Common use of Obligations of the Processor Clause in Contracts

Obligations of the Processor. 1. The Processor shall, and shall ensure that each of its employees, approved Subprocessors and any other individual acting under its authority who has access to the Data: a. process Data in accordance with the terms of this Agreement, Appendix GDPR or any other written instructions of the Controller, and only to the extent and in the manner necessary to provide Services, and for no other purpose(s). In the event Applicable Data Protection Law requires Processor to process in a manner not expressly authorized by this Agreement or the Controller’s written instructions, the Processor shall promptly inform the Controller of the applicable legal requirement before processing, unless prohibited from doing so on important public interest grounds, consistent with Applicable Data Protection Law; b. keep the Data confidential and ensure that any person authorized to process the Data for or on behalf of the Processor (including but not limited to any Processor employees and staff and approved Subprocessors) has agreed to keep the Data confidential, or is otherwise under a statutory obligation to protect the confidentiality of the Data; and c. upon reasonable request from the Controller, provide an up-to-date copy of the Data in the format requested by the Controller. 2. In carrying out its obligations under the Agreement and this Appendix GDPR, Processor agrees to comply with all applicable state, federal and laws of other countries or jurisdictions (including, but not limited to, Applicable Data Protection Law), as well as industry best practices, governing the collection, access, use, disclosure, safeguarding and destruction of Data. 3. 
In accordance with Applicable Data Protection Law, and taking into consideration the state of the art, costs of implementation and the nature, scope, context and purposes of processing the Data pursuant to this Agreement, as well as the risks to the rights and freedoms of natural persons and the risks to processing the Data, the Processor represents and warrants that it has implemented appropriate technical and organizational security measures appropriate to such risks, including, as appropriate: (i) the pseudonymisation and encryption of the Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

Appears in 5 contracts

Sources: Purchasing Agreement, Purchasing Agreement, Purchasing Agreement

Obligations of the Processor. 1. The Processor shall, and shall ensure that each of its employees, approved Subprocessors and any other individual acting under its authority who has access to the DataData shall: a. process Data in accordance with the terms of this Agreement, Appendix GDPR DPA or any other written instructions of the Controller, and only to the extent and in the manner necessary to provide Services, and for no other purpose(s). In the event Applicable Data Protection Law EU or Member State law requires Processor to process in a manner not expressly authorized by this Agreement or the Controller’s written instructions, the Processor shall promptly inform the Controller of the applicable legal requirement before processing, unless prohibited from doing so on important public interest grounds, consistent with Applicable Data Protection LawEU or Member State law; b. keep the Data confidential and ensure that any person authorized to process the Data for or on behalf of the Processor (including but not limited to any Processor employees and staff and approved Subprocessors) has agreed to keep the Data confidential, or is otherwise under a statutory obligation to protect the confidentiality of the Data; and c. upon reasonable request from the Controller, provide an up-to-date copy of the Data in the format requested by the Controller. 2. In carrying out its obligations under the Agreement and this Appendix GDPRDPA, the Processor agrees to shall comply with all applicable statelaws and regulations relating to privacy or data protection, federal and laws of other countries or jurisdictions (including, but not limited to, Applicable Data Protection Law), as well as industry best practices, governing the collection, access, use, disclosure, safeguarding and destruction of DataGDPR. 3. 
In accordance with Applicable Data Protection LawGDPR, and taking into consideration the state of the art, costs of implementation and the nature, scope, context and purposes of processing the Data pursuant to this Agreement, as well as the risks to the rights and freedoms of natural persons and the risks to processing the Data, the Processor represents and warrants that it has implemented shall implement appropriate technical and organizational security measures appropriate to such risks, including, as appropriate: (i) the pseudonymisation and encryption of the Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;; (iii) the ability to restore the availability of and access to the Data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. 4. The Processor’s technical and organizational security measures to protect Data shall include, without limitation, the measures set forth in Appendix DS. 5. The Processor shall assist the Controller in ensuring compliance with Controller’s obligations as a Controller by: (a) cooperating with Controller’s implementation of appropriate technical and organizational security measures to ensure the security of processing Data; (b) cooperating with Controller notifications to supervisory authorities and/or data subjects, as applicable, of any breaches of Data; (c) cooperating with Controller’s conduct of data protection impact assessments, including but not limited to, any requirements to consult with a supervisory authority as required by GDPR. Processor shall also cooperate with additional obligations of Controller that may be required of it pursuant to GDPR and other applicable data protection laws. 6. 
In the event of any suspected or actual personal data breach, the Processor shall notify the Controller (via the individual identified by UC in the Agreement to receive Notices relating to Appendix DS on behalf of UC) orally and in writing (including by e-mail) immediately after becoming aware of such breach. All breach reporting of Data shall otherwise be consistent with Article 11 of Appendix DS. 7. Except for transfers of Data to the Controller, the Processor shall not process or transfer any Data to any country outside the EEA except pursuant to prior written approval of the Controller, and at all times in compliance with GDPR and other applicable data protection laws. 8. This section is only applicable if Processor’s Services include the collection of personal data directly from data subjects: In the event Processor’s Services include the collection of personal data directly from data subjects that is to be provided to Controller, unless the parties otherwise agree, the Processor shall be responsible for ensuring that such processing of personal data complies with GDPR requirements, including, but not limited to, obtaining a lawful basis to process the personal data. 9. This section is only applicable if Processor’s Services include the transfer of personal data it has collected or obtained from the EEA to Controller: In the event Processor is transferring personal data it has collected or otherwise obtained from data subjects in the EEA to Controller for the purposes of performing Services, unless the parties otherwise agree on another transfer mechanism which satisfies GDPR requirements, such transfers shall be governed by the Standard Contractual Clauses set forth in Addendum B to this DPA. Processor acknowledges that Controller is subject to U.S. federal and state laws and regulations, including but not limited to public disclosure laws and regulations that may require the retention and disclosure of information that is the subject of the Agreement. 
Any liability, claims or damages of Controller shall be limited to the acts or omissions of the Controller. Processor acknowledges that Controller is a U.S. state public institution and is prohibited from assuming liability for the conduct of persons other than Controller’s officers, agents, employees, students, invitees, and/or guests. 10. The Processor shall return or destroy Data consistent with the provisions of Article 9 of Appendix DS. In the event EU, EU Member State law or EEA state law requires the storage of such Data, the Processor shall promptly inform the Controller of such requirement.

Appears in 2 contracts

Sources: Purchasing Agreement, Purchasing Agreement

Obligations of the Processor. 13.1 The Processor shall Process the Controller Data only on behalf of the Controller, as specified in this Section and Annex I, and solely for the purposes specified by the Controller; however, nothing in the Principal Agreement (including this DPA) shall limit or prevent Processor from collecting or using data that Processor would otherwise collect and process independently of Controller’s use of the Services. The Processor shall: a) Process the Controller Data only in accordance with (i) this DPA; (ii) the instructions regarding processing of Controller Data provided by the Controller; and (iii) Applicable Data Protection Law. If the Processor, in order to comply with Applicable Data Protection Law, is obliged to deviate from the provisions of this DPA and/or the Controller’s instructions, the Processor shall, without undue delay and before further processing of the Controller Data, inform the Controller of such mandatory requirements, unless providing such information violates mandatory law. b) Implement such technical, physical, administrative and organisational security measures and appropriate to the risk that the Processing of the Controller Data may impose on the rights and freedoms of Data Subjects. In assessing the appropriate security levels, and taking appropriate measures, the Processor shall ensure that each account is taken in particular of its employeesthe risks for accidental or unlawful destruction, approved Subprocessors loss or alteration and any other individual acting of the risks of unauthorised disclosure of, or unauthorised access to, the Controller Data as well as of the risk of Personal Data Breaches. c) Ensure that individuals authorised to Process Controller Data have committed to confidentiality or are under its authority who has access an appropriate statutory confidentiality obligation. d) Ensure that individuals Processing Controller Data have undergone relevant training in relation to the Data: a. 
process Data in accordance with the terms of this Agreement, Appendix GDPR or any other written instructions Processing of the Controller Data. e) Assist the Controller by ensuring that the Controller, and only to the extent and in the manner necessary to provide Services, and for no other purpose(s). In the event ’s obligations under Applicable Data Protection Law requires and the DPA are complied with, for example, but not limited to regarding the performance of data protection impact assessments or audits performed by competent supervisory authorities. f) Assist the Controller by implementing appropriate technical and organisational measures to comply with Controller’s obligations in relation to Data Subjects’ requests to exercise their rights under Applicable Data Protection Law. The Processor to process shall immediately notify the Controller of such Data Subject requests. Unless explicitly stated in a manner not expressly authorized by this Agreement or the Controller’s written instructions, provided for in mandatory law or a decision by a competent supervisory authority, the Processor may not respond to a Data Subject’s request. g) Without undue delay, provide the Controller with access to all information required to demonstrate that the Processor’s obligations set out in this DPA have been fulfilled. The Processor shall also enable and contribute to the Controller’s reviews of the Processor's processing of the Controller Data, including audits of the Processor’s premises, equipment and/or systems ("Audits"). The aforementioned shall also apply in relation to third parties authorised by the Controller to perform such reviews and audits on the Controller’s behalf ("Authorized Third Party"), provided however that such Authorized Third Party (i) has executed a non-disclosure agreement appropriate for the purpose; and (ii) is not conducting operations that compete with the Processor’s operations. 
The Controller is responsible for ensuring that reviews and Audits are carried out without unreasonable disruptions of the Processor’s operations, including the activities performed by the Processor’s other customers and their reasonable need for protection of their operations. The Controller shall bear all Authorized Third Party costs as well as its own costs for reviews and Audits. h) Keep a record on the Processing of the Controller Data under this DPA and allow the Controller access to such record at the Controller’s request. i) Ensure that the Controller Data is only Transferred disclosed, transmitted or otherwise made available by the Processor to Sub-processors, if any, who, by agreement with the Processor, are bound by obligations that correspond to and are no less stringent than the Processor’s obligations set out in this DPA. A current list of Sub-processors is provided in Annex III to this DPA; and (ii) copies of agreements with the Sub- processors (to the extent necessary to evidence that Sub-processors are bound by obligations that correspond to the Processor's obligations set out in this DPA and subject to any confidentiality restrictions in place with such Sub-processors from time to time), j) When replacing or hiring a new Sub-processor, ensure that the Controller is given the opportunity to object to such change. If the Controller reasonably and fairly objects to the replacement or hiring of a Sub-processor, the Processor shall promptly ensure that the Sub- processor’s processing of Controller Data is not initiated, or, where applicable, is terminated without unnecessary delay. 
The Controller acknowledges that an objection to a specific Sub-processor may result in (i) limitations in the Processor’s ability to comply with its obligations under the Principal Agreement; and (ii) that the Processor may be entitled to compensation under k) Without undue delay, inform the Controller if the Processor believes the Controller’s instructions violate Applicable Data Protection Law or that Controller Data is processed or may be processed in violation of Applicable Data Protection Law. The Processor is not entitled to stop the processing of the Controller Data unless the Processor can reasonably demonstrate that continued processing would result in that the Processor would violate the DPA, the Principal Agreement and/or Applicable Data Protection Law. l) Without undue delay, inform the Controller of a competent supervisory authority's investigation or audit of the applicable legal requirement before processingController Data, unless providing such information violates mandatory law. m) Without undue delay, notify the Controller of a suspected or confirmed Personal Data Breach related to the Processing of the Controller Data. n) In the event of termination of this DPA, depending on what the Controller requests, delete or return all the Controller Data, including copies thereof, provided however that the Processor is not prohibited from doing so by mandatory law to comply with the Controller’s request. 3.2 If a review or an Audit of the Processor requested by the Controller (according to Section 3.1g) relates to a matter that is covered by an audit report made in accordance with SSAE 16/ISAE 3402 Type II, ISO, NIST or similar, the Controller shall accept the results of that report instead of having the requested review or Audit being performed. 
The aforementioned shall apply only if (i) the audit report has been performed by an independent third party that can reasonably be assumed to possess relevant competencies; (ii) the Processor confirms that the reviewed functions, processes and measures have not changed after the completion of the audit report; (iii) the audit report has been completed no more than 12 months prior to the date on important public interest grounds, which the Controller has made his request for review or Audit; and (iv) both Parties consider that the procedure is consistent with Applicable Data Protection Law; b. keep the Data confidential and ensure that any person authorized to process the Data for or on behalf of the Processor (including but not limited to any Processor employees and staff and approved Subprocessors) has agreed to keep the Data confidential, or is otherwise under a statutory obligation to protect the confidentiality of the Data; and c. upon reasonable request from the Controller, provide an up-to-date copy of the Data in the format requested by the Controller. 2. In carrying out its obligations under the Agreement and this Appendix GDPR, Processor agrees to comply with all applicable state, federal and laws of other countries or jurisdictions (including, but not limited to, Applicable Data Protection Law), as well as industry best practices, governing the collection, access, use, disclosure, safeguarding and destruction of Data. 3. 
In accordance with Applicable Data Protection Law, and taking into consideration the state of the art, costs of implementation and the nature, scope, context and purposes of processing the Data pursuant to this Agreement, as well as the risks to the rights and freedoms of natural persons and the risks to processing the Data, the Processor represents and warrants that it has implemented appropriate technical and organizational security measures appropriate to such risks, including, as appropriate: (i) the pseudonymisation and encryption of the Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

Appears in 2 contracts

Sources: Data Processing Agreement, Data Processing Agreement

Obligations of the Processor. 1. The Processor shall, and shall ensure that each of its employees, approved Subprocessors and any other individual acting under its authority who has access to the Data: a. process Data in accordance with the terms of this Agreement, Appendix GDPR or any other written instructions of the Controller, and only to the extent and in the manner necessary to provide Services, and for no other purpose(s). In the event Applicable Data Protection Law requires Processor to process in a manner not expressly authorized by this Agreement or the Controller’s written instructions, the Processor shall promptly inform the Controller of the applicable legal requirement before processing, unless prohibited from doing so on important public interest grounds, consistent with Applicable Data Protection Law; b. keep the Data confidential and ensure that any person authorized to process the Data for or on behalf of the Processor (including but not limited to any Processor employees and staff and approved Subprocessors) has agreed to keep the Data confidential, or is otherwise under a statutory obligation to protect the confidentiality of the Data; and c. upon reasonable request from the Controller, provide an up-to-date copy of the Data in the format requested by the Controller. 2. In carrying out its obligations under the Agreement and this Appendix GDPR, Processor agrees to comply with all applicable state, federal and laws of other countries or jurisdictions (including, but not limited to, Applicable Data Protection Law), as well as industry best practices, governing the collection, access, use, disclosure, safeguarding and destruction of Data. 3.
In accordance with Applicable Data Protection Law, and taking into consideration the state of the art, costs of implementation and the nature, scope, context and purposes of processing the Data pursuant to this Agreement, as well as the risks to the rights and freedoms of natural persons and the risks to processing the Data, the Processor represents and warrants that it has implemented appropriate technical and organizational security measures appropriate to such risks, including, as appropriate: (i) the pseudonymisation and encryption of the Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

Appears in 1 contract

Sources: Supply Agreement

Obligations of the Processor. 1. The Processor shall, and shall ensure that each of its employees, approved Subprocessors and any other individual acting under its authority who has access to the Data: a. process Data in accordance with the terms of this Agreement, Appendix GDPR or any other written instructions of the Controller in the applicable SOW, and only to the extent and in the manner necessary to provide Services, and for no other purpose(s). In the event Applicable Data Protection Law requires Processor to process in a manner not expressly authorized by this Agreement or the Controller’s written instructions, the Processor shall promptly inform the Controller of the applicable legal requirement before processing, unless prohibited from doing so on important public interest grounds, consistent with Applicable Data Protection Law; b. keep the Data confidential and ensure that any person authorized to process the Data for or on behalf of the Processor (including but not limited to any Processor employees and staff and approved Subprocessors) has agreed to keep the Data confidential, or is otherwise under a statutory obligation to protect the confidentiality of the Data; and c. upon reasonable request from the Controller, provide an up-to-date copy of the Data in the format reasonably requested by the Controller. 2. In carrying out its obligations under the Agreement and this Appendix GDPR, Processor agrees to comply with all applicable state, federal and laws of other countries or jurisdictions (including, but not limited to, Applicable Data Protection Law as applicable to a data processor), as well as industry best practices, governing the collection, access, use, disclosure, safeguarding and destruction of Data. 3.
In accordance with Applicable Data Protection Law, and taking into consideration the state of the art, costs of implementation and the nature, scope, context and purposes of processing the Data pursuant to this Agreement, as well as the risks to the rights and freedoms of natural persons and the risks to processing the Data, the Processor represents and warrants that it has implemented appropriate technical and organizational security measures appropriate to such risks, including, as appropriate and within the Processor’s scope of Services: (i) the pseudonymisation and encryption of the Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

Appears in 1 contract

Sources: Purchasing Agreement

Obligations of the Processor. 1. The Processor shall, and shall ensure that each of its employees, approved Subprocessors and any other individual acting under its authority who has access to the Data: a. process Data in accordance with the terms of this Agreement, Appendix GDPR or any other written instructions of the Controller, and only to the extent and in the manner necessary to provide Services, and for no other purpose(s). In the event EU or member state law requires Processor to process in a manner not expressly authorized by this Agreement or the Controller’s written instructions, the Processor shall promptly inform the Controller of the applicable legal requirement before processing, unless prohibited from doing so on important public interest grounds, consistent with EU or member state law; b. keep the Data confidential and ensure that any person authorized to process the Data for or on behalf of the Processor (including but not limited to any Processor employees and staff and approved Subprocessors) has agreed to keep the Data confidential, or is otherwise under a statutory obligation to protect the confidentiality of the Data; and c. upon reasonable request from the Controller, provide an up-to-date copy of the Data in the format requested by the Controller. 2. In carrying out its obligations under the Agreement and this Appendix GDPR, Processor agrees to comply with all applicable state, federal and laws of other countries or jurisdictions (including, but not limited to, GDPR), as well as industry best practices, governing the collection, access, use, disclosure, safeguarding and destruction of Data. 3.
In accordance with GDPR, and taking into consideration the state of the art, costs of implementation and the nature, scope, context and purposes of processing the Data pursuant to this Agreement, as well as the risks to the rights and freedoms of natural persons and the risks to processing the Data, the Processor represents and warrants that it has implemented appropriate technical and organizational security measures appropriate to such risks, including, as appropriate: (i) the pseudonymisation and encryption of the Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

Appears in 1 contract

Sources: Appendix General Data Protection Regulation