Common use of Protection of Personal Data Clause in Contracts

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. As a result of this Agreement, Seller and Seller Parties may obtain certain information relating to identified or identifiable individuals (“Personal Data”), including but not limited to, from Apple on Apple’s or its affiliate(s)’ behalf and/or from Apple affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Parties), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without Apple’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to Apple if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Parties shall: fully (i) comply with Apple’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify Apple of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform Apple if, in its opinion, an instruction from Apple infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collectionregulations and international accords or treaties pertaining to Personal Data; (v) take all appropriate legal, use organizational and disclosure technical measures to protect against unlawful and unauthorized processing of Personal Data; process and (vi) promptly notify Apple’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with Apple to promptly and effectively handle such requests with respect to Personal Data, and only respond to any such requests if expressly authorized to do so by Apple. If Personal Data only in accordance with is transferred from the written instructions given European Economic Area or Switzerland to or by IHiS Seller and/or Seller Parties, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to such extent necessary and the appropriate legal instruments for the completion international transfer of data (such as the PurposeEU-U.S. Privacy Shield Framework); promptly deal with or (b) execute: (1) the Standard Contractual Clauses as approved by the European Commission; and (2) where relevant, the Swiss Transborder Data Flow Agreement; or (c) execute mutually agreeable contractual instruments or Binding Corporate Rules (BCR) as such BCR are approved by the relevant supervisory authority. Seller shall be liable for the damage caused to any enquiry from IHiS relating to the Companyindividual as a result of Seller’s processing of Personal Data; , where Seller has not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company complied with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; Section or expiry any applicable laws, regulations and international accords or termination of the NDAtreaties pertaining to Personal Data, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that where it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose acted outside or return of the documents and materials as aforesaid, the Company shall continue contrary to be bound by the undertakings set out in Clauses 3 and 4 abovelawful instructions from Apple.

Protection of Personal Data. Where any Personal Data are processed with respect to the Parties' rights and obligations under this Call Off Contract, the Parties agree that the Customer is the Data Controller and that the Supplier is the Data Processor. The Company Supplier shall, in relation to Personal Data: fully comply with all requirements of Process the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with instructions from the written Customer (which may be specific instructions given or instructions of a general nature as set out in this Call Off Contract or as otherwise notified by IHiS the Customer to the Supplier during the Call Off Contract Period); Process the Personal Data only to the extent, and to in such extent manner, as is necessary and appropriate for the completion provision of the PurposeGoods and/or Services or as is required by Law or any Regulatory Body; promptly deal with any enquiry from IHiS relating implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the Company’s processing harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Staff who have access to the Personal Data; not obtain Approval in order to transfer or allow the Personal Data to be transferred outside any Sub-Contractors or Affiliates for the provision of Singaporethe Services; ensure that all Staff required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause 31; ensure that none of the Staff publish, disclose or divulge any of the Personal Data to any third party unless expressly instructed directed in writing to do so by the Customer; notify the Customer (within five (5) Working Days) if it receives: a request from a Data Subject to have access to that person's Personal Data; or authorised by IHiSa complaint or request relating to the Customer's obligations under the Data Protection Legislation; and provide all necessary co-operation the Customer with full cooperation and assistance (whether in relation to IHiS any complaint or otherwise) to allow request made, including by: providing the Customer with full details of the complaint or request; complying with a data access and/or correction of Personal request within the relevant timescales set out in the Data Protection Legislation and in accordance with the PDPA. Without prejudice to Clause 4.1 above, Customer's instructions; providing the Company ensure: that Customer with any Personal Data belonging it holds in relation to IHiS or its Affiliates which is held by a Data Subject (within the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer timescales required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiSCustomer); and it keeps itself appraised of providing the Customer with any information requested by the Customer; permit the Customer or the Customer Representative (subject to reasonable and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”appropriate confidentiality undertakings), to inspect and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clauseaudit, the Company hereby expressly acknowledges Supplier's data Processing activities (and/or those of its agents, subsidiaries and agrees that it has read the PDPA Documentation Sub-Contractors) and is aware of and will compensate IHiS for any and comply with all potential loss and damage caused to IHiS and/or its Affiliates arising from reasonable requests or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance directions by the Company Customer to enable the Customer to verify and/or procure that the Supplier is in full compliance with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion Call Off Contract; provide a written description of the Purposetechnical and organisational methods employed by the Supplier for Processing Personal Data (within the timescales required by the Customer); receipt of and not Process or otherwise transfer any Personal Data outside the European Economic Area. If, after the Call Off Commencement Date, the Supplier (or any Sub-Contractor) wishes to Process and/or transfer any Personal Data outside the European Economic Area, the following provisions shall apply: the Supplier shall submit a written request from IHiS; or expiry or termination of for Variation to the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify Customer which shall be dealt with in writing to IHiS that it has complied accordance with the requirements of this Clause 5.1. Notwithstanding Variation Procedure and paragraphs (b) to (d) below; the completion of the Purpose or return of the documents and materials as aforesaid, the Company Supplier shall continue to be bound by the undertakings set out in its request for a Variation details of the following: the Personal Data which will be Processed and/or transferred outside the European Economic Area; the country or countries in which the Personal Data will be Processed and/or to which the Personal Data will be transferred outside the European Economic Area; any Sub-Contractors or other third parties who will be Processing and/or transferring Personal Data outside the European Economic Area; and how the Supplier will ensure an adequate level of protection and adequate safeguards (in accordance with the Data Protection Legislation and in particular so as to ensure the Customer’s compliance with the Data Protection Legislation) in respect of the Personal Data that will be Processed and/or transferred outside the European Economic Area; in providing and evaluating the request for Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Government and Information Commissioner Office’s policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing and/or transfers of Personal Data outside the European Economic Area and/or overseas generally but, for the avoidance of doubt, the Customer may, in its absolute discretion, refuse to grant Approval of such process and/or transfer any Personal Data outside the European Economic Area; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model Clauses 3 (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation) in this Call Off Contract or a separate data processing agreement between the parties; and 4 aboveprocuring that any Sub-Contractor or other third party who will be Processing and/or transferring the Personal Data outside the European Economic Area enters into a direct data processing agreement with the Customer on such terms as may be required by the Customer, which the Supplier acknowledges may include the incorporation of standard and/or model Clauses (which are approved by the European Commission as offering adequate safeguards under the Data Protection Legislation). The Supplier shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Call Off Contract in such a way as to cause the Customer to breach any of its applicable obligations under the Data Protection Legislation. The Supplier acknowledges that, in the event that it breaches (or attempts or threatens to breach) its obligations relating to Personal Data that the Customer may be irreparably harmed (including harm to its reputation). In such circumstances, the Customer may proceed directly to court and seek injunctive or other equitable relief to remedy or prevent any further breach (or attempted or threatened breach). The Supplier shall, at all times during and after the Call Off Contract Period, indemnify the Customer and keep the Customer fully indemnified against all Losses incurred by, awarded against or agreed to be paid by the Customer at any time (whether before or after the making of a demand pursuant to the indemnity hereunder) arising from any breach of the Supplier's obligations under this Clause 31 except and to the extent that such liabilities have resulted directly from the Customer's instructions.

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS CGH and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS CGH relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiSCGH; and provide all necessary co-operation and assistance (whether to IHiS CGH or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS CGH or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS CGH in accordance with Clause 5 below; that IHiS CGH is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS CGH with such reports or information concerning such steps as and when requested by IHiSCGH); and it keeps itself appraised of any and all notices and circulars which IHiS CGH may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS CGH to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS CGH for any and all potential loss and damage caused to IHiS CGH and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS CGH reserves the right and the Company agrees that IHiS CGH may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiSCGH; or expiry or termination of the NDA, return to IHiS CGH all documents and materials (and all copies thereof) containing IHiS’ CGH’s Confidential Information or destroy the same, and certify in writing to IHiS CGH that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS AIC and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS AIC relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiSAIC; and provide all necessary co-operation and assistance (whether to IHiS AIC or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS AIC or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS AIC in accordance with Clause 5 below; that IHiS AIC is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS AIC with such reports or information concerning such steps as and when requested by IHiSAIC); and it keeps itself appraised of any and all notices and circulars which IHiS AIC may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS AIC to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS AIC for any and all potential loss and damage caused to IHiS AIC and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS AIC reserves the right and the Company agrees that IHiS AIC may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiSAIC; or expiry or termination of the NDA, return to IHiS AIC all documents and materials (and all copies thereof) containing IHiS’ AIC’s Confidential Information or destroy the same, and certify in writing to IHiS AIC that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS CGH and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS CGH relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiSCGH; and provide all necessary co-operation and assistance (whether to IHiS CGH or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS CGH or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS CGH in accordance with Clause 5 below; that IHiS CGH is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS CGH with such reports or information concerning such steps as and when requested by IHiSCGH); and it keeps itself appraised of any and all notices and circulars which IHiS CGH may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS CGH to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS CGH for any and all potential loss and damage caused to IHiS CGH and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS CGH reserves the right and the Company agrees that IHiS CGH may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN seven (7) days of: completion of the Purpose; receipt of a written request from IHiSCGH; or expiry or termination of the NDA, return to IHiS CGH all documents and materials (and all copies thereof) containing IHiS’ CGH’s Confidential Information or destroy the same, and certify in writing to IHiS CGH that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. As a result of this Agreement, Seller and Seller Parties may obtain certain information relating to identified or identifiable individuals ("Personal Data"), including but not limited to, from Apple on Apple’s or its affiliate(s)’ behalf and/or from Apple affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Parties), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without Apple’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to Apple if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Parties shall: fully (i) comply with Apple’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify Apple of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform Apple if, in its opinion, an instruction from Apple infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collectionregulations and international accords or treaties pertaining to Personal Data; (v) take all appropriate legal, use organizational and disclosure technical measures to protect against unlawful and unauthorized processing of Personal Data; process and (vi) promptly notify Apple’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with Apple to promptly and effectively handle such requests with respect to Personal Data, and only respond to any such requests if expressly authorized to do so by Apple. If Personal Data only in accordance with is transferred from the written instructions given European Economic Area or Switzerland to or by IHiS Seller and/or Seller Parties, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to such extent necessary and the appropriate legal instruments for the completion international transfer of data (such as the PurposeEU-U.S. Privacy Shield Framework); promptly deal with or (b) execute: (1) the Standard Contractual Clauses as approved by the European Commission; and (2) where relevant, the Swiss Transborder Data Flow Agreement; or (c) execute mutually agreeable contractual instruments or Binding Corporate Rules (BCR) as such BCR are approved by the relevant supervisory authority. Seller shall be liable for the damage caused to any enquiry from IHiS relating to the Companyindividual as a result of Seller’s processing of Personal Data; , where Seller has not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company complied with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; Section or expiry any applicable laws, regulations and international accords or termination of the NDAtreaties pertaining to Personal Data, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that where it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose acted outside or return of the documents and materials as aforesaid, the Company shall continue contrary to be bound by the undertakings set out in Clauses 3 and 4 abovelawful instructions from Apple.

Protection of Personal Data. The Company Where Hotel processes personal data on behalf of IEEE in connection with the performance of this Agreement, it shall, : (i) process such personal data in relation to Personal Data: fully comply accordance with all requirements applicable laws, only for purposes reasonably necessary for the performance of the PDPA, including the requirements concerning the collection, use its obligations under this Agreement and disclosure of Personal Data; process Personal Data only in accordance with the documented written instructions given of IEEE (except where required otherwise by IHiS and to law); (ii) treat such extent necessary and appropriate for data as Confidential Information of IEEE; (iii) where such personal data is collected in the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; European Economic Area (“EEA”), not transfer or allow such personal data to any location outside the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data EEA except in accordance with the PDPAsafeguards required under the Regulation (EU) 2016/679 (the General Data Protection Regulation) and any applicable national legislation (“EU Data Protection Laws”); (iv) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the likelihood and severity of any risk, implement appropriate technical and organizational measures to protect such personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, limitation to the extent that the Personal Data is foregoing, such measures shall comply with prevailing industry standards but in no longer required by the Company for legal case consist of less than reasonable care; (v) co-operate fully with IEEE to enable it to adequately discharge its responsibility under applicable laws (including assisting with data subject access or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 belowerasure requests); that IHiS is (vi) immediately alerted in writing (with full particulars) notify IEEE of any unauthorised access, disclosure actual or other suspected data breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, provide all steps to prevent further unauthorised access, disclosure or other breach of this clause available information; (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of vii) not allow any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conductprocess such personal data on its behalf except with IEEE’s prior written consent; and (viii) an audit and/or assessment delete or (at IEEE’s choice) deliver to IEEE all records of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or such personal data upon termination of this Agreement or (if earlier) upon the NDAdata no longer being required for the purposes referred to in subsection (i) above. References to ‘personal data’ and to ‘processing’ in this section, return insofar as it concerns data collected in the EEA, shall have the meaning given to IHiS all documents these terms under the EU Data Protection Laws. IEEE or its representative shall have the right, on reasonable Notice, to review, inspect and/or audit Hotel’s security program, technical environment and materials (business continuity arrangements and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied its compliance with the other requirements of this Clause 5.1section. Notwithstanding Hotel shall delete all of IEEE’s information within its custody or control, including, but not limited to, completed project data, email addresses and all other personal data processed on behalf of IEEE upon the completion earliest of (a) termination of this Agreement; (b) written request by IEEE; or (c) the personal data no longer being required for the performance of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 aboveservices specified herein.

Protection of Personal Data. The Company shall, Mutual exchange of personal data between the Parties’ competent authorities shall be made in relation to Personal Data: fully comply com- pliance with all requirements the conditions laid down by the transmitting authority and on the basis of the PDPA, including following prin- ciples to be applied to both computer-assisted and non-computer-assisted data processing: (1) The data transmitted shall not be used for any purposes other than those indicated in the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS and to such extent necessary and appropriate for the completion message without consent of the Purposetransmitting authorities; (2) The data transmitted shall be deleted and/or corrected, if – (a) found to be incorrect; promptly deal with or (b) the transmitting authority advises that the data was unlawfully obtained or transmitted; or (c) the data is no longer needed for fulfilment of the task stated by the requesting authority, unless explicit permission was given to use the transmitted data for any enquiry from IHiS relating other purpose. (3) Upon request of the transmitting authority the receiving authority shall furnish information about the use of the data received; (4) The transmitting authority shall guarantee that the data transmitted is correct and up-to-date. In case of the transmission of incorrect data or data which should not have been transmitted or in case that data which has been lawfully transmitted has to be deleted at a later date pursuant to the Company’s processing domestic law in force in the State of Personal Data; not transfer the transmitting authority, the receiving authority shall be informed thereof without undue delay in order to carry out the Necessary deletion or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice data pursuant to Clause 4.1 aboveSubArticle (2); (5) If the receiving authority has any reason to believe that transmitted data might be incorrect or should be deleted, this authority shall immediately inform the Company ensure: that any Personal Data belonging transmitting authority thereof; (6) The receiving authority shall be obliged to IHiS or its Affiliates which is held by effectively protect the Company is protected against lossreceived data from unauthor- ised access, unauthorised access, use, modification, disclosure modification and unauthorised publication; (7) Both the transmitting and the receiving authority shall be obliged to log or other misuse, to place the transmis- sion and that only authorised personnel receipt of data on record; (8) The persons concerned shall have the right to have access to that Personal Data; thatthe data relating to them transmitted under this agreement, as well as the right to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach correction and/or deletion of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps data in cases pursu- ant to prevent further unauthorised access, disclosure subArticle (2) or other breach to verification of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Companydata, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection conformity with the Purpose in relevant domestic legal provisions. In case of a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes request for assertion of this clauseright, prior to deciding on the request, the Company hereby expressly acknowledges and agrees that it has read au- thority holding the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused data shall afford the transmitting authority the opportunity to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) furnish an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 aboveopin- ion.

Protection of Personal Data. The Company shall, in relation to Personal Data: Data:- ensure that it has, in relation to all Personal Data obtained and/or collected by it, fully comply complied with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure Personal Data Protection Act (No. 26 of Personal Data2012); process Personal Data only in accordance with the written instructions given by IHiS and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred transferred, outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPAPersonal Data Protection Xxx 0000. Without prejudice to Clause 4.1 above, the Company shall take all reasonable measures to ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned re-delivered to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertakeundertakes, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDAAgreement, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its the obligations under this Clause 4. The Company shall within SEVEN (7) seven days of: completion of the Purpose; or receipt of a written request from IHiS; or expiry or termination of the NDAAgreement, return to IHiS all documents and materials (and all copies thereof) containing the IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1sub-clause. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. As a result of this Agreement, Seller and Seller Parties may obtain certain information relating to identified or identifiable individuals (“Personal Data”), including but not limited to, from Apple on Apple’s or its affiliate(s)’ behalf and/or from Apple affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Parties), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without Apple’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to Apple if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Parties shall: fully (i) comply with Apple’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify Apple of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform Apple if, in its opinion, an instruction from Apple infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collection, use regulations and disclosure of international accords or treaties pertaining to Personal Data; process Personal Data only in accordance with the written instructions given by IHiS (v) take all appropriate legal, organizational and technical measures to such extent necessary protect against unlawful and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s unauthorized processing of Personal Data; and (vi) promptly notify Apple’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not transfer or allow the limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with Apple to promptly and effectively handle such requests with respect to Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuseData, and that only authorised personnel have access respond to that Personal Data; that, any such requests if expressly authorized to the extent that the do so by Apple. If Personal Data is no longer required transferred from the European Economic Area or Switzerland to or by Seller and/or Seller Parties, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to the appropriate legal instruments for the international transfer of data (such as the EU- U.S. Privacy Shield Framework); or (b) execute: (1) the Standard Contractual Clauses as approved by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS)European Commission; and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause2) where relevant, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the PurposeSwiss Transborder Data Flow Agreement; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.or

Protection of Personal Data. The Company shallService Provider undertakes to guarantee the secrecy, security and confidentiality of personal data as defined by Law No. 09-08 on the protection of individuals with regard to the processing of personal data communicated to him by the Client in the context of this Contract and / or of which he may have become aware of it during the execution of this Contract (the "Data"). For this purpose, the Service Provider undertakes to:  take all necessary precautions, in relation order to Personal Data: fully comply with all requirements preserve the security of the PDPAData, in particular to prevent them from being deformed, damaged and prevent any access not previously authorized by the Client;  treat the Data only within the framework of instructions and authorization received from the Client;  treat the Data exclusively and exclusively within and under this Contract;  not to use the services of a subcontractor, except that the latter is previously and expressly authorized by the Client and acts under the responsibility and control of the Service Provider. This subcontracting must be carried out under a contract incorporating the provisions of this article and submitted to the prior approval of the Client and to ensure compliance with the obligations subscribed by the Service Provider. It is the sole responsibility of the Service Provider to ensure that the subcontractor provides sufficient guarantees to ensure the implementation of the obligations to which the Service Provider has committed;  respect its obligation of secrecy, security and confidentiality, during all maintenance and remote maintenance operations, carried out within the Service Provider's premises or any other company involved in the processing;  take all security measures, including physical and logical, to ensure the requirements concerning preservation and integrity of the collection, use and disclosure of Personal processed Data; process Personal  implement appropriate technical and organizational measures to protect the Data only against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, as well as any other form of unlawful processing;  take all measures to prevent misuse, malicious or fraudulent use of the Data processed;  at the expiration or termination of this Contract for any reason whatsoever, destroy the Data and computerized or manual files or any medium on which the Data appears. In addition, the Services Provider is prohibited from:  to disclose, in accordance any form whatsoever, all or part of the Data as well as the computerized or manual files or any medium on which the Data appears;  to use all or part of the Data as well as the computerized or manual files or any medium on which the Data appear, on its behalf or on behalf of third parties, for professional, personal or private purposes other than those defined in this Contract ;  to take copy or store, in whatever form and purpose, all or part of the Data as well as the computerized or manual files or any medium on which the Data appears. In addition, the Service Provider undertakes:  at the Client's first request to provide evidence, that he has the organizational and technical means to ensure compliance with his obligations under this article;  to cooperate with the written instructions given Client in all circumstances likely to affect the respect by IHiS and the Service Provider of his obligations under this article;  to such extent necessary and appropriate for inform the completion Client immediately in case of loss or alteration of all or part of the Purpose; promptly deal with Data or any enquiry from IHiS relating to event affecting the Company’s processing security and / or confidentiality of Personal all or part of the Data; not transfer  to enable the Client or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held person authorized by the Company latter and provided that this person is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; thatnot a competitor of the Service Provider, to the extent carry out any audit to verify that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company Service Provider complies with its obligations under this Clause 4article. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return Service Provider undertakes to IHiS all documents cooperate in good faith and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied without reservation with the requirements auditors as soon as it is notified of this Clause 5.1. Notwithstanding the completion of an audit;  to implement at its expense and without delay any corrective measures outlined in the Purpose or return audit report;  to inform the Client as soon as he becomes aware of a control of the documents CNDP. The Service Provider acknowledges that in the event of a breach of its obligations as defined in this article:  that his responsibility may be criminally liable;  that he may be held liable to the Client for any damage that may be caused as a result of the breach, as well as for the payment of compensation for the damage suffered;  that the Client may terminate this Contract immediately and materials as aforesaid, without compensation in favor of the Company shall continue Service Provider without prejudice to be bound damages to which he could claim. The Service Provider undertakes to respect and to enforce the respect of all the obligations mentioned in this article by the undertakings set out in Clauses 3 its management and 4 abovepersonnel.

Protection of Personal Data. The Company ‌ 4.1 Data Recipient acknowledges and agrees that the Data Discloser Data may include Data Discloser Personal Data. In relation to such Data Discloser Personal Data, Data Recipient shall, in relation to and shall procure that its Representatives shall: (a) use or disclose the Data Discloser Personal Data: fully comply with all requirements Data solely for the purposes of the PDPA, including the requirements concerning the collectionProject or as otherwise authorised by Data Discloser in writing from time to time; (b) [store, use and disclosure Process the Data Discloser Personal Data on the basis of one or more of the following legal grounds: (i) [the Data Subject has unambiguously given his or her consent;] (ii) [the Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;] (iii) [the Processing is necessary for the purposes of the legitimate interests pursued by the Parties except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, in particular where the Data Subject is a child]; (c) [store, use and Process the Data Discloser Personal Data classified as Special Category Personal Data on the basis that the Data Subject has given his explicit consent to the Processing of the shared Special Category Personal Data; process Personal Data only ;] (d) provide notice to data subject in accordance with Applicable Data Protection Laws; (e) [store, use and Process the written instructions given by IHiS and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Discloser Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 abovetransparency requirements under the Applicable Data Protection Laws;] (f) [store, use or Process the Company ensure: that any Data Discloser Personal Data belonging for no longer than is necessary to IHiS carry out the Project and in any event not longer than any statutory or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuseprofessional retention periods applicable under any Applicable Data Protection Laws, and that only authorised personnel have access to that shall return or delete any Data Discloser Personal Data; thatData once the storage, to use or Processing of the extent that the relevant Data Discloser Personal Data is no longer required by necessary for the Company purposes for legal or business purposes, that which it was originally shared. Data Recipient shall notify Data Discloser within [five (5) Business Days] following the deletion of any Data Discloser Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted this Clause;] (g) [not store in or transfer Data Discloser Data to a Third Country, nor allow processing or access to the Data Discloser Personal Data from, a Third Country, other than, in each case, as authorised approved by Data Discloser in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify time;]‌ (h) [if the Data Recipient Processes the Data Discloser Personal Data for the purposes of direct marketing, the Data Recipient shall ensure that effective procedures are in place to allow the Data Subject to “opt-out” from having their Personal Data used for such direct marketing purposes and the appropriate [explicit] consent has been obtained from the relevant Data Subject to allow the Data Discloser Personal Data to be used for the purposes of direct marketing in compliance with all Applicable Data Protection Laws; and] (i) to the Companyextent necessary to allow Data Discloser to comply with the Applicable Data Protection Laws: (i) assist Data Discloser with any subject access requests which it may receive from individuals to whom any Data Discloser Personal Data relates; (ii) carry out any reasonable request from Data Discloser to amend, transfer or delete any Data Discloser Personal Data; (iii) [notify Data Discloser [within five (5) Business Days] about any enquiries from the relevant Data Protection Authority in relation to the Data Discloser Personal Data and cooperate promptly and thoroughly with such Data Protection Authority, to the extent required under the Applicable Data Protection Laws;] (iv) promptly notify Data Discloser [and in any event within five (5) Business Days] about any legally binding request for disclosure of Data Discloser Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation[. The Data Recipient shall review the legality of any such request for disclosure and shall challenge the request if it considers there are reasonable grounds to do so; it shall provide the minimum amount of information permissible when responding to such a request. The Data Recipient will provide relevant information about disclosure requests to the Data Discloser, including in relation to its legality review and any challenges to the request]; (v) take adequate technical and organisational measures against unauthorised or unlawful Processing of, accidental loss or destruction of, or damage to, the Data Discloser Personal Data[, including without limitation any policies, guidelines, circulars to: (A) maintain the security and confidentiality of the Data Discloser Personal Data; (B) protect against reasonably anticipated threats or notices relating hazards to personal data the security or integrity of the Data Discloser Personal Data; and (“PDPA Documentation”), C) ensure that those measures continue to provide an adequate level of security;] (vi) [provide adequate training to its relevant staff and to perform its duties or discharge its liabilities in connection ensure such staff will carry out the security measures and comply with the Purpose in a manner which is consistent with obligations of Data Recipient under this Agreement;] (vii) [take appropriate measures to address the PDPA DocumentationSecurity Breach and notify Data Discloser [within five (5) Business Days] after Data Recipient learns of any misappropriation or unauthorized access to, and will not cause IHiS to be in breach of the same. For the purposes of this clauseor disclosure or use of, the Company hereby expressly acknowledges and agrees Data Discloser Personal Data (collectively, “Security Breaches”);]‌ (viii) [investigate each Security Breach that it has read the PDPA Documentation and is becomes aware of and will compensate IHiS for any and all potential loss and damage caused or has reason to IHiS and/or its Affiliates arising from suspect may have occurred [within five (5) Business Days] of becoming aware or having reason to suspect such Security Breach has occurred, and, in the case of an actual Security Breach, provide assistance to Data Discloser in connection with any breach of this clause. Notwithstanding and further reasonable investigation that Data Discloser may desire to anything stated elsewhere in the NDAconduct with respect to such Security Breach; (ix) implement any steps requested by Data Discloser to limit, IHiS reserves the right and the Company agrees that IHiS may conduct stop or otherwise remedy any actual or suspected Security Breach;] (or appoint a qualified, independent third party to conductx) an audit and/or assessment keep appropriate documentation of the standard Processing it carries out under this Agreement and shall make such documentation available to the Regulator; (xi) [provide Data Discloser, upon Data Discloser’s reasonable request, with a copy of its Security Documents, no more than [twice] annually in order to demonstrate compliance with Data Receiver’s obligations under this Agreement, and such Security Documents shall be deemed to satisfy any reporting or non-compliance by the Company with audit obligations imposed on Data Receiver under Applicable Data Protection Laws; ]and (xii) inform Data Discloser if it becomes aware of any Applicable Data Protection Laws that prevent it from fulfilling its obligations under this Clause 4. 4.2 [Data Recipient shall permit Data Discloser at any reasonable time upon [five (5) Business Days’] notice, to be given in writing, to have access to the appropriate part of Data Recipient’s premises, systems, equipment, and other materials and data Processing facilities to enable Data Discloser to inspect the same for the purposes of monitoring compliance with Data Recipient’s obligations under this Agreement. The Company Such inspection shall within SEVEN (7) days of: completion not relieve Data Recipient of any of its obligations under this Agreement.] 4.3 In the event that Data Recipient does Process, access and/or store, or permit any third party including its subcontractors to Process, access or store, Personal Data in any Third Country with the consent of the PurposeData Discloser in accordance with Clause 4.1(g), Data Recipient shall, and shall procure that any relevant Affiliate or [third party subcontractor / Pre-Approved Subcontractor] shall: (a) comply with the data importer’s obligations set out in the Standard Contractual Clauses, which are hereby incorporated into and form part of this Agreement (the processing details set out in Schedule 1 (Description of Transfers) shall apply for the purposes of Annex 1 and the technical and organisational security measures set out in Schedule 2 (Technical and Organisational Security Measures) shall apply for the purposes of Annex 2 to the Standard Contractual Clauses, respectively); (b) at the Data Discloser’s request (from time to time), enter separately into the Standard Contractual Clauses with the relevant Data Discloser or procure that such Affiliate or [third party subcontractor / Pre-Approved Subcontractor] enter into the Standard Contractual Clauses directly with the Data Discloser; (c) to the extent required by Applicable Data Protection Laws, ensure that such transfer of Personal Data is carried out using a Lawful Export Measure. To the extent such Lawful Export Measure requires (a) a contract imposing appropriate safeguards on the transfer and processing of such Personal Data (which is not otherwise satisfied by this Agreement); receipt of (b) a written request from IHiS; or expiry or termination description of the NDAProcessing of Personal Data contemplated under this Agreement; and (c) a description of technical and organisational measures to be implemented by the Data Recipient, return to IHiS all documents the Parties agree that the Standard Contractual Clauses, the description of processing activities set out in Schedule 1 and materials (the description of technical and all copies thereof) containing IHiS’ Confidential Information or destroy organisational measures set out in Schedule 2, shall apply mutatis mutandis for the samebenefit of such transfer, and certify in writing relation to IHiS any onward transfer of the Personal Data by that it has complied data importer to another person, the other person shall comply with the same importer obligations; and (d) if agreed between the Data Discloser and Data Recipient, take any other alternative or additional steps reasonably requested by the Data Discloser in order to ensure such Processing takes place in accordance with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 aboveApplicable Data Protection Laws.

Protection of Personal Data. 14.4.1. The Company shall, Vendor and its personnel shall comply in relation to all respects with any applicable or relevant data protection legislation or regulations regarding Personal Data: fully . The Vendor represents warrants and undertakes that it shall use and process the Personal Data only for the purpose of providing the Services in accordance with this Agreement or otherwise in any documented instructions which the Vendor may receive from SATS from time to time and that:- (i) It shall adhere to the requirements of the PDPA and other Applicable Data Protection Laws; (ii) Access to the Personal Data will be given only to the Vendor’s and any permitted subcontractor’s employees, personnel, agents, principals and contractors who ‘need to know’ and only to the extent necessary to perform the Vendor’s obligations under this Agreement, and ensure that such employees, personnel, agents, principals and contractors who are authorized to collect, process, disclose and/or use the Personal Data are under appropriate and legally enforceable confidentiality obligations; (iii) It shall comply with all of SATS’ security policies, standards, requirements of and specifications, as notified to the PDPAVendor by SATS in writing from time to time, including the requirements concerning the collection, use and disclosure of with respect to safeguarding or dealing with Personal Data; process Personal Data only in accordance with ; (iv) It shall institute and maintain appropriate technical and organizational safeguards and measures against the written instructions given by IHiS and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modificationor disclosure of Personal Data that are no less rigorous than the most rigorous practices of SATS and the Vendor, for similar types of information; (v) Without undue delay, it shall notify SATS about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data or any accidental or unauthorised access or any other misuseevent materially affecting the integrity, and that only authorised personnel have access to that availability or confidentiality of Personal Data; that, ; (vi) It shall provide the individuals to the extent that whom the Personal Data is no longer required by relates (“Subject Individual”) with access to their Personal Data and the Company for legal or business purposes, ability to correct such Personal Data upon request along with their other rights under Applicable Data Protection Laws and promptly notify SATS upon receipt of any request from Subject Individuals seeking to exercise such rights; (vii) It shall ensure that Personal Data is destroyed stored or returned recorded accurately; (viii) It will not modify, alter, delete, publish or disclose any Personal Data to IHiS any third party, nor allow any third party to process such Personal Data on the Vendor’s behalf unless SATS has given its prior written consent or it is required to do so by law; and (ix) It will not retain the Personal Data longer than is necessary for the provision of the Services hereunder. 14.4.2. The Vendor shall immediately rectify, erase or complete any Personal Data on receiving instructions to this effect from SATS. The Vendor undertakes in particular to rectify, erase or complete any Personal Data if it appears that such measures are required by the requirements of any applicable laws, rules and/or regulations. 14.4.3. The Vendor shall not transfer any Personal Data out of Singapore without the prior written consent of SATS. If given, the Vendor shall provide an adequate level of protection to any Personal Data transferred in accordance with Clause 5 below; that IHiS is immediately alerted the PDPA and other Applicable Data Protection Laws, SATS’ IT security policy and all reasonable instructions of SATS. The Vendor shall also specify the countries and territories to which the Personal Data may be transferred. 14.4.4. The Vendor shall be liable for the use and processing of the Personal Data and undertakes to fully indemnify SATS and the SATS users in writing (with full particulars) respect of any unauthorised access, disclosure penalties (including any penalties or other breach of this Clause 4 amounts levied, imposed or charged by any regulator or regulatory authority), liabilities, claims, costs, legal fees (solicitor-client basis), demands, losses and the Company will undertake, damages as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised a result of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its Vendor’s obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion 14.4 or the Vendor’s fault or negligence in performing these obligations, or any act or omission of the Purpose; receipt Vendor or any of a written request from IHiS; its officers, employees, advisors, agents and representatives which results in SATS or expiry or termination of any SATS user breaching the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 abovePDPA and/or other Applicable Data Protection Laws.

Protection of Personal Data. The Company shallWith respect to the parties'’ rights and obligations under this Contract and each Access Agreement, the parties agree that (a) each LAthe CUSTOMER is the Data Controller in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure respect of Personal Data; process Data attributable to functions exercisable by that LA CUSTOMER and (b) that the SERVICE PROVIDER is the Data Processor. The SERVICE PROVIDER shall: Pprocess the Personal Data only in accordance with instructions from the written relevant LA CUSTOMER (which may be specific instructions given or instructions of a general nature as set out in this Contract, the applicable Access Agreement or as otherwise notified by IHiS the LA CUSTOMER to the SERVICE PROVIDER during the Term); Pprocess the Personal Data only to the extent, and to in such extent manner, as is necessary and appropriate for the completion provision of the PurposeOrdered Software Application Solutions or as is required by Law or any Regulatory Body; promptly deal with any enquiry from IHiS relating implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the Company’s processing harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any SERVICE PROVIDER Personnel who have access to the Personal Data; not obtain prior written consent from each LAthe CUSTOMER in order to transfer or allow the Personal Data attributable to be transferred outside functions exercisable by that LA CUSTOMER to any Sub-Contractors or Affiliates for the provision of Singapore, unless expressly instructed or authorised by IHiSthe Ordered Software Application Solutions; and provide ensure that all necessary co-operation and assistance (whether SERVICE PROVIDER Personnel required to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by are informed of the Company for legal or business purposes, that confidential nature of the Personal Data is destroyed or returned to IHiS and comply with the obligations set out in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS)14; and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach ensure that none of the same. For SERVICE PROVIDER Personnel publish, disclose or divulge any of the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for Personal Data attributable to functions exercisable by any and all potential loss and damage caused LA CUSTOMER to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify unless directed in writing to IHiS do so by that LAe CUSTOMER; notify each LAthe CUSTOMER (within five (5) Working Days) if it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.receives:

Protection of Personal Data. The Company shall, Where any Personal Data are Processed in relation to Personal Data: fully comply connection with all requirements the exercise of the PDPAParties’ rights and obligations under this Call Off Contract, including the requirements concerning Parties acknowledge that the collection, use Customer is the Data Controller and disclosure of Personal Data; process that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the written instructions given by IHiS Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to such extent necessary and appropriate for the completion guard against unauthorised or unlawful Processing of the Purpose; promptly deal with any enquiry from IHiS relating Personal Data and/or accidental loss, destruction, or damage to the Company’s processing of Personal Data, including the measures as are set out in Clauses 32.1 (Security Requirements) and 32.2 (Protection of Customer Data); not disclose or transfer or allow the Personal Data to be transferred outside any third party or Supplier Personnel unless necessary for the provision of Singaporethe Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Supplier’s duties under this Clause 32.6.2 and Clauses 32.1 (Security Requirements), 32.2 (Protection of Customer Data) and 32.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless expressly instructed directed in writing to do so by the Customer or authorised as otherwise permitted by IHiSthis Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide all necessary co-operation the Customer with full cooperation and assistance (whether within the timescales reasonably required by the Customer) in relation to IHiS any complaint, communication or otherwise) request made (as referred to allow access and/or correction at Clause 32.6.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to this Clause 32.6.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the PDPA. Without prejudice Variation Procedure and Clauses 32.6.3(b) to Clause 4.1 above, 32.6.3(c); the Company ensure: that any Personal Data belonging to IHiS or Supplier shall set out in its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, proposal to the extent that Customer for a Variation details of the following: the Personal Data is no longer which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Company for legal Customer; or business purposes, that a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”)transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to perform its duties or discharge its liabilities in connection with assist the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS Customer to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection comply with any breach of this clause. Notwithstanding obligations under the DPA and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with shall not perform its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion Call Off Contract in such a way as to cause the Customer to breach any of the Purpose; receipt Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 abovesuch obligations.

Protection of Personal Data. The Company shall, Where any Personal Data are Processed in relation to Personal Data: fully comply connection with all requirements the exercise of the PDPAParties’ rights and obligations under this Call Off Contract, including the requirements concerning Parties acknowledge that the collection, use Customer is the Data Controller and disclosure of Personal Data; process that the Supplier is the Data Processor. The Supplier shall: Process the Personal Data only in accordance with instructions from the written instructions given by IHiS Customer to perform its obligations under this Call Off Contract; ensure that at all times it has in place appropriate technical and organisational measures to such extent necessary and appropriate for the completion guard against unauthorised or unlawful Processing of the Purpose; promptly deal with any enquiry from IHiS relating Personal Data and/or accidental loss, destruction, or damage to the Company’s processing of Personal Data, including the measures as are set out in Clauses 34.1 (Security Requirements) and 34.2 (Protection of Customer Data); not disclose or transfer or allow the Personal Data to be transferred outside any third party or Supplier Personnel unless necessary for the provision of Singaporethe Services and, for any disclosure or transfer of Personal Data to any third party, obtain the prior written consent of the Customer (save where such disclosure or transfer is specifically authorised under this Call Off Contract) take reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel: are aware of and comply with the Suppliers duties under Clause 34.5.2 and Clauses 34.1 (Security Requirements), 34.2 (Protection of Customer Data) and 34.3 (Confidentiality); are informed of the confidential nature of the Personal Data and do not publish, disclose or divulge any of the Personal Data to any third party unless expressly instructed directed in writing to do so by the Customer or authorised as otherwise permitted by IHiSthis Call Off Contract; and have undergone adequate training in the use, care, protection and handling of personal data (as defined in the DPA); notify the Customer within five (5) Working Days if it receives: from a Data Subject (or third party on their behalf) a Data Subject Access Request (or purported Data Subject Access Request) a request to rectify, block or erase any Personal Data or any other request, complaint or communication relating to the Customer's obligations under the DPA; any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data; or a request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law; provide all necessary co-operation the Customer with full cooperation and assistance (whether within the timescales reasonably required by the Customer) in relation to IHiS any complaint, communication or otherwise) request made (as referred to allow access and/or correction at Clause 34.5.2(e)), including by promptly providing: the Customer with full details and copies of the complaint, communication or request; where applicable, such assistance as is reasonably requested by the Customer to enable the Customer to comply with the Data Subject Access Request within the relevant timescales set out in the DPA; and the Customer, on request by the Customer, with any Personal Data it holds in relation to a Data Subject; and if requested by the Customer, provide a written description of the measures that has taken and technical and organisational security measures in place, for the purpose of compliance with its obligations pursuant to Clause 34.5.2 and provide to the Customer copies of all documentation relevant to such compliance including, protocols, procedures, guidance, training and manuals. The Supplier shall not Process or otherwise transfer any Personal Data in or to any country outside the European Economic Area or any country which is not determined to be adequate by the European Commission pursuant to Article 25(6) of Directive 95/46/EC (together “Restricted Countries”). If, after the Call Off Commencement Date, the Supplier or any Sub-Contractor wishes to Process and/or transfer any Personal Data in or to any outside the European Economic Area, the following provisions shall apply: the Supplier shall propose a Variation to the Customer which, if it is agreed by the Customer, shall be dealt with in accordance with the PDPA. Without prejudice Variation Procedure and Clauses 34.5.3(b) to Clause 4.1 above, 34.5.3(c); the Company ensure: that any Personal Data belonging to IHiS or Supplier shall set out in its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, proposal to the extent that Customer for a Variation details of the following: the Personal Data is no longer which will be transferred to and/or Processed in or to any Restricted Countries; the Restricted Countries to which the Personal Data will be transferred and/or Processed; and any Sub-Contractors or other third parties who will be Processing and/or receiving Personal Data in Restricted Countries; how the Supplier will ensure an adequate level of protection and adequate safeguards in respect of the Personal Data that will be Processed in and/or transferred to Restricted Countries so as to ensure the Customer’s compliance with the DPA; in providing and evaluating the Variation, the Parties shall ensure that they have regard to and comply with then-current Customer, Central Government Bodies and Information Commissioner Office policies, procedures, guidance and codes of practice on, and any approvals processes in connection with, the Processing in and/or transfers of Personal Data to any Restricted Countries; and the Supplier shall comply with such other instructions and shall carry out such other actions as the Customer may notify in writing, including: incorporating standard and/or model clauses (which are approved by the European Commission as offering adequate safeguards under the DPA) into this Call Off Contract or a separate data processing agreement between the Parties; and procuring that any Sub-Contractor or other third party who will be Processing and/or receiving or accessing the Personal Data in any Restricted Countries either enters into: a direct data processing agreement with the Customer on such terms as may be required by the Company for legal Customer; or business purposes, that a data processing agreement with the Supplier on terms which are equivalent to those agreed between the Customer and the Sub-Contractor relating to the relevant Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”)transfer, and in each case which the Supplier acknowledges may include the incorporation of model contract provisions (which are approved by the European Commission as offering adequate safeguards under the DPA) and technical and organisation measures which the Customer deems necessary for the purpose of protecting Personal Data. The Supplier shall use its reasonable endeavours to perform its duties or discharge its liabilities in connection with assist the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS Customer to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection comply with any breach of this clause. Notwithstanding obligations under the DPA and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with shall not perform its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion Call Off Contract in such a way as to cause the Customer to breach any of the Purpose; receipt Customer’s obligations under the DPA to the extent the Supplier is aware, or ought reasonably to have been aware, that the same would be a breach of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 abovesuch obligations.

Protection of Personal Data. The Company shall, in relation to Personal Data: fully comply with all requirements of the PDPA, including the requirements concerning the collection, use and disclosure of Personal Data; process Personal Data only in accordance with the written instructions given by IHiS and to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN seven (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 above.

Protection of Personal Data. As a result of this Agreement, Seller and Seller Parties may obtain certain information relating to identified or identifiable individuals (“Personal Data”), including but not limited to, from Platypus on Platypus’s or its affiliate(s)’ behalf and/or from Platypus affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Parties), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without Platypus’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to Platypus if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Parties shall: fully (i) comply with Platypus’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify Platypus of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform Platypus if, in its opinion, an instruction from Platypus infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collectionregulations and international accords or treaties pertaining to Personal Data; (v) take all appropriate legal, use organizational and disclosure technical measures to protect against unlawful and unauthorized processing of Personal Data; process and (vi) promptly notify Platypus’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with Platypus to promptly and effectively handle such requests with respect to Personal Data, and only respond to any such requests if expressly authorized to do so by Platypus. If Personal Data only in accordance with is transferred from the written instructions given European Economic Area or Switzerland to or by IHiS Seller and/or Seller Parties, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to such extent necessary and the appropriate legal instruments for the completion international transfer of data (such as the PurposeEU-U.S. Privacy Shield Framework); promptly deal with or (b) execute: (1) the Standard Contractual Clauses as approved by the European Commission; and (2) where relevant, the Swiss Transborder Data Flow Agreement; or (c) execute mutually agreeable contractual instruments or Binding Corporate Rules (BCR) as such BCR are approved by the relevant supervisory authority. Seller shall be liable for the damage caused to any enquiry from IHiS relating to the Companyindividual as a result of Seller’s processing of Personal Data; , where Seller has not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company complied with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; Section or expiry any applicable laws, regulations and international accords or termination of the NDAtreaties pertaining to Personal Data, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that where it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose acted outside or return of the documents and materials as aforesaid, the Company shall continue contrary to be bound by the undertakings set out in Clauses 3 and 4 abovelawful instructions from Platypus.

Protection of Personal Data. 14.4.1. The Company Vendor represents, warrants, undertakes and agrees as follows: (i) The Vendor shall, in relation its collection, processing, disclosure or other use of Personal Data for SATS, adhere to Personal Data: fully comply with all the requirements of the PDPA, including the requirements concerning the collection, other Applicable Data Protection Laws and this Clause; and (ii) The Vendor shall be liable for its use and processing of the Personal Data and undertakes to fully indemnify SATS in respect of any penalties (including any penalties or other amounts levied, imposed or charged by any regulator or regulatory authority), liabilities, claims, demands, costs, legal fees (solicitor-client basis), losses and damages as a result of any breach of the Vendor’s obligations under this Clause or the Vendor’s fault or negligence in performing these obligations, or any act or omission of the Vendor or any of its officers, employees, advisors, agents and representatives which results in SATS breaching the PDPA and/or other Applicable Data Protection Laws. ; 14.4.2. Without prejudice to the generality of the foregoing, the Vendor shall: (i) disclose, process, store and use the Personal Data only for the purpose of performing its obligations under this Agreement or otherwise in any documented instructions which the Vendor may receive from SATS from time to time, except where required under Applicable Data Protection Laws, in which case, the Vendor shall notify SATS of such disclosure, processing or storage unless prohibited by any Applicable Data Protection Laws; (ii) allow access to the Personal Data to the Vendor’s and any permitted subcontractor’s employees, personnel, agents, principals and contractors strictly on a ‘need to know’ basis provided that they agree to comply with the terms of this Agreement, and ensure that such personnel are bound by substantially similar confidentiality obligations as those set out in this Agreement; (iii) comply with all of SATS’ security policies, standards, requirements and specifications, as notified to the Vendor by SATS in writing from time to time, with respect to safeguarding or dealing with Personal Data; (iv) institute and maintain appropriate technical and organizational safeguards and measures against the unauthorised access, use, or disclosure of Personal Data; process Data that are no less rigorous than the most rigorous practices of SATS and the Vendor, for similar types of information (v) not retain the Personal Data longer than is necessary for the performance of its obligations under this Agreement, and in any event no longer than such period as permitted by Applicable Data Protection Laws or such other period as may be prescribed by SATS (as the case may be) (“Retention Period”); (vi) promptly return, delete or destroy the Personal Data forthwith upon being required by SATS, or upon the expiry of the Retention Period. The Vendor shall promptly confirm at SATS’ request that its obligations herein in respect of the return, deletion and destruction of Personal Data are complied with, and in addition shall notify SATS within ten (10) calendar days of the deletion of any Personal Data in accordance with this Clause; [Note: 10 calendar days’ requirement cannot be negotiated if Personal Data received from SQ will be disclosed, used or processed by Vendor.] (vii) not modify, alter, delete, publish or disclose any Personal Data to any third party (including subcontractors), nor allow any third party (including subcontractors) to process such Personal Data on the Vendor’s behalf immediately without request upon the expiry or earlier termination of this Agreement; (viii) not store in or transfer any Personal Data to any country outside of Singapore, nor process or allow processing or access to Personal Data from outside of Singapore without the prior written consent of SATS, and if consent is given, to transfer Personal Data outside Singapore only in accordance with the written Applicable Data Protection Laws, SATS’ IT security policy and all reasonable instructions given by IHiS of SATS. The Vendor shall also specify the countries and territories to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow which the Personal Data to may be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance transferred; (whether to IHiS or otherwiseix) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to the generality of Clause 4.1 above14.4.2(viii), if such consent is given by SATS, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, Vendor shall in addition to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance foregoing comply with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach Annexure R of this Clause 4 and the Company will undertake, as soon as reasonably practicable, Agreement; and (x) comply with all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings provisions set out in Clauses 3 and 4 above.Annexure Q.]

Protection of Personal Data. As a result of this Agreement, Seller and Seller Parties may obtain certain information relating to identified or identifiable individuals (“Personal Data”), including but not limited to, from ACWN on ACWN’s or its affiliate(s)’ behalf and/or from ACWN affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Parties), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without ACWN’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to ACWN if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Parties shall: fully (i) comply with ACWN’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify ACWN of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform ACWN if, in its opinion, an instruction from ACWN infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collectionregulations and international accords or treaties pertaining to Personal Data; (v) take all appropriate legal, use organizational and disclosure technical measures to protect against unlawful and unauthorized processing of Personal Data; process and (vi) promptly notify ACWN’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with ACWN to promptly and effectively handle such requests with respect to Personal Data, and only respond to any such requests if expressly authorized to do so by ACWN. If Personal Data only in accordance with is transferred from the written instructions given European Economic Area or Switzerland to or by IHiS Seller and/or Seller Parties, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to such extent necessary and the appropriate legal instruments for the completion international transfer of data (such as the PurposeEU-U.S. Privacy Shield Framework); promptly deal with or (b) execute: (1) the Standard Contractual Clauses as approved by the European Commission; and (2) where relevant, the Swiss Transborder Data Flow Agreement; or (c) execute mutually agreeable contractual instruments or Binding Corporate Rules (BCR) as such BCR are approved by the relevant supervisory authority. Seller shall be liable for the damage caused to any enquiry from IHiS relating to the Companyindividual as a result of Seller’s processing of Personal Data; , where Seller has not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company complied with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; Section or expiry any applicable laws, regulations and international accords or termination of the NDAtreaties pertaining to Personal Data, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that where it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose acted outside or return of the documents and materials as aforesaid, the Company shall continue contrary to be bound by the undertakings set out in Clauses 3 and 4 abovelawful instructions from ACWN.

Protection of Personal Data. (a) The Company Vendor represents, warrants, undertakes and agrees as follows: (i) the Vendor shall, in relation its collection, processing, disclosure or other use of Personal Data for SAS, adhere to Personal Data: fully comply with all the requirements of the PDPA, including other Applicable Data Protection Laws and this Clause; (ii) the requirements concerning the collection, Vendor shall be liable for its use and processing of the Personal Data and undertakes to fully indemnify SAS in respect of any penalties (including any penalties or other amounts levied, imposed or charged by any regulator or regulatory authority), liabilities, claims, demands, costs, legal fees (solicitor- client basis), losses and damages as a result of any breach of the Vendor’s obligations under this Clause or the Vendor’s fault or negligence in performing these obligations, or any act or omission of the Vendor or any of its officers, employees, advisors, agents and representatives which results in SAS breaching the PDPA and/or other Applicable Data Protection Laws. (b) Without prejudice to the generality of the foregoing, the Vendor shall: (i) disclose, process, store and use the Personal Data only for the purpose of performing its obligations under this Agreement or otherwise in any documented instructions which the Vendor may receive from SAS from time to time, except where required under Applicable Data Protection Laws, in which case, the Vendor shall notify SAS of such disclosure, processing or storage unless prohibited by any Applicable Data Protection Laws; (ii) allow access to the Personal Data to the Vendor’s and any permitted subcontractor’s employees, personnel, agents, principals and contractors strictly on a ‘need to know’ basis provided that they agree to comply with the terms of this Agreement, and ensure that such personnel are bound by substantially similar confidentiality obligations as those set out in this Agreement; (iii) comply with all of SAS’ security policies, standards, requirements and specifications, as notified to the Vendor by SAS in writing from time to time, with respect to safeguarding or dealing with Personal Data; (iv) institute and maintain appropriate technical and organizational safeguards and measures against the unauthorised access, use, or disclosure of Personal Data; process Data that are no less rigorous than the most rigorous practices of SAS and the Vendor, for similar types of information; (v) not retain the Personal Data longer than is necessary for the performance of its obligations under this Agreement, and in any event no longer than such period as permitted by Applicable Data Protection Laws or such other period as may be prescribed by SAS (as the case may be) (“Retention Period”); (vi) promptly return, delete or destroy the Personal Data forthwith upon being required by SAS, or upon the expiry of the Retention Period. The Vendor shall promptly confirm at SAS’ request that its obligations herein in respect of the return, deletion and destruction of Personal Data are complied with, and in addition shall notify SAS within ten (10) calendar days of the deletion of any Personal Data in accordance with this Clause; (vii) not modify, alter, delete, publish or disclose any Personal Data to any third party (including subcontractors), nor allow any third party (including subcontractors) to process such Personal Data on the Vendor’s behalf immediately without request upon the expiry or earlier termination of this Agreement; and (viii) not store in or transfer any Personal Data to any country outside of Singapore, nor process or allow processing or access to Personal Data from outside of Singapore without the prior written consent of SAS, and if consent is given, to transfer Personal Data outside Singapore only in accordance with the written Applicable Data Protection Laws, SAS’ IT security policy and all reasonable instructions given by IHiS of SAS. The Vendor shall also specify the countries and territories to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow which the Personal Data to may be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings set out in Clauses 3 and 4 abovetransferred.

Protection of Personal Data. 11.4.1. The Company Vendor represents, warrants, undertakes and agrees as follows: (i) The Vendor shall, in relation its collection, processing, disclosure or other use of Personal Data for SATS, adhere to Personal Data: fully comply with all the requirements of the PDPA, including the requirements concerning the collection, other Applicable Data Protection Laws and this Clause; and; (ii) The Vendor shall be liable for its use and processing of the Personal Data and undertakes to fully indemnify SATS in respect of any penalties (including any penalties or other amounts levied, imposed or charged by any regulator or regulatory authority), liabilities, claims, demands, costs, legal fees (solicitor-client basis), losses and damages as a result of any breach of the Vendor’s obligations under this Clause or the Vendor’s fault or negligence in performing these obligations, or any act or omission of the Vendor or any of its officers, employees, advisors, agents and representatives which results in SATS breaching the PDPA and/or other Applicable Data Protection Laws. 11.4.2. Without prejudice to the generality of the foregoing, the Vendor shall: (i) disclose, process, store and use the Personal Data only for the purpose of performing its obligations under this Agreement or otherwise in any documented instructions which the Vendor may receive from SATS from time to time, except where required under Applicable Data Protection Laws, in which case, the Vendor shall notify SATS of such disclosure, processing or storage unless prohibited by any Applicable Data Protection Laws; (ii) allow access to the Personal Data to the Vendor’s and any permitted subcontractor’s employees, personnel, agents, principals and contractors strictly on a ‘need to know’ basis provided that they agree to comply with the terms of this Agreement, and ensure that such personnel are bound by substantially similar confidentiality obligations as those set out in this Agreement; (iii) comply with all of SATS’ security policies, standards, requirements and specifications, as notified to the Vendor by SATS in writing from time to time, with respect to safeguarding or dealing with Personal Data; (iv) institute and maintain appropriate technical and organizational safeguards and measures against the unauthorised access, use, or disclosure of Personal Data; process Data that are no less rigorous than the most rigorous practices of SATS and the Vendor, for similar types of information (v) not retain the Personal Data longer than is necessary for the performance of its obligations under this Agreement, and in any event no longer than such period as permitted by Applicable Data Protection Laws or such other period as may be prescribed by SATS (as the case may be) (“Retention Period”); (vi) promptly return, delete or destroy the Personal Data forthwith upon being required by SATS, or upon the expiry of the Retention Period. The Vendor shall promptly confirm at SATS’ request that its obligations herein in respect of the return, deletion and destruction of Personal Data are complied with, and in addition shall notify SATS within ten (10) calendar days of the deletion of any Personal Data in accordance with this Clause; [Note: 10 calendar days’ requirement cannot be negotiated if Personal Data received from SQ will be disclosed, used or processed by Vendor.] (vii) not modify, alter, delete, publish or disclose any Personal Data to any third party (including subcontractors), nor allow any third party (including subcontractors) to process such Personal Data on the Vendor’s behalf immediately without request upon the expiry or earlier termination of this Agreement; (viii) not store in or transfer any Personal Data to any country outside of Singapore, nor process or allow processing or access to Personal Data from outside of Singapore without the prior written consent of SATS, and if consent is given, to transfer Personal Data outside Singapore only in accordance with the written Applicable Data Protection Laws, SATS’ IT security policy and all reasonable instructions given by IHiS of SATS. The Vendor shall also specify the countries and territories to such extent necessary and appropriate for the completion of the Purpose; promptly deal with any enquiry from IHiS relating to the Company’s processing of Personal Data; not transfer or allow which the Personal Data to may be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance transferred; (whether to IHiS or otherwiseix) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to the generality of Clause 4.1 above11.4.2(viii), if such consent is given by SATS, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, Vendor shall in addition to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance foregoing comply with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach Annexure E of this Clause 4 and the Company will undertake, as soon as reasonably practicable, Agreement; and (x) comply with all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; or expiry or termination of the NDA, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose or return of the documents and materials as aforesaid, the Company shall continue to be bound by the undertakings provisions set out in Clauses 3 and 4 above.Annexure D.]

Protection of Personal Data. As a result of this Agreement, Seller and Seller Affiliates may obtain certain information relating to identified or identifiable individuals (“Personal Data”), including but not limited to, from Apple on Apple’s or its affiliate(s)’ behalf and/or from Apple affiliates located in any jurisdiction. Seller shall have no right, title or interest in Personal Data obtained by it as a result of this Agreement. The Company shalldetails of the type of Personal Data and categories of data subjects shall be determined in a PO, statements of work or other contractual instruments executed in relation connection with this Agreement. Seller may only disclose Personal Data to third parties (including Seller Affiliates), who have a need to know and have signed agreements that require them to protect Personal Data in the same manner as detailed in this Agreement. Seller shall not engage any third party to perform any portion of the Services if such party may obtain or otherwise process Personal Data, without Apple’s prior written consent. Notwithstanding such consent, Seller shall not be relieved of any obligations under this Section and shall remain solely liable to Apple if the third party fails to fulfil its obligations with respect to Personal Data. Seller and Seller Affiliates shall: fully (i) comply with Apple’s or its affiliate’s reasonable instructions regarding Personal Data, unless otherwise required by applicable law, in which case, Seller shall promptly notify Apple of the applicable legal requirement before processing Personal Data, unless such applicable legal requirement prohibits such notification for public interest reasons; (ii) immediately inform Apple if, in its opinion, an instruction from Apple infringes Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 or other applicable data protection laws; (iii) collect, access, maintain, use, process and transfer Personal Data solely for the purpose of performing Seller’s obligations under this Agreement; (iv) comply with all requirements of the PDPAapplicable laws, including the requirements concerning the collectionregulations and international accords or treaties pertaining to Personal Data; (v) take all appropriate legal, use organizational and disclosure technical measures to protect against unlawful and unauthorized processing of Personal Data; process and (vi) promptly notify Apple’s Privacy Counsel at xxxxxxx_xxxxxxxxxxxxx@xxxxx.xxx if it receives any requests from an individual with respect to Personal Data, including but not limited to, “opt-out” specifications, information access requests, information rectification requests and all like requests. Seller shall work with Apple to promptly and effectively handle such requests with respect to Personal Data, and only respond to any such requests if expressly authorized to do so by Apple. If Personal Data only in accordance with is transferred from the written instructions given European Economic Area or Switzerland to or by IHiS Seller and/or Seller Affiliates, as processor and/or sub-processor, to a jurisdiction which the European Commission or, where relevant, the Swiss Federal Data Protection and Information Commissioner, have not determined as ensuring an adequate level of protection of personal data, then Seller shall either: (a) subscribe to such extent necessary and the appropriate legal instruments for the completion international transfer of data (such as the PurposeEU-U.S. Privacy Shield Framework); promptly deal with or (b) execute: (1) the Standard Contractual Clauses as approved by the European Commission; and (2) where relevant, the Swiss Transborder Data Flow Agreement; or (c) execute mutually agreeable contractual instruments or Binding Corporate Rules (BCR) as such BCR are approved by the relevant supervisory authority. Seller shall be liable for the damage caused to any enquiry from IHiS relating to the Companyindividual as a result of Seller’s processing of Personal Data; , where Seller has not transfer or allow the Personal Data to be transferred outside of Singapore, unless expressly instructed or authorised by IHiS; and provide all necessary co-operation and assistance (whether to IHiS or otherwise) to allow access and/or correction of Personal Data in accordance with the PDPA. Without prejudice to Clause 4.1 above, the Company ensure: that any Personal Data belonging to IHiS or its Affiliates which is held by the Company is protected against loss, unauthorised access, use, modification, disclosure or other misuse, and that only authorised personnel have access to that Personal Data; that, to the extent that the Personal Data is no longer required by the Company for legal or business purposes, that Personal Data is destroyed or returned to IHiS in accordance with Clause 5 below; that IHiS is immediately alerted in writing (with full particulars) of any unauthorised access, disclosure or other breach of this Clause 4 and the Company will undertake, as soon as reasonably practicable, all steps to prevent further unauthorised access, disclosure or other breach of this clause (including providing IHiS with such reports or information concerning such steps as and when requested by IHiS); and it keeps itself appraised of any and all notices and circulars which IHiS may from time to time notify to the Company, including without limitation any policies, guidelines, circulars or notices relating to personal data (“PDPA Documentation”), and to perform its duties or discharge its liabilities in connection with the Purpose in a manner which is consistent with the PDPA Documentation, and will not cause IHiS to be in breach of the same. For the purposes of this clause, the Company hereby expressly acknowledges and agrees that it has read the PDPA Documentation and is aware of and will compensate IHiS for any and all potential loss and damage caused to IHiS and/or its Affiliates arising from or in connection with any breach of this clause. Notwithstanding and further to anything stated elsewhere in the NDA, IHiS reserves the right and the Company agrees that IHiS may conduct (or appoint a qualified, independent third party to conduct) an audit and/or assessment of the standard of compliance or non-compliance by the Company complied with its obligations under this Clause 4. The Company shall within SEVEN (7) days of: completion of the Purpose; receipt of a written request from IHiS; Section or expiry any applicable laws, regulations and international accords or termination of the NDAtreaties pertaining to Personal Data, return to IHiS all documents and materials (and all copies thereof) containing IHiS’ Confidential Information or destroy the same, and certify in writing to IHiS that where it has complied with the requirements of this Clause 5.1. Notwithstanding the completion of the Purpose acted outside or return of the documents and materials as aforesaid, the Company shall continue contrary to be bound by the undertakings set out in Clauses 3 and 4 abovelawful instructions from Apple.