Common use of TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND Clause in Contracts

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND. ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA EXPLANATORY NOTE: The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers. Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. If you have enquiries about the British Council possible measure for this Agreement, then please contact the British Council’s Information Governance & Risk Management Team (XxxxXxxxxxxxxx@xxxxxxxxxxxxxx.xxx) for further guidance - Delete this paragraph before finalising and signing the Agreement [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter ………………………..

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND. ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA EXPLANATORY NOTE: The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers. Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. If you have enquiries about the British Council possible measure for this Agreement, then please contact the British Council’s Information Governance & Risk Management Team (XxxxXxxxxxxxxx@xxxxxxxxxxxxxx.xxx) for further guidance - Delete this paragraph before finalising and signing the Agreement [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing Measures for user identification and authorisation Measures for the protection of data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter ……………………….. For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter ………………………..

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND. ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA MODULE TWO: Transfer controller to processor EXPLANATORY NOTE: The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers. Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. If you have enquiries about the British Council possible measure for this Agreement, then please contact the British Council’s Information Governance & Risk Management Team (XxxxXxxxxxxxxx@xxxxxxxxxxxxxx.xxx) for further guidance - Delete this paragraph before finalising and signing the Agreement [Examples of possible measures: ● Measures of pseudonymisation and encryption of personal data ● Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services ● Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident ● Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing ● Measures for user identification and authorisation ● Measures for the protection of data during transmission ● Measures for the protection of data during storage ● Measures for ensuring physical security of locations at which personal data are processed ● Measures for ensuring events logging ● Measures for ensuring system configuration, including default configuration ● Measures for internal IT and IT security governance and management ● Measures for certification/assurance of processes and products ● Measures for ensuring data minimisation ● Measures for ensuring data quality ● Measures for ensuring limited data retention ● Measures for ensuring accountability ● Measures for allowing data portability and ensuring erasure] erasure For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter ………………………..● Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services ● Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident ● Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing ● Measures for the protection of data during transmission ● Measures for the protection of data during storage ● Measures for ensuring physical security of locations at which personal data are processed ● Measures for ensuring events logging ● Measures for ensuring system configuration, including default configuration ● Measures for internal IT and IT security governance and management ● Measures for certification/assurance of processes and products

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND. ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA MODULE ONE: Transfer controller to controller MODULE TWO: Transfer controller to processor MODULE THREE: Transfer processor to processor EXPLANATORY NOTE: The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers. Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. If you have enquiries about Data importer will maintain administrative, physical, and technical safeguards for protection of the British Council possible measure for this Agreementsecurity, then please contact confidentiality and integrity of any Personal Data uploaded to the British Council’s Information Governance & Risk Management Team SCC Services or otherwise maintained on behalf of data exporter (XxxxXxxxxxxxxx@xxxxxxxxxxxxxx.xxx) for further guidance - Delete this paragraph before finalising as Data Controller). Data importer reserves the right to update the security controls from time-to-time, provided that at no time shall data importer materially and signing to the Agreement adverse impact of data exporter, decrease the overall security of the SCC Services during a subscription term. [Examples of possible measures: • Measures of pseudonymisation and encryption of personal data • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing • Measures for user identification and authorisation • Measures for the protection of data during transmission • Measures for the protection of data during storage • Measures for ensuring physical security of locations at which personal data are processed • Measures for ensuring events logging • Measures for ensuring system configuration, including default configuration • Measures for internal IT and IT security governance and management • Measures for certification/assurance of processes and products • Measures for ensuring data minimisation • Measures for ensuring data quality • Measures for ensuring limited data retention • Measures for ensuring accountability • Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-sub- processor, to the data exporter ………………………..exporter

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND. ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA EXPLANATORY NOTE: The As of the date of this DPA, Xxxxxxxx’s technical and organisational organizational measures include the following: Category Sub-category Measures Organization of Information Security Segregation of duties Provider shall ensure that conflicting duties and areas of responsibility are segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the assets supporting the Service delivered. Human resource security Screening When allowed by law, Provider shall systematically perform, or engage a third-party screening company to do, background checks on employees or third parties working on the contract, including but not limited to the following checks: - Person’s identity and address - Academic qualifications - Work experience Terms and conditions of employment Provider shall systematically include in the contract of employment of his employees: - Unauthorized Disclosure of Sensitive Information - Data Protection legislation Management responsibilities Provider's staff shall periodically receive security training. Provider’s management must be described in specific ensure that employees and contractors: - are aware of and understand their information security roles and responsibilities prior to being granted access to confidential information or information systems - are provided with information security expectations associated with their role within the organization and related to Customer Asset Management Acceptable use of assets Provider shall develop, implement and maintain a comprehensive Acceptable Use Policy for its Information Assets. Handling of assets Without prejudice to Provider’s obligations, Provider shall (and not genericshall procure that its sub-contractors shall) termsin accordance with Good Industry Practice protect against corruption, loss or disclosure all Customer’s confidential information. See also Logical Security / Access Access control policy Provider shall properly manage Access control, including the general comment following topics: - Policy on the first page use of network services - User registration and de-registration - User Access Provisioning - Management of privileged access rights - Management of secret authentication information on users - Review of user access rights - Removal or adjustment of access rights - Use of secret authentication information - Information access restriction - Secure log-on procedures - Password management system - Use of privileged utility programs - Access control to program source code Physical and environmental security Physical security perimeter Provider shall properly manage security policy, including the Appendixfollowing topics: - Physical security perimeter - Securing office, in particular on the need to clearly indicate which measures apply to each transfer/set room and facilities - Equipment siting and protection - Security disposal or re-use of transfers. Description of the technical equipment - Unattended user equipment Operations Security Documented operating procedures Provider shall develop, implement and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks maintain comprehensive operating processes for the rights Services provided and freedoms underlying IT, including the following topics: - Change management, including emergency changes - Separation of natural persons. If you have enquiries about the British Council possible measure for this Agreementdevelopment, then please contact the British Council’s test and operational environments - Controls against malware - Information Governance & Risk backup - Event logging - Protection of log information - Installation of software on operational systems - Management Team (XxxxXxxxxxxxxx@xxxxxxxxxxxxxx.xxx) for further guidance - Delete this paragraph before finalising and signing the Agreement [Examples of possible measures: Measures of pseudonymisation and encryption of personal data Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident Processes for regularly testing, assessing and evaluating the effectiveness of technical vulnerabilities and organisational measures patching Security requirements analysis and specification Provider shall ensure that development activities are carried out in order to ensure the security of the processing Measures accordance with a documented system development methodology. This methodology shall consider OWASP recommendations for user identification and authorisation Measures Web application development or other secure development methodologies suitable for the protection development environment. (in x.x. XxxXxxXxx). The following topics shall be addressed: - Security requirements analysis and specification - Securing applications services on public networks - Protecting application services transactions - Secure development policy - Outsourced development - System security testing - System acceptance testing - Protection of test data during transmission Measures for the protection of data during storage Measures for ensuring physical security of locations at which personal data are processed Measures for ensuring events logging Measures for ensuring system configuration, including default configuration Measures for internal IT Communications Security Network controls Provider shall ensure that its network is designed and IT security governance and management Measures for certification/assurance of processes and products Measures for ensuring data minimisation Measures for ensuring data quality Measures for ensuring limited data retention Measures for ensuring accountability Measures for allowing data portability and ensuring erasure] For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor implemented so as to be able to provide assistance cope with current and predicted levels of traffic and shall be protected using all available in-built security controls. Topics to be addressed are: - Network controls - Security of network services - Segregation in networks - Information transfer policies and procedures - Agreements on information transfer Electronic messaging Provider shall ensure that its electronic messaging systems (in e.g. mail, instant messaging) are protected by a combination of policy (including a usage policy), training and documented procedural and technical security controls. Supplier Relationships Information security policy for supplier relationships Provider shall ensure that services required to support the Services provided to the controller andCustomer shall be obtained from service providers capable of providing security controls no less rigorous than those that the Service Provider is required to comply with pursuant to this Schedule. When possible, such services shall be provided under appropriate contracts. When available, Provider shall ensure that agreements with Sub-contractors include a right for transfers from the Provider to conduct a processor to a sub-processor, security review for the purposes of ensuring they are meeting the Provider’s obligations under this Agreement. The results of any such security review shall be provided to the data exporter ………………………..Customer promptly on request.

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND. ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA EXPLANATORY NOTEMODULE TWO: Transfer controller to processor The technical and organisational measures must be are described in specific (OneSpan’s Privacy and not generic) termsSecurity Schedule. See also They include the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers. Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons. If you have enquiries about the British Council possible measure for this Agreement, then please contact the British Council’s Information Governance & Risk Management Team (XxxxXxxxxxxxxx@xxxxxxxxxxxxxx.xxx) for further guidance - Delete this paragraph before finalising and signing the Agreement [Examples of possible following measures: • Measures of pseudonymisation and encryption of personal data • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing • Measures for user identification and authorisation • Measures for the protection of data during transmission • Measures for the protection of data during storage • Measures for ensuring physical security of locations at which personal data are processed • Measures for ensuring events logging • Measures for ensuring system configuration, including default configuration • Measures for internal IT and IT security governance and management • Measures for certification/assurance of processes and products • Measures for ensuring data minimisation • Measures for ensuring data quality • Measures for ensuring limited data retention • Measures for ensuring accountability • Measures for allowing data portability and ensuring erasure] erasure For transfers to (sub-) processorssubprocessors, also describe OneSpan has agreed in each data processing agreement with such subprocessors on the specific technical and organisational measures to be taken by the (sub-) processor each subprocessor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter ………………………..controller.