Common use of Security and Audit Clause in Contracts

Security and Audit. 5.1. Sage shall implement and maintain appropriate technical and organisational security measures appropriate to the risks presented by the relevant Processing activity to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage or disclosure. Such measures include, without limitation, the security measures set out in clause 5.3. 5.2. Subject to any existing obligations of confidentiality owed to other parties, we shall make available to you all information reasonably necessary to demonstrate compliance with the obligations set out in this Exhibit A, which may include a summary of any available third party security audit report, or shall, at your sole cost and expense (including, for the avoidance of doubt any expenses reasonably incurred by us), allow for and contribute to independent audits, including inspections, conducted by a suitably-qualified third party auditor mandated by you and approved by us. 5.3. Sage operates, maintain and enforce an information security management programme (“Security Program”) which is consistent with recognised industry best practice. The Security Program contains appropriate administrative, physical, technical and organisational safeguards, policies and controls in the following areas: • Information security policies • Organization of information security • Human resources security • Asset management • Access control • Cryptography • Physical and environmental security • Operations security • Communications security • System acquisition, development and maintenance • Supplier relationships • Information security incident management • Information security aspects of business continuity management • Legislative, regulatory and contractual compliance

Security and Audit. 5.1. Sage shall implement and maintain appropriate technical and organisational security measures appropriate to the risks presented by the relevant Processing activity to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage or disclosure. Such measures include, without limitation, the security measures set out in clause 5.3. 5.2. Subject to any existing obligations of confidentiality owed to other parties, we shall make available to you all information reasonably necessary to demonstrate compliance with the obligations set out in this Exhibit AB, which may include a summary of any available third party security audit report, or shall, at your sole cost and expense (including, for the avoidance of doubt any expenses reasonably incurred by us), allow for and contribute to independent audits, including inspections, conducted by a suitably-qualified third party auditor mandated by you and approved by us. 5.3. Sage operates, maintain and enforce an information security management programme (“Security Program”) which is consistent with recognised industry best practice. The Security Program contains appropriate administrative, physical, technical and organisational safeguards, policies and controls in the following areas: • Information security policies • Organization of information security • Human resources security • Asset management • Access control • Cryptography • Physical and environmental security • Operations security • Communications security • System acquisition, development and maintenance • Supplier relationships • Information security incident management • Information security aspects of business continuity management • Legislative, regulatory and contractual compliance

Security and Audit. 5.1. Sage We shall implement and maintain appropriate technical and organisational security measures appropriate to the risks presented by the relevant Processing activity to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage or disclosure. Such measures include, without limitation, the security measures set out in clause Clause 5.3. 5.2. Subject to any existing obligations of confidentiality owed to other parties, we shall make available to you all information reasonably necessary to demonstrate compliance with the obligations set out in this Exhibit AC, which may include a summary of any available third party security audit report, or shall, at your sole cost and expense (including, for the avoidance of doubt any expenses reasonably incurred by us), allow for and contribute to independent audits, including inspections, conducted by a suitably-qualified third party auditor mandated by you and approved by us. 5.3. Sage operates, maintain and enforce an information security management programme (“Security Program”) which is consistent with recognised industry best practice. The Security Program contains appropriate administrative, physical, technical and organisational safeguards, policies and controls in the following areas: • Information security policies • Organization of information security • Human resources security • Asset management • Access control • Cryptography • Physical and environmental security • Operations security • Communications security • System acquisition, development and maintenance • Supplier relationships • Information security incident management • Information security aspects of business continuity management • Legislative, regulatory and contractual compliance

Security and Audit. 5.1. Sage shall implement and maintain appropriate technical and organisational security measures appropriate to the risks presented by the relevant Processing activity to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage or disclosure. Such measures include, without limitation, the security measures set out in clause 5.3. 5.2. Subject to any existing obligations of confidentiality owed to other parties, we shall make available to you all information reasonably necessary to demonstrate compliance with the obligations set out in this Exhibit A, which may include a summary of any available third party security audit report, or shall, at your sole cost and expense (including, for the avoidance of doubt any expenses reasonably incurred by us), allow for and contribute to independent audits, including inspections, conducted by a suitably-qualified third party auditor mandated by you and approved by us. 5.3. Sage operates, maintain and enforce an information security management programme (“Security Program”) which is consistent with recognised industry best practice. The Security Program contains appropriate administrative, physical, technical and organisational safeguards, policies and controls in the following areas: •  Information security policies • Organization  Organisation of information security •  Human resources security •  Asset management •  Access control •  Cryptography •  Physical and environmental security •  Operations security •  Communications security •  System acquisition, development and maintenance •  Supplier relationships •  Information security incident management •  Information security aspects of business continuity management •  Legislative, regulatory and contractual compliance

Security and Audit. 5.1. Sage shall implement and maintain appropriate technical and organisational security measures appropriate to the risks presented by the relevant Processing activity to protect the Personal Customer Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage or disclosure. Such measures include, without limitation, the security measures set out in clause 5.3. 5.2. Subject to any existing obligations of confidentiality owed to other parties, we shall make available to you all information reasonably necessary to demonstrate compliance with the obligations set out in this Exhibit AB, which may include a summary of any available third party security audit report, or shall, at your sole cost and expense (including, for the avoidance of doubt any expenses reasonably incurred by us), allow for and contribute to independent audits, including inspections, conducted by a suitably-qualified third party auditor mandated by you and approved by us. 5.3. Sage operates, maintain and enforce an information security management programme (“Security Program”) which is consistent with recognised industry best practice. The Security Program contains appropriate administrative, physical, technical and organisational safeguards, policies and controls in the following areas: • Information security policies • Organization of information security • Human resources security • Asset management • Access control • Cryptography • Physical and environmental security • Operations security • Communications security • System acquisition, development and maintenance • Supplier relationships • Information security incident management • Information security aspects of business continuity management • Legislative, regulatory and contractual compliance

Security and Audit. 5.1. Sage We shall implement and maintain appropriate technical and organisational security measures appropriate to the risks presented by the relevant Processing activity to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage or disclosure. Such measures include, without limitation, the security measures set out in clause Clause 5.3. 5.2. Subject to any existing obligations of confidentiality owed to other parties, we shall make available to you all information reasonably necessary to demonstrate compliance with the obligations set out in this Exhibit A, which may include a summary of any available third party security audit report, or shall, at your sole cost and expense (including, for the avoidance of doubt any expenses reasonably incurred by us), allow for and contribute to independent audits, including inspections, conducted by a suitably-qualified third party auditor mandated by you and approved by us. 5.3. Sage operates, maintain and enforce an information security management programme (“Security Program”) which is consistent with recognised industry best practice. The Security Program contains appropriate administrative, physical, technical and organisational safeguards, policies and controls in the following areas: • Information security policies • Organization of information security • Human resources security • Asset management • Access control • Cryptography • Physical and environmental security • Operations security • Communications security • System acquisition, development and maintenance • Supplier relationships • Information security incident management • Information security aspects of business continuity management • Legislative, regulatory and contractual compliance

Security and Audit. 5.1. Sage a. We shall implement and maintain appropriate technical and organisational security measures appropriate to the risks presented by the relevant Processing activity to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage or disclosure. Such measures include, without limitation, the security measures set out in clause 5.3c below. 5.2. b. Subject to any existing obligations of confidentiality owed to other parties, we shall make available to you all information reasonably necessary to demonstrate compliance with the obligations set out in this Exhibit AAppendix B, which may include a summary of any available third party security audit report, or shall, at your sole cost and expense (including, for the avoidance of doubt any expenses reasonably incurred by us), allow for and contribute to independent audits, including inspections, conducted by a suitably-qualified third party auditor mandated by you and approved by us. 5.3. Sage x. XXXX operates, maintain maintains and enforce enforces an information security management programme (“Security Program”) which is consistent with recognised industry best practice. The Security Program contains appropriate administrative, physical, technical and organisational safeguards, policies and controls in the following areas: • Information : 1. information security policies • Organization policies; 2. organisation of information security • Human security; 3. human resources security • Asset management • Access control • Cryptography • Physical security; 4. asset management; 5. access control; 6. cryptography; 7. physical and environmental security • Operations security • Communications security • System security; 8. operations security; 9. communications security; 10. system acquisition, development and maintenance • Supplier relationships • Information maintenance; supplier relationships; 11. supplier relationships; 12. information security incident management • Information management; 13. information security aspects of business continuity management • Legislativemanagement; 14. legislative, regulatory and contractual compliance.

Security and Audit. 5.1. Sage shall implement and maintain appropriate technical and organisational security measures appropriate to the risks presented by the relevant Processing activity to protect the Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage or disclosure. Such measures include, without limitation, the security measures set out in clause 5.35.3 below. 5.2. Subject to any existing obligations of confidentiality owed to other parties, we Sage shall make available to you Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this Exhibit AAddendum, which may include a summary of any available third party security audit report, or shall, at your Customer’s sole cost and expense (including, for the avoidance of doubt any expenses reasonably incurred by usXxxx), allow for and contribute to independent audits, including inspections, conducted by a suitably-qualified third party auditor mandated by you Customer and approved by usSage. 5.3. Sage operates, maintain and enforce an information security management programme (“Security Program”) which is consistent with recognised industry best practice. The Security Program contains appropriate administrative, physical, technical and organisational safeguards, policies and controls in the following areas: • Information security policies • Organization of information security • Human resources security • Asset management • Access control • Cryptography • Physical and environmental security • Operations security • Communications security • System acquisition, development and maintenance • Supplier relationships • Information security incident management • Information security aspects of business continuity management • Legislative, regulatory and contractual compliance.