Common use of Provisions Applicable to International Transfers of Personal Data Clause in Contracts

Provisions Applicable to International Transfers of Personal Data. The provisions of this Section 30 apply to AXP Data that is transmitted across any international boundary. The Parties will each comply with their respective obligations under any applicable laws relating to the collection, use, processing, protection or disclosure of data relating to individuals or corporations, including Personal Data (as defined below) during the provision of the Services (including European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and any legislation implementing such article, and any legislation implementing the same in the relevant state (collectively, the “Directive”)) (collectively, “Data Protection Laws”). Neither Party will do any act that puts the other Party in breach of its obligations under the Data Protection Laws and nothing in this Agreement will be deemed to prevent any Party from taking the steps it reasonably deems necessary to comply with the Data Protection Laws. a) The Parties acknowledge that: b) Vendor will, and will cause any Vendor Disclosees to, in a manner that conforms to any time-scales set out in the Directive, and, in any event, as soon as reasonably practicable, comply with any written request by AXP to: c) Vendor will not without AXP’s prior written authorization: d) Vendor will: 1) * ; e) Vendor will indemnify AXP for any breach by Vendor or any Vendor Disclosee of its obligations with respect to data protection under the Amendment. f) Vendor acknowledges that to the extent it is obliged to comply with Article 17 of the Directive in respect of AXP Personal Data, it will comply with such Article 17 including without limitation the following obligations: 1) taking appropriate technical and organizational security measures in accordance with the requirements of the Agreement to safeguard against unauthorized and unlawful processing of AXP Personal Data and against accidental loss or destruction of, or damage to, AXP Personal Data; 2) only processing AXP Personal Data in accordance with written instructions given by AXP, including as set forth in the Amendment; 3) taking reasonable steps to ensure the reliability of those Vendor personnel and Vendor Disclosees that have access to AXP Personal Data; and 4) ensuring that all of the Vendor personnel and Vendor Disclosees involved in processing AXP Personal Data have undergone reasonably adequate training in the care and handling of AXP Personal Data.

Provisions Applicable to International Transfers of Personal Data. The provisions of this Section 30 apply to AXP Data that is transmitted across any international boundary. The Parties will each comply with their respective obligations under any applicable laws relating to the collection, use, processing, protection or disclosure of data relating to individuals or corporations, including Personal Data (as defined below) during the provision of the Services (including European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and any legislation implementing such article, and any legislation implementing the same in the relevant state (collectively, the “Directive”)) (collectively, “Data Protection Laws”). Neither Party will do any act that puts the other Party in breach of its obligations under the Data Protection Laws and nothing in this Agreement will be deemed to prevent any Party from taking the steps it reasonably deems necessary to comply with the Data Protection Laws.. * CONFIDENTIAL TREATMENT REQUESTED a) The Parties acknowledge that: b) Vendor will, and will cause any Vendor Disclosees to, in a manner that conforms to any time-scales set out in the Directive, and, in any event, as soon as reasonably practicable, comply with any written request by AXP to: c) Vendor will not without AXP’s prior written authorization: d) Vendor will: * CONFIDENTIAL TREATMENT REQUESTED 1) * ; e) Vendor will indemnify AXP for any breach by Vendor or any Vendor Disclosee of its obligations with respect to data protection under the Amendment. f) Vendor acknowledges that to the extent it is obliged to comply with Article 17 of the Directive in respect of AXP Personal Data, it will comply with such Article 17 including without limitation the following obligations: 1) taking appropriate technical and organizational security measures in accordance with the requirements of the Agreement to safeguard against unauthorized and unlawful processing of AXP Personal Data and against accidental loss or destruction of, or damage to, AXP Personal Data; 2) only processing AXP Personal Data in accordance with written instructions given by AXP, including as set forth in the Amendment; 3) taking reasonable steps to ensure the reliability of those Vendor personnel and Vendor Disclosees that have access to AXP Personal Data; and 4) ensuring that all of the Vendor personnel and Vendor Disclosees involved in processing AXP Personal Data have undergone reasonably adequate training in the care and handling of AXP Personal Data.. * CONFIDENTIAL TREATMENT REQUESTED Annex 1 Confidentiality and Workstation Rules Agreement The individual specified below (“you” or “your”), in connection with work performed for the company specified below (“Company”) may have access to trade secrets, confidential information, files, records and forms (collectively “Confidential Information”) of American Express Travel Related Services, Inc. and its affiliates (collectively, “American Express”). Confidential Information includes, but is not limited to, any information relating to American Express Card member accounts (“Accounts”), American Express organizational structure, marketing philosophy and objectives, project plans, data models, strategy and vision statements, business initiatives, business requirements, systems design, methodologies, processes, competitive advantages and disadvantages, financial results, product features, systems, operations, technology, customer lists, customer account information, product development, advertising or sales programs and any other information which would give American Express an opportunity to obtain an advantage over its competitors or which American Express is ethically obligated to protect from unauthorized sources. None of such information shall be deemed to be in the public domain. American Express desires to protect its Confidential Information and therefore requires that you agree, as a condition of your performing services (“Services”) pursuant to American Express’ agreement with Company, to safeguard all Confidential Information and not to reveal Confidential Information to any third party (including, without limitation, at conferences, seminars, meetings of professional organizations or by publication in journals or granting of interviews to journalists and other members of the news media) or use Confidential Information for your own benefit or the benefit of any third party, except to the extent necessarily required for your performance of Services. You agree not to discuss Confidential Information in public places. You agree that any work product produced or developed by you in the performance of your Services shall constitute Confidential Information subject to this Agreement and such work product is, and shall remain, the property of American Express. In connection with your use of American Express’ computer workstations and your access to American Express MIS systems, in addition to all other provisions of this Agreement, you agree that: • You will not access your own Account for any reason; • You will not access another employee’s Account if you have personal knowledge that the account holder is an employee; • You will not access any Account held by anyone you know outside of work; • You will not access any Account that you are not required to access as part of your performance of the Services. You will sign off when you leave your workstation and sign back on when you return, including, but not limited to, time away from your desk for breaks, lunch, meetings, etc. You will not give your password to any person and you are not to use another person’s password or identification number. Your password identifies you to the system. The computer system tracks all entries that are made by the person who makes them. If your password is used by anyone in a manner that results in errors or fraud, you would be held accountable for the errors or fraud. All terminals are subject to monitoring and terminal monitoring may occur simultaneously with telephone monitoring. In addition, you should understand that all transactions in the system are recorded by the computer. Printouts listing all transactions by a personal identification number and password are monitored on a regular basis. These rules are extremely important. Any employee who willfully disregards these rules and regulations is subject to discipline, up to and including discharge from employment. You also agree to help safeguard American Express customers’ expectations of privacy by exercising diligence and care in the handling of Confidential Information relating to them. By signing below, you indicate that you understand the above terms and that, as a condition of performing Services, you agree to adhere to them. COMPANY: Full Legal Name Your Name (print) Date Your Signature (Sign Here) EXHIBIT F Purposely left Blank EXHIBIT G DELIVERABLE ENCRYPTION INFORMATION

Provisions Applicable to International Transfers of Personal Data. The provisions of this Section 30 apply to AXP Data that is transmitted across any international boundary. The Parties will each comply with their respective obligations under any applicable laws relating to the collection, use, processing, protection or disclosure of data relating to individuals or corporations, including Personal Data (as defined below) during the provision of the Services (including European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and any legislation implementing such article, and any legislation implementing the same in the relevant state (collectively, the “Directive”)) (collectively, “Data Protection Laws”). Neither Party will do any act that puts the other Party in breach of its obligations under the Data Protection Laws and nothing in this Agreement will be deemed to prevent any Party from taking the steps it reasonably deems necessary to comply with the Data Protection Laws. a) The Parties acknowledge that: 1) [*] 2) [*] 3) [*] 4) [*] 5) [*] b) Vendor will, and will cause any Vendor Disclosees to, in a manner that conforms to any time-scales set out in the Directive, and, in any event, as soon as reasonably practicable, comply with any written request by AXP to: 1) [*] 2) [*] 3) [*] 4) [*] 5) [*] c) Vendor will not without AXP’s prior written authorization: 1) [*] 2) [*] 3) [*] d) Vendor will: : 1) * ;[*] 2) [*] e) Vendor will indemnify AXP for any breach by Vendor or any Vendor Disclosee of its obligations with respect to data protection under the AmendmentAgreement. f) Vendor acknowledges that to the extent it is obliged to comply with Article 17 of the Directive in respect of AXP Personal Data, it will comply with such Article 17 including without limitation the following obligations: 1) taking appropriate technical and organizational security measures in accordance with the requirements of the Agreement to safeguard against unauthorized and unlawful processing of AXP Personal Data and against accidental loss or destruction of, or damage to, AXP Personal Data; 2) only processing AXP Personal Data in accordance with written instructions given by AXP, including as set forth in the AmendmentAgreement; 3) taking reasonable steps to ensure the reliability of those Vendor personnel and Vendor Disclosees that have access to AXP Personal Data; and 4) ensuring that all of the Vendor personnel and Vendor Disclosees involved in processing AXP Personal Data have undergone reasonably adequate training in the care and handling of AXP Personal Data. The individual specified below (you” or “your”), in connection with work performed for the company specified below (“Company”) may have access to trade secrets, confidential information, files, records and forms (collectively “Confidential Information”) of American Express Travel Related Services, Inc. and its affiliates (collectively, “American Express”). Confidential Information includes, but is not limited to, any information relating to American Express Card member accounts (“Accounts”), American Express organizational structure, marketing philosophy and objectives, project plans, data models, strategy and vision statements, business initiatives, business requirements, systems design, methodologies, processes, competitive advantages and disadvantages, financial results, product features, systems, operations, technology, customer lists, customer account information, product development, advertising or sales programs and any other information which would give American Express an opportunity to obtain an advantage over its competitors or which American Express is ethically obligated to protect from unauthorized sources. None of such information shall be deemed to be in the public domain. American Express desires to protect its Confidential Information and therefore requires that you agree, as a condition of your performing services (“Services”) pursuant to American Express’ agreement with Company, to safeguard all Confidential Information and not to reveal Confidential Information to any third-party (including, without limitation, at conferences, seminars, meetings of professional organizations or by publication in journals or granting of interviews to journalists and other members of the news media) or use Confidential Information for your own benefit or the benefit of any third-party, except to the extent necessarily required for your performance of Services. You agree not to discuss Confidential Information in public places. You agree that any work product produced or developed by you in the performance of your Services shall constitute Confidential Information subject to this Agreement and such work product is, and shall remain, the property of American Express. In connection with your use of American Express’ computer workstations and your access to American Express MIS systems, in addition to all other provisions of this Agreement, you agree that: • You will not access your own Account for any reason; • You will not access another employee’s Account if you have personal knowledge that the account holder is an employee; • You will not access any Account held by anyone you know outside of work; • You will not access any Account that you are not required to access as part of your performance of the Services. You will sign off when you leave your workstation and sign back on when you return, including, but not limited to, time away from your desk for breaks, lunch, meetings, etc. You will not give your password to any person and you are not to use another person’s password or identification number. Your password identifies you to the system. The computer system tracks all entries that are made by the person who makes them. If your password is used by anyone in a manner that results in errors or fraud, you would be held accountable for the errors or fraud. All terminals are subject to monitoring and terminal monitoring may occur simultaneously with telephone monitoring. In addition, you should understand that all transactions in the system are recorded by the computer. Printouts listing all transactions by a personal identification number and password are monitored on a regular basis. These rules are extremely important. Any employee who willfully disregards these rules and regulations is subject to discipline, up to and including discharge from employment. You also agree to help safeguard American Express customers’ expectations of privacy by exercising diligence and care in the handling of Confidential Information relating to them. By signing below, you indicate that you understand the above terms and that, as a condition of performing Services, you agree to adhere to them. COMPANY: Full Legal Name Your Name (print) Date Your Signature (Sign Here) The parties agree to establish an internal hierarchy to facilitate resolution of Disputes as set forth below. 1. The JOC Representatives shall discuss the Dispute and negotiate in good faith in an effort to resolve the Dispute without the necessity of any formal proceeding relating thereto (“Level 1 Review”). 2. Upon the written request of either party’s JOC Representative, each party’s Management Representatives shall hold ad hoc meetings and/or informal discussions for the purpose of resolving such Dispute (“Level 2 Review”). The Management Representatives shall meet in person, or by telephone, as often as they reasonably deem necessary in order to gather from and furnish to the other all information with respect to the Dispute which they believe to be appropriate and germane in connection with its resolution. The Management Representatives shall discuss the Dispute and negotiate in good faith in an effort to resolve the Dispute without the necessity of any formal proceeding relating thereto. In the event the Management Representatives are unable to resolve the dispute the Management Representatives shall escalate the matter to executive level management within each company (“Level 3 Review”). 3. If the Dispute cannot be resolved within thirty (30) days of the Level 3 Review, any Dispute (an “Arbitrated Dispute”) shall, after completion of the procedures set forth above, be fully and finally settled and determined by binding arbitration in accordance with the then-current version of the commercial rules of the American Arbitration Association (the “Rules”), and judgment upon an award arising in connection therewith may be entered in any court of competent jurisdiction. The arbitration shall be held before a single arbitrator selected in accordance with the Rules. Any arbitration or court action arising out of, related to, or in connection with this Agreement shall be held in New York City, New York, or, if such proceeding cannot be lawfully held in such location, as near thereto as applicable law permits. All arbitration proceedings and submissions, and the arbitration award, shall be in the English language and the rules of evidence shall apply to all proceedings. 4. Disputes shall be arbitrated on an individual basis. There shall be no right or authority for any Disputes to be arbitrated on a class action basis or in a purported representative capacity on behalf of the general public, other vendors or other persons similarly situated. The arbitrator’s authority to resolve disputes and to make awards is limited to disputes between TRX and AMEX alone, and is subject to the limitations of liability set forth in this Agreement. Furthermore, disputes brought by either party against the other may not be joined or consolidated in arbitration with disputes brought by or against any third party, unless agreed to in writing by all parties. No arbitration award or decision shall be given preclusive effect as to issues or claims in any dispute with anyone who is not a party to the arbitration. Should any portion of this paragraph regarding the arbitrator’s authority to resolve disputes between only TRX and AMEX be stricken from this Agreement or deemed otherwise unenforceable, then this Schedule shall be stricken from this Agreement.