Common use of DATA SECURITY AND SAFEGUARDS Clause in Contracts

DATA SECURITY AND SAFEGUARDS. Supplier shall implement and maintain at all times appropriate organisational, operational, managerial, physical and technical measures to protect the Personal Data and Purchaser’s any other data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access, so that all processing is in compliance with the Laws and Purchaser’s reasonable written instructions, especially where the processing involves the transmission of data over a network. These measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation. Technical safeguards shall include all technical security controls defined by Supplier, following the recommendations as laid out in ISO/IEC 27000 series (or equivalent, such as SSAE-16(2)) or other recommendations adapted to a level which is suitable, taking into consideration the degree of sensitivity of the personal data, the particular risks which exist, existing technical possibilities, and the costs for carrying out the measures. Supplier shall limit access to the Personal Data to authorised and properly trained personnel with a well-defined “need-to-know” basis, and who are bound by appropriate confidentiality obligations. Supplier shall also ensure by technical and organisational means that Purchaser’s Personal Data is not processed for different purposes (e.g. for different Supplier customers) and that the Personal Data is processed separately from the data of other Supplier customers. Supplier warrants that in performing the Services under the Agreement all necessary precautions are taken by Supplier to prevent loss and alteration of any data, to prevent unauthorised access to Purchaser’s IT environment, to prevent introduction of viruses to Purchaser’s systems, and to prevent improper access to Purchaser’s IT environment and confidential information of Purchaser.

DATA SECURITY AND SAFEGUARDS. The Parties agree that the Information Security Requirements Appendix (See Annex 1 part E) shall apply to the Processing of Personal Data. Further, the Supplier shall shall (i) implement and maintain at all times appropriate organisationalorganizational, operational, managerial, physical and technical measures to protect the Personal Data and Purchaser’s any other Sanoma’s data against accidental, unauthorised unauthorized or unlawful destruction, loss, alteration, disclosure or access, so that all processing is in compliance with the Laws and Purchaser’s reasonable written instructions, especially where the processing Processing involves the transmission of data over a network. These ; (ii) assess the measures necessary to ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation. Technical safeguards shall include ; (iii) ensure that all technical security controls defined by Supplier, following measures implemented comply with the recommendations as laid out in ISO/IEC 27000 series (or equivalentLaws and applicable industry standards, such as ISO 27001/27002 or SSAE-16(2); (iv) or other recommendations adapted to a level which is suitable, taking into consideration the degree of sensitivity of the personal data, the particular risks which exist, existing technical possibilities, and the costs for carrying out the measures. Supplier shall limit access to the Personal Data to authorised authorized and properly trained personnel with a well-defined “need-to-know” basis, and who are bound by appropriate confidentiality obligations. Supplier shall also ; (v) ensure by technical and organisational organizational means that Purchaser’s Personal Data is not processed Processed for different purposes other than those specified in this Appendix or in the relevant agreement or as required by the Laws. For the sake of clarity, the Supplier is not entitled to Process Personal Data for the Supplier's own purposes or other customer's purposes; (e.g. for different Supplier customersvi) and ensure that the Personal Data is processed Processed separately from the data of other Supplier Supplier’s customers. Supplier warrants that ; and (vii) take all necessary precautions in performing the Services under the Agreement all necessary precautions are taken by Supplier to prevent prevent: loss and alteration of any data, to prevent unauthorised unauthorized access to PurchaserSanoma’s IT environment, to prevent introduction of viruses to PurchaserSanoma’s systems, and to prevent improper access to PurchaserSanoma’s IT environment and confidential information of PurchaserSanoma. Sanoma is entitled to give additional supplementary instructions in the field of data security. Those shall be documented in Annex 1, Part E where applicable.

DATA SECURITY AND SAFEGUARDS. Supplier shall implement and maintain at all times appropriate organisational, operational, managerial, physical and technical measures to protect the Personal Data and Purchaser’s any other data against accidental, unauthorised or unlawful destruction, loss, alteration, disclosure or access, so that all processing is in compliance with the Laws and Purchaser’s reasonable written instructions, especially where the processing involves the transmission of data over a network. These measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation. Technical safeguards shall include all technical security controls defined by Supplier, following the recommendations as laid out in ISO/IEC 27000 series (or equivalent, such as SSAE-16(2)) or other recommendations adapted to a level which is suitable, taking into consideration the degree of sensitivity of the personal data, the particular risks which exist, existing technical possibilities, and the costs for carrying out the measures. Supplier shall limit access to the Personal Data to Data Processing Appendix – Appendix 3 to Semantix Supplier Agreement authorised and properly trained personnel with a well-defined “need-to-know” basis, and who are bound by appropriate confidentiality obligations. Supplier shall also ensure by technical and organisational means that Purchaser’s Personal Data is not processed for different purposes (e.g. for different Supplier customers) and that the Personal Data is processed separately from the data of other Supplier customers. Supplier warrants that in performing the Services under the Agreement all necessary precautions are taken by Supplier to prevent loss and alteration of any data, to prevent unauthorised access to Purchaser’s IT environment, to prevent introduction of viruses to Purchaser’s systems, and to prevent improper access to Purchaser’s IT environment and confidential information of Purchaser.

DATA SECURITY AND SAFEGUARDS. The Parties agree that the Information Security Requirements Appendix shall apply to the Processing of Personal Data. Further, the Supplier shall shall (i) implement and maintain at all times appropriate organisationalorganizational, operational, managerial, physical and technical measures to protect the Personal Data and Purchaser’s any other Sanoma’s data against accidental, unauthorised unauthorized or unlawful destruction, loss, alteration, disclosure or access, so that all processing is in compliance with the Laws and Purchaser’s reasonable written instructions, especially where the processing Processing involves the transmission of data over a network. These ; (ii) assess the measures necessary to ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation. Technical safeguards shall include ; (iii) ensure that all technical security controls defined by Supplier, following measures implemented comply with the recommendations as laid out in ISO/IEC 27000 series (or equivalentLaws and applicable industry standards, such as ISO 27001/27002 or SSAE-16(2); (iv) or other recommendations adapted to a level which is suitable, taking into consideration the degree of sensitivity of the personal data, the particular risks which exist, existing technical possibilities, and the costs for carrying out the measures. Supplier shall limit access to the Personal Data to authorised authorized and properly trained personnel with a well-defined “need-to-know” basis, and who are bound by appropriate confidentiality obligations. Supplier shall also ; (v) ensure by technical and organisational organizational means that Purchaser’s Personal Data is not processed Processed for different purposes other than those specified in this Appendix or in the relevant agreement or as required by the Laws. For the sake of clarity, the Supplier is not entitled to Process Personal Data for the Supplier's own purposes or other customer's purposes; (e.g. for different Supplier customersvi) and ensure that the Personal Data is processed Processed separately from the data of other Supplier Supplier’s customers. Supplier warrants that ; and (vii) take all necessary precautions in performing the Services under the Agreement all necessary precautions are taken by Supplier to prevent prevent: loss and alteration of any data, to prevent unauthorised unauthorized access to PurchaserSanoma’s IT environment, to prevent introduction of viruses to PurchaserSanoma’s systems, and to prevent improper access to PurchaserSanoma’s IT environment and confidential information of PurchaserSanoma. Sanoma is entitled to give additional supplementary instructions in the field of data security. Those shall be documented in Annex 1, Part F where applicable.

DATA SECURITY AND SAFEGUARDS. Supplier shall implement and maintain at all times appropriate organisationalorganizational, operational, managerial, physical and technical measures to protect the Personal Data and PurchaserSanoma’s any other data against accidental, unauthorised unauthorized or unlawful destruction, loss, alteration, disclosure or access, access so that all processing is in compliance with the Laws and PurchaserSanoma’s reasonable written instructions, especially where the processing involves the transmission of data over a network. These measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation. Technical safeguards shall include all technical security controls defined by Supplier, following the recommendations as laid out in ISO/IEC 27000 series (or equivalent, such as SSAE-16(2)) or other recommendations adapted to a level which is suitable, taking into consideration the degree of sensitivity of the personal data, the particular risks which exist, existing technical possibilities, and the costs for carrying out the measures). Supplier shall limit access to the Personal Data to authorised authorized and properly trained personnel with a well-defined “need-to-know” basis, and who are bound by appropriate confidentiality obligations. Supplier shall also ensure by technical and organisational organizational means that PurchaserSanoma’s Personal Data is not processed for different purposes (e.g. for different Supplier customers) and that the Personal Data is processed separately from the data of other Supplier customers. Supplier warrants that in performing the Services under the Agreement all necessary precautions are taken by Supplier to prevent loss and alteration of any data, to prevent unauthorised unauthorized access to PurchaserSanoma’s IT environment, to prevent introduction of viruses to PurchaserSanoma’s systems, and to prevent improper access to PurchaserSanoma’s IT environment and confidential information of PurchaserSanoma. [Supplier shall comply with the information security requirements set out in more detail in the Information Security Requirements Annex a Annex 2.]