in responding to such Data Subject Request, to the extent MentorcliQ is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. Processor shall be entitled to engage sub-Processors to fulfil Processor’s obligations defined in the Agreement only with Controller’s written consent. For these purposes, Controller consents to the engagement as sub-Processors of Processor’s affiliated companies and the third parties listed in Exhibit 2. For the avoidance of doubt, the above authorization constitutes Controller’s prior written consent to the sub-Processing by Processor for purposes of Clause 11 of the Standard Contractual Clauses. Where Processor engages sub-Processors, Processor will enter into a contract with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Processor under this DPA. Where the sub-Processor fails to fulfil its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the obligations, Processor will remain liable to the Controller for the performance of such sub- Processors obligations. Controller acknowledges and agrees that, in connection with the performance of the services under this DPA the Agreement, Personal Data will be transferred to MentorcliQ in the United States. MentorcliQ. Is a part of the EU-U.S. and Swiss- U.S. Privacy Shield Frameworks, in order to implement appropriate safeguards for such transfers pursuant to Article 46 of the GDPR. The Standard Contractual Clauses at Exhibit 1 will apply with respect to Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by means the European Commission as providing an adequate level of providing protection for personal data (as described in the necessary and available information Data Protection Law). Other than to the Controllerextent required to comply with Data Protection Law, where any extraordinary costs hereto shall be xxxxx by Customer. (g) The Processor shall use commercially reasonable efforts to not further process the personal data, after the end following termination or expiry of the provision of ServicesAgreement, Processor will return data to the Controller in a mutually agreeable format (e.g. .csv flat-file) and delete any existing all Personal Data (including copies unless European Union or Member State law requires the Processor thereof) processed pursuant to retain such personal datathis DPA.

Obligations of Processor. (a) The Processor shall use commercially reasonable efforts that persons authorized by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any Subprocessors, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data, process such personal data in compliance with this DPA. (b) The Processor shall use commercially reasonable efforts to implement and maintain the technical and organizational measures as specified in Annex 1 to this DPA. The Processor may amend the technical and organizational measures from time to time, provided that the amended technical and organizational measures are in overall not less protective as those set out in Exhibit 2. Substantial amendments to the technical and organizational measures shall be notified to the Controller. (c) The Processor shall use commercially reasonable efforts to make available to the Controller any information necessary to demonstrate compliance with the obligations obligatio ns of Processor laid down in Art. 28 GDPR and in this DPA. (d) The Processor shall use commercially reasonable efforts to provide an independent third-party audit report upon Controller`s request, where such audit report shall only be requested once per calendar year and at Controller`s costs. (e) The Processor is obliged to notify the Controller within forty-eight (48) hours: • about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and • about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processingp rocessing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless the Processor has been otherwise authorized by the Controller to do so, or (ii) in case of a Security breach the Processor is becoming aware of. (f) The Processor shall use commercially reasonable efforts to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller, where any extraordinary costs hereto shall be xxxxx by Customer. (g) The Processor shall use commercially reasonable efforts to not further process the personal data, after the end of the provision provis ion of Services, and delete any existing copies unless European Union or Member State law requires the Processor to retain such personal data.

Obligations of Processor. Processor represents and warrants that: Processor will Process the Personal Data only (a) The for the purpose of fulfilling its obligations under the Services Agreement, (b) as authorized under the Services Agreement, (c) as required to comply with an order of a court, governmental agency, or law enforcement agency, (d) as otherwise instructed in writing by Controller and agreed to by Processor, and (e) in accordance with the GDPR and all other applicable data privacy and security laws, and the terms of this Addendum. Processor shall use commercially reasonable efforts will request from Controller and/or Process only the minimum necessary Personal Data required to perform the Services. Processor will notify Controller in writing immediately upon making a determination that persons authorized it has not met, or can no longer meet, its obligations under Section 2.6, and, in such case, will abide by the Processor Controller’s written instructions, including instructions to process the personal data on behalf cease further Processing of the ControllerPersonal Data, and take any necessary steps to remediate any Processing of such Personal Data not in particular the Processor's employees as well as employees accordance with Section 2.6 of this Addendum. Processor will submit its data processing facilities, data files and documentation needed for Processing Personal Data to auditing and/or review by Controller or any Subprocessors, have committed themselves independent auditor or inspection entity reasonably selected by Controller to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data, process such personal data in ascertain compliance with this DPA. (b) The Processor shall use commercially Addendum upon the written request of Controller, with reasonable efforts to implement notice and maintain the technical and organizational measures as specified in Annex 1 to this DPA. The Processor may amend the technical and organizational measures from time to timeduring normal business hours; provided, provided however, that the amended technical and organizational measures are in overall not less protective as those set out in Exhibit 2. Substantial amendments to the technical and organizational measures such audit shall be notified at Controller’s sole cost and expense, shall be subject to any confidentiality/non-disclosure provisions set forth in the Controller. Services Agreement, and Controller and any auditor maybe required to execute a mutually agreed upon confidentiality/non-disclosure agreement. Processor will obtain the prior written approval of Controller to disclose Personal Data to any Third Party Processor, or otherwise allow any third party to access Personal Data; and, in such an event, it shall (ca) The Processor shall use commercially reasonable efforts impose, in writing, the same data privacy and security requirements on any such third party to make available to the Controller any information necessary to demonstrate compliance with the obligations of Processor laid down in Art. 28 GDPR and in this DPA. (d) The Processor shall use commercially reasonable efforts to provide an independent third-party audit report upon Controller`s request, where such audit report shall only be requested once per calendar year and at Controller`s costs. (e) The which Processor is obliged to notify the Controller within forty-eight (48) hours: • about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and • about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless the Processor has been otherwise authorized by the Controller to do so, or (ii) in case of a Security breach the Processor is becoming aware of. (f) The Processor shall use commercially reasonable efforts to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller, where any extraordinary costs hereto shall be xxxxx by Customer. (g) The Processor shall use commercially reasonable efforts to not further process the personal data, after the end of the provision of Services, and delete any existing copies unless European Union or Member State law requires the Processor to retain such personal data.Addendum;

Obligations of Processor. The Processor will process the Personal Data as follows: (a) The Processor shall Not retain, use commercially reasonable efforts that or otherwise disclose any Personal Data for any purpose other than to provide the services specified in the Agreement; (b) Keep the Personal Data secure and accessible only to authorized persons authorized by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any Subprocessors, have who are committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data, process such personal data in compliance with this DPA. (b) The Processor shall use commercially reasonable efforts to implement and maintain the technical and organizational measures as specified in Annex 1 to this DPA. The Processor may amend the technical and organizational measures from time to time, provided that the amended technical and organizational measures are in overall not less protective as those set out in Exhibit 2. Substantial amendments to the technical and organizational measures shall be notified to the Controller.confidentiality; (c) The Process such Personal Data only on documented instructions from the Controller. For Customers that are European this shall include matters concerning transfers of Personal Data to third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall use commercially reasonable efforts inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; (d) At the expiration of the term or during the term of the Agreement, comply with Controller instruction to make available and/or delete the Personal Data as soon as reasonably practicable and within a maximum period of 180 days, unless applicable Data Protection Laws required storage. The cost shall be borne by the Controller; (e) Make available to the Controller any Controller, upon its express request, information necessary to demonstrate compliance with the obligations of Processor laid down in Art. 28 GDPR and this document by appropriate means in this DPA. (d) The Processor shall use commercially reasonable efforts to provide an independent third-party audit report upon Controller`s request, where such audit report shall only be requested once per calendar year and at Controller`s costs. (e) The Processor is obliged to notify compliance with the Controller within forty-eight (48) hours: • about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and • about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless the Processor has been otherwise authorized by the Controller to do so, or (ii) in case of a Security breach the Processor is becoming aware of.Processor’s internal organization; (f) The Immediately inform the Controller if, in its opinion, an instruction of the Controller infringes the applicable Data Protection Laws. Once informed that one of its instructions may be in breach of the applicable Data Protection Laws, the Controller shall assess the situation and determine whether the instruction actually violates a Data Protection Law. If the Controller persists with an unlawful instruction, the Processor shall use commercially reasonable efforts be entitled to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the Processor to the Controller under terminate this DPA by means of providing or the necessary and available information to the Controller, where any extraordinary costs hereto shall be xxxxx by Customer.related Agreement; (g) The Ensure that such Personal Data is only used for purposes authorized by the Controller; (h) Implement and maintain appropriate Physical, Technical and Organizational Security Measures. Notwithstanding any provision to the contrary, the Processor shall use commercially reasonable efforts to may modify or update the Physical, Technical and Organizational Security Measures at its discretion provided that such modification or update does not further process result in a material degradation in the personal dataprotection offered by the Physical, Technical and Organizational Security Measures; (i) Notify the Controller without undue delay, after becoming aware, with all available information regarding a Security Incident and provide cooperation as necessary to enable it to comply with any obligation to report information regarding such a Security Incident to the end appropriate regulatory agency and/or to the relevant data subjects in accordance with the requirements of the provision applicable Data Protection Laws; (j) Return or with regard to Linkers Software, provide access to retrieve the Personal Data to Controller during the three (3) months after the termination or the expiry of Servicesthe Agreement, and delete any existing copies unless European Union or Member State law requires the Processor required to retain such personal data.be stored under other applicable Data Protection Laws;

Obligations of Processor. (a) The Processor shall: a. Comply with and act on any written instruction from and on behalf of the Controller regarding the Processing of Personal Data. Such obligation also applies to the transfer of Personal Data to a third country. Processor shall use commercially reasonable efforts transfer Personal Data to the US via its IT Network. Instructions are provided in the Agreement, this DPA and/or otherwise in documented form. b. Not Process Personal Data for any other purposes other than to provide the Services to Controller. c. Immediately notify Controller, where Processor in its opinion believes that an instruction of Controller would result in a violation of Applicable Data Protection Law and request Controller to withdraw, amend or confirm the relevant instruction. Pending the decision on the withdrawal, amendment or confirmation of the relevant instruction, Processor shall be entitled to suspend the implementation of the relevant instruction. d. Ensure that persons authorized by the Processor to process Process the personal data Personal Data on behalf of the ControllerController are suitably informed, trained and instructed in particular the Processor's employees as well as employees respect of any Subprocessors, Applicable Data Protection Law and have committed themselves in writing to confidentiality or are under an appropriate statutory obligation of confidentiality and confidentiality. Processor will procure that such authorized persons who have access to the personal data, process such personal data in compliance with this DPAobserve any Applicable Data Protection Law beyond their respective employment periods. (b) The Processor shall use commercially reasonable efforts to implement e. Implement the Technical and maintain Organizational Security Measures which will meet the technical and organizational measures requirements of Applicable Data Protection Law as further specified in Annex 1 2 before Processing the Personal Data and ensure to this DPA. The Processor may amend the technical provide sufficient guarantees to Controller on such Technical and organizational measures from time to time, provided that the amended technical and organizational measures are in overall not less protective as those set out in Exhibit 2. Substantial amendments to the technical and organizational measures shall be notified to the ControllerOrganizational Security Measures. (c) The f. Assist Controller by appropriate Technical and Organizational Security Measures, insofar as this is possible, for the fulfillment of Controller’s obligation to respond to requests for exercising Data Subjects’ rights concerning information, access, rectification and erasure, restriction of Processing, notification, data portability, objection and automated decision-making. g. Take actions requested or instructed by Controller in order to comply with Data Subject’s rights under Applicable Data Protection Law. In particular, Processor shall use commercially reasonable efforts to make must provide the information on action taken on such request without undue delay, respectively in a timely manner. h. Make available to the Controller any all information necessary to demonstrate compliance with the obligations of Processor laid down in this DPA and in Art. 28 GDPR and in this DPA. (d) The Processor shall use commercially reasonable efforts to provide an independent third-party audit report upon Controller`s request, where such audit report shall only be requested once per calendar year and at Controller`s costs. (e) The Processor is obliged to notify the Controller within forty-eight (48) hours: • about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and • about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless the Processor has been otherwise authorized by the Controller to do so, or (ii) in case of a Security breach the Processor is becoming aware of. (f) The Processor shall use commercially reasonable efforts to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR and prior consultation as may be required by Art. 36 GDPR that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller, where any extraordinary costs hereto shall be xxxxx by Customer. (g) The Processor shall use commercially reasonable efforts to not further process the personal data, after the end of the provision of Services, and delete any existing copies unless European Union or Member State law requires the Processor to retain such personal data.28

Obligations of Processor. (a) The Processor shall use commercially reasonable efforts that persons authorized by the Processor to process the personal data on behalf of the Controller, in particular the Processor's employees as well as employees of any Subprocessors, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons who have access to the personal data, data process such personal data in compliance with this DPA. (b) The Processor shall use commercially reasonable efforts to implement and maintain the technical and organizational measures as specified in Annex 1 to this DPAExhibit 2. The Processor may amend the technical and organizational measures from time to time, provided that the amended technical and organizational measures are in overall not less protective as those set out in Exhibit 2. Substantial amendments to the technical and organizational measures shall be notified to the Controller. (c) The Processor shall use commercially reasonable efforts to make available to the Controller any information necessary to demonstrate compliance with the obligations of Processor laid down in Art. 28 GDPR the relevant applicable local data protection laws and provisions, and in this DPA. (d) The Processor shall use commercially reasonable efforts to provide an independent third-party audit report upon Controller`s request, where such audit report shall only be requested once per calendar year and at Controller`s costs. (e) The Processor is obliged to notify the Controller within forty-eight (48) 48 hours: • about any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as by a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and • and (i) about any complaints and requests received directly from a data subject (e.g., regarding access, rectification, erasure, restriction of processing, data portability, objection to processing of data, automated decision-making) without responding to that request, unless the Processor has been otherwise authorized by the Controller to do so, or (ii) in case of a Security breach the Processor is becoming aware of. (f) The Processor shall use commercially reasonable efforts to assist the Controller with its obligation to carry out a data protection impact assessment as may be required by Art. 35 GDPR the relevant applicable local data protection laws and provisions and prior consultation as may be required by Art. 36 GDPR the relevant applicable local data protection laws and provisions that relates to the Services provided by the Processor to the Controller under this DPA by means of providing the necessary and available information to the Controller, where any extraordinary costs hereto shall be xxxxx by Customer. (g) The Processor shall use commercially reasonable efforts to not further process the personal data, after the end of the provision of Services, and delete any existing copies unless European Union or Member State law applicable local data protection laws and provisions requires the Processor to retain such personal data.