Common use of Operational Security Clause in Contracts

Operational Security.

● Hubilo runs an annual training program for its employees to treat data protection and security as the highest priorities. Hubilo is committed to implement tighter security standards across policies, procedures, technology, and people on an ongoing basis.
● Hubilo runs Vulnerability Assessment Penetration Testing (VAPT) on a quarterly basis through a third-party service provider, Xxxxx Xxxxxxxx LLP, who is globally empaneled with Computer Emergency Response and operate
● Applications and servers are regularly patched to provide ongoing protection from exploits with the help of a robust Change Management process in place.
● Hubilo has a disaster recovery strategy in place, which is tested on a yearly basis. Under any DR condition, our customer’s websites will not get affected and will work fine. Though the data collection might get stopped until Hubilo services are restored.
● All of Hubilo’s customer data is hosted in a secure cloud data centre service provider (AWS) and also logically segregated by the Hubilo application.

ANNEX III TO THE STANDARD CONTRACTUAL CLAUSES

LIST OF SUB-PROCESSORS

List of Hubilo Sub-processors:
● xxxxx://xxx.xxxxxx.xxx/sub-processors

[1] Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295 of 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision C(2021) 3972 final.

[2] The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union's internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

[3] This requirement may be satisfied by the sub-processor according to these Clauses under the appropriate Module, in accordance with Clause 7.

[4] As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

Appears in 3 contracts

Samples: Data Processing Agreement, uploads-ssl.webflow.com, assets.website-files.com


Operational Security.

● Hubilo runs an annual training program for its employees to treat data protection and security as the highest priorities. Hubilo is committed to implement tighter security standards across policies, procedures, technology, and people on an ongoing basis.
● Hubilo runs Vulnerability Assessment Penetration Testing (VAPT) on a quarterly basis through a third-party service provider, Xxxxx Xxxxxxxx LLP, who is globally empaneled with Computer Emergency Response and operate
● Applications and servers are regularly patched to provide ongoing protection from exploits with the help of a robust Change Management process in place.
● Hubilo has a disaster recovery strategy in place, which is tested on a yearly basis. Under any DR condition, our customer’s websites will not get affected and will work fine. Though the data collection might get stopped until Hubilo services are restored.
● All of Hubilo’s customer data is hosted in a secure cloud data centre service provider (AWS) and also logically segregated by the Hubilo application.

ANNEX III TO THE STANDARD CONTRACTUAL CLAUSES

LIST OF SUB-PROCESSORS

List of Hubilo Sub-processors:
● xxxxx://xxx.xxxxxx.xxx/sub-processors

[1] Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295 of 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision C(2021) 3972 final.

[2] The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union's internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

[3] This requirement may be satisfied by the sub-processor according to these Clauses under the appropriate Module, in accordance with Clause 7.

[4] As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

Appears in 1 contract

Samples: Data Processing Agreement
