Common use of Organizational Measures Clause in Contracts

Organizational Measures.

2.1 Security plan and document

(a) The measures adopted to comply with these security requirements shall be the subject of the Company’s Information Security Policies and set out in a security portal, which shall be kept up to date, and revised whenever relevant changes are made to the information system(s) or to technical or organizational measures.

(b) The Information Security Policies shall address:
(i) Security measures relating to the modification and maintenance of the system(s) used to Process Data, including development and maintenance of applications, appropriate vendor support and an inventory of hardware and software;
(ii) Physical security, including security of the buildings or premises where Data Processing occurs, security of data equipment and telecommunication infrastructure and environmental controls; and
(iii) Security of computers and telecommunication systems including procedures for managing back-up copies, procedures dealing with computer viruses, procedures for managing signal/codes, security for software implementation, security related to databases, security for connecting systems to the Internet, inspection of circumvention of data system(s), mechanisms for keeping account of attempts to break system security or gain unauthorized access.

(c) The security plan shall include all Dynatrace policies, as updated from time to time, including but not limited to:
(i) Code of Business Conduct and Ethics
(ii) Global Data Protection Policy
(iii) Dynatrace IT Acceptable Use Policy
(iv) System Security Policies:
• Dynatrace Network Access Policy
• Dynatrace Physical Security Policy
• Dynatrace Network Account Password Policy
• Dynatrace Returning of Assets of Terminated Employees Policy
• Dynatrace Security Policy
• Dynatrace Security Awareness Policy
• Dynatrace Vulnerability Management Policy
• Dynatrace Workstation Security Policy

(d) The security plan shall be available to staff who have access to Data and the information systems, and must cover the following aspects at a minimum:
(i) The scope, with a detailed specification of protected resources;
(ii) The measures, standards, procedures, code of conduct rules and norms to guarantee security, including the control, inspection and supervision of the information systems;
(iii) The procedures for reporting, managing and responding to incidents; and
(iv) The procedures for making back-up copies and recovering Data including the member of staff who undertook the Processing activity, the Data restored and, as appropriate, which data had to be input manually in the recovery process.

2.2 Functions and obligations of staff

(a) Only members of staff that have a legitimate operational need to access the information systems or carry out any Processing of Data shall be authorized to do so (“Authorized Users”).

(b) The necessary measures shall be adopted to train and make staff familiar with these minimum-security requirements, any relevant policies and applicable laws concerning the performance of their functions and duties in respect of the Processing of Data and the consequences of any breach of these requirements.

(c) The functions and obligations of staff having access to Data and the information systems shall be clearly defined through application security roles.

(d) Authorized Users shall be instructed to the effect that electronic equipment should not be left unattended or made accessible during Processing sessions. Physical access to areas where any Data are stored shall be restricted to Authorized Users. The disciplinary measures for a breach of the security plan shall be clearly defined and documented and communicated to staff.

Appears in 3 contracts

Samples: Data Processing Agreement, Data Processing Agreement, Data Processing Agreement


Organizational Measures.

2.1 Security plan and document

(a) The measures adopted to comply with these security requirements shall be the subject of the Company’s Information Security Policies and set out in a security portal, which shall be kept up to date, and revised whenever relevant changes are made to the information system(s) or to technical or organizational measures.

(b) The Information Security Policies shall address:
(i) Security measures relating to the modification and maintenance of the system(s) used to Process Data, including development and maintenance of applications, appropriate vendor support and an inventory of hardware and software;
(ii) Physical security, including security of the buildings or premises where Data Processing occurs, security of data equipment and telecommunication infrastructure and environmental controls; and
(iii) Security of computers and telecommunication systems including procedures for managing back-up copies, procedures dealing with computer viruses, procedures for managing signal/codes, security for software implementation, security related to databases, security for connecting systems to the Internet, inspection of circumvention of data system(s), mechanisms for keeping account of attempts to break system security or gain unauthorized access.

(c) The security plan shall include all Dynatrace policies, as updated from time to time, including but not limited to:
(i) Code of Business Conduct and Ethics
(ii) Global Data Protection Policy
(iii) Dynatrace IT Acceptable Use Policy
(iv) System Security Policies:
• Dynatrace Encryption Policy
• Dynatrace Network Access Policy
• Dynatrace Physical Security Policy
• Dynatrace Network Account Password Policy
• Dynatrace Returning of Assets of Terminated Employees Policy
• Dynatrace Security Policy
• Dynatrace Security Awareness Policy
• Dynatrace Vulnerability Management Policy
• Dynatrace Workstation Security Policy

(d) The security plan shall be available to staff who have access to Data and the information systems, and must cover the following aspects at a minimum:
(i) The scope, with a detailed specification of protected resources;
(ii) The measures, standards, procedures, code of conduct rules and norms to guarantee security, including the control, inspection and supervision of the information systems;
(iii) The procedures for reporting, managing and responding to incidents; and
(iv) The procedures for making back-up copies and recovering Data including the member of staff who undertook the Processing activity, the Data restored and, as appropriate, which data had to be input manually in the recovery process.

2.2 Functions and obligations of staff

(a) Only members of staff that have a legitimate operational need to access the information systems or carry out any Processing of Data shall be authorized to do so (“Authorized Users”).

(b) The necessary measures shall be adopted to train and make staff familiar with these minimum-security requirements, any relevant policies and applicable laws concerning the performance of their functions and duties in respect of the Processing of Data and the consequences of any breach of these requirements.

(c) The functions and obligations of staff having access to Data and the information systems shall be clearly defined through application security roles.

(d) Authorized Users shall be instructed to the effect that electronic equipment should not be left unattended or made accessible during Processing sessions. Physical access to areas where any Data are stored shall be restricted to Authorized Users. The disciplinary measures for a breach of the security plan shall be clearly defined and documented and communicated to staff.

Appears in 1 contract

Samples: Data Processing Agreement
