Common use of Additional Safeguards Clause in Contracts

Additional Safeguards. 1. In the event of an EEA Transfer or a UK Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate: a. Company shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from Partner to Company and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data. b. Company will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”). c. If Company becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise: I. Company shall inform the relevant government authority that Company is a processor of the Personal Data and that Partner, the Controller, has not authorized Company to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon Partner in writing; II. Partner will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under Company’s control. Notwithstanding the above, Partner acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, Company has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (e)(II) shall not apply. In such event, Company shall notify Partner, as soon as possible, following the access by the government authority, and provide Partner with relevant details of the same, unless and to the extent legally prohibited to do so. 2. Once in every 12-month period, Company will inform Partner, at Partner’s written request of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.

Additional Safeguards. 1. In the event of an EEA Transfer or a UK any Cross-Border Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate: a. Company The Data Importer shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from Partner the Data Exporter to Company the Data Importer and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data. b. Company The Data Importer will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR GDPR, FADP or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”).; c. If Company the Data Importer becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Customer’s Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise: I. Company The Data Importer will notify the Data Exporter immediately after first becoming aware of such demand for access to Customer’s Personal Data and provide the Data Exporter with all relevant details of the same, unless and to the extent legally prohibited to do so; II. The Data Importer shall inform the relevant government authority that Company the Data Importer is a processor of the Customer’s Personal Data and that Partner, the Controller, Data Exporter and/or Controller has not authorized Company the Data Importer to disclose the Customer’s Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Customer’s Personal Data should therefore be notified . III. to or served upon Partner the Data Exporter and/or Controller in writing; IIIV. Partner The Data Importer will use commercially reasonable legal mechanisms to challenge any such demand for access to Customer’s Personal Data which is under Companythe Data Importer’s control. Notwithstanding the above, Partner (a) the Data Exporter acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Customer’s Personal Data, Company the Data Importer has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (e)(IIc)(III) shall not apply. In such event, Company the Data Importer shall notify Partnerthe Data Exporter, as soon as possible, following the access by the government authority, and provide Partner the Data Exporter with relevant details of the same, unless and to the extent legally prohibited to do so. 2. Once in every 12-month period, Company the Data Importer will inform Partnerthe Data Exporter, at Partnerthe Data Exporter’s written request request, to the extent permitted by applicable law, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.

Additional Safeguards. 1. In the event of an EEA Transfer Transfer, a UK Transfer, or a UK Swiss Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate: a. Company The data importer as defined in Part 1 of this Schedule 2 shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from Partner the data exporter as defined in Part 1 of this Schedule 2 to Company the data importer and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data. b. Company The data importer will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or the UK GDPR, or the AFDP, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”).; c. If Company the data importer becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise: I. Company The data importer shall inform the relevant government authority that Company Riverside is a processor of the Personal Data and that Partnerthe data exporter, as the Controllercontroller, has not authorized Company Riverside to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon Partner the Controller in writing; II. Partner The data importer will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under Companythe data importer’s control. Notwithstanding the above, Partner (a) the data exporter acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, Company the data importer has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (e)(II) shall not apply. In such event, Company the data importer shall notify Partnerthe data exporter, as soon as possible, following the access by the government authority, and provide Partner the data exporter with relevant details of the same, unless and to the extent legally prohibited to do so. 2. Once in every 12-month period, Company the data importer will inform Partnerthe data exporter, at Partnerthe data exporter’s written request request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.

Additional Safeguards. 1. In the event of an EEA Transfer or a UK Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate: a. Company accessiBe shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from Partner the Customer to Company accessiBe and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data. b. Company will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”). c. If Company accessiBe becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise: I. Company accessiBe shall inform the relevant government authority that Company accessiBe is a processor of the Personal Data and that Partner, the Controller, Customer has not authorized Company accessiBe to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon Partner the Customer in writing; II. Partner accessiBe will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under CompanyaccessiBe’s control. Notwithstanding the above, Partner (a) the Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, Company accessiBe has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (e)(II) shall not apply. In such event, Company accessiBe shall notify Partnerthe Customer, as soon as possible, following the access by the government authority, and provide Partner the Customer with relevant details of the same, unless and to the extent legally prohibited to do so. 2. Once in every 12-month period, Company accessiBe will inform Partnerthe Customer, at Partnerthe Customer’s written request request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.