Common use of SECURITY BREACH MANAGEMENT AND NOTIFICATION Clause in Contracts

SECURITY BREACH MANAGEMENT AND NOTIFICATION. Xactly maintains security incident management policies and procedures and shall, to the extent permitted by law, notify Customer’s designated contact as set forth by Customer in the signature block below, without undue delay (and in any event within 72 hours of confirmation), of any breach of security leading to the actual or reasonably suspected unauthorized disclosure of Personal Data by Xactly or its Sub-processors of which Xactly becomes aware (a “Security Breach”). Any such notification is not an acknowledgement of fault or responsibility. To the extent such Security Breach is caused by a violation of the requirements of this DPA by Xactly, Xactly shall make reasonable efforts to identify and remediate the cause of such Security Breach. Xactly will reasonably assist the Customer to comply with its reporting obligations under applicable Data Protection Laws and Regulations in connection with the Security Breach, including by providing at least the following information to the extent available: a) a description of the nature of the Security Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; b) the name and contact details of the data protection officer or other contact point where more information can be obtained; c) a description of the likely consequences of the Security Breach; d) a description of the measures taken or proposed to be taken to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects. In case of a Security Breach and prior to making any required public statement or required notice, Customer agrees to timely provide Xactly with a draft for discussion on the content of its intended required public statements or required notices for the affected Data Subjects and/or required notices to the relevant Regulators regarding the Security Breach to the extent such public statements or notices identify Xactly by name or relate to Xactly's multi- tenant cloud software and/or Services. This draft shall be discussed in a timely fashion and in good faith between the parties. Notwithstanding the preceding sentence, Customer shall not be required to prejudice its obligations under Data Protection Laws and Regulations.

SECURITY BREACH MANAGEMENT AND NOTIFICATION. Xactly maintains Supplier must maintain a security incident management policies procedure to promptly identify, prevent, investigate, mitigate any security breach /incident and procedures and undertake any actions to remedy the impact of such breach/ incident. Supplier shall, to the extent permitted by law, notify Customer’s designated contact as set forth by Customer in the signature block below, without undue delay (promptly and in any event within 72 a reasonable period of time which in no event shall exceed 24 hours of confirmation)after discovery, notify SGS of any breach of security leading to the actual or reasonably suspected unauthorized disclosure disclosure, destruction, alteration or unlawful form of processing of SGS Data, including Personal Data Data, by Xactly Supplier or its Sub-processors of which Xactly Supplier becomes aware (a “Security Breach”). Any such Breach”).Such notification is not an acknowledgement of fault or responsibility. To the extent such Security Breach is caused by a violation of the requirements of this DPA by Xactly, Xactly shall make reasonable efforts to identify and remediate the cause of such Security Breach. Xactly will reasonably assist the Customer to comply with its reporting obligations under applicable Data Protection Laws and Regulations in connection with the Security Breach, including by providing at least the following information to the extent available: a) include:  a description of the nature of the Security Breach including including, where possible, the categories and approximate number of Data Subjects concerned affected by the breach and the categories and the approximate number of Personal Data records concerned; b) ;  the name and contact details of the data protection officer or other point of contact point where more from whom additional information can be obtained; c) ;  a description of the likely consequences of the Security Breach; d) ;  a description of the measures taken or proposed by Controller to be taken to address remedy the Security Breach, including, where appropriate, measures to mitigate any negative consequences.  If, and to the extent that it is not possible to provide all this information at the same time, the information may be communicated in a staggered manner without undue delay. Upon notification, Supplier shall cooperate with SGS in its possible adverse effectsinvestigation of the incident whether discovered by Supplier or a third party and Supplier shall inform SGS with a detailed description of the security breach / incident and in particular: the identity of each affected person and any confirmation which SGS may request concerning such affected persons. In case Supplier shall nominate an individual responsible for management of a Security Breach the breach/ security incident and inform SGS of the same immediately. If requested by SGS, Supplier shall send security notices and to the extent permitted by law, SGS may request to review those notices prior to making issuance and publication by Supplier providing however that SGS shall not refuse any required public statement information which the Supplier is bound to disclose by law or required court decision. Should SGS issue such security notice, Customer agrees Supplier shall provide all reasonable and timely information relating to timely provide Xactly with a draft for discussion on the content of its intended such notice which SGS may need. Other than approved Security notices or otherwise required public statements or required notices for the affected Data Subjects and/or required notices to the relevant Regulators regarding the Security Breach to the extent such public statements or notices identify Xactly by name or relate to Xactly's multi- tenant cloud software and/or Services. This draft shall be discussed in a timely fashion and in good faith between the parties. Notwithstanding the preceding sentencelaw, Customer Supplier shall not be required make or allow any public statement concerning SGS’ involvement with such security breach / incident to prejudice its obligations under Data Protection Laws and Regulationsany third party without SGS’ prior consent.