Information Security and Confidentiality.

8.1. AppXite can demonstrate its compliance with the obligations in this DPA by maintaining the ISO 27001 Information Security Management certification, thereby having an independent auditor’s note that AppXite’s information security practices are in conformity with ISO 27001 requirements.

8.2. The Processor shall, in order to assist the Controller to fulfil its legal obligations, including but not limited to security measures and privacy impact assessments, be obliged to take appropriate technical and organizational measures to protect the Personal Data which is Processed and shall thereby follow any written information security requirements or policies communicated by the Controller from time to time. The measures shall at least result in a level of security which is appropriate taking into consideration:
i. the technical possibilities available;
ii. the cost to implement the measures;
iii. the special risks involved with processing of personal data; and
iv. the sensitivity of the personal data.

8.3. The Processor shall maintain adequate security for the Personal Data appropriate to the risk of processing.

8.4. The Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by the Processor shall include, inter alia, as appropriate:
i. the Pseudonymisation and encryption of Personal Data;
ii. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
iii. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
iv. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

8.5. The Processor shall maintain a record of all categories of Processing activities carried out on behalf of the Controller. The Processor shall prepare and keep updated a description of its technical, organisational and physical measures to be and remain compliant with the Applicable Data Protection Law.

8.6. The Processor undertakes not to, without the Controller’s prior written consent, disclose or otherwise make Personal Data Processed under this DPA available to any third party, except for Sub Processors engaged in accordance with this DPA.

8.7. The Processor shall be obliged to ensure that only persons that directly require access to Personal Data in order to fulfil the Processor’s obligations in accordance with the respective Agreement have access to such information. The Processor shall ensure that any persons involved in the Processing of Personal Data have committed themselves to confidentiality or are under proper statutory obligation of confidentiality.