Common use of Security and Audit Clause in Contracts

Security and Audit.
5.1 Heap may update the security measures set out in Schedule 2, including (where applicable) following any review by Heap of such measures, provided that such variation does not reduce the level of protection afforded to the Customer Personal Data by Heap under this DPA.
5.2 Heap shall treat the Customer Personal Data as the confidential information of the Customer, and shall ensure that (i) access to Customer Personal Data is limited to those employees or other personnel or agents who have a business need to have access to such Customer Personal Data; and (ii) any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
5.3 Upon Customer’s written request, Heap shall provide Customer with a confidential summary report of audits or security assessments conducted by its external auditors to verify the adequacy of its security measures and other information necessary to demonstrate Processor’s compliance with this Addendum. The report will constitute Heap’s Confidential Information under the confidentiality provisions of the Agreement. The Parties may, if applicable Data Protection Law requires, agree to appoint a third-party auditor to verify the adequacy of Heap’s security measures. The cost of any third-party audit will be borne by Customer, the third-party auditor shall not be any company that is a competitor to Heap, and audits shall be conducted in a manner so as to minimize the impact on Heap’s business operations. Unless otherwise required by applicable Data Protection Law, Customer shall exercise this right only if and to the extent Heap’s summary of its audits or security assessments are insufficient to allow Customer to demonstrate compliance with applicable Data Protection Laws.
5.4 With respect to any Customer Personal Data processed by Heap under applicable Data Protection Laws, if Heap or any sub-processor becomes aware of a Security Incident, Heap shall (i) notify the Customer of the Security Incident without undue delay; (ii) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident and (where required) notify data subjects and applicable supervisory authorities of the Security Incident, and (iii) take steps to remedy any non-compliance with this DPA.

Appears in 3 contracts

Sources: Data Processing Addendum, Data Processing Addendum, Data Processing Addendum

Security and Audit.
6.1 The Processor may update the security measures set out in Schedule 24, including (where applicable) following any review by the Processor of such measures in accordance with clause 8.6 of the Standard Contractual Clauses, provided that such variation does not reduce the level of protection afforded to the Customer Personal Data by the Processor under this DPA.
6.2 The Processor shall treat the Customer Personal Data subject to the Standard Contractual Clauses as the confidential information of the Customer, and shall ensure that (i) access to Customer Personal Data is limited to those employees or other personnel or agents who have a business need to have access to such Customer Personal Data; and (ii) any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
6.3 Upon Customer’s written request, Heap shall provide Customer with a confidential summary report of audits or security assessments conducted by its external auditors to verify the adequacy of its security measures and other information necessary to demonstrate Processor’s compliance with this Addendum. The report will constitute Heap’s Confidential Information under the confidentiality provisions of the Agreement. The Parties may, if applicable Data Protection Law requires, agree to appoint a third-party auditor to verify the adequacy of Heap’s security measures. The cost of any third-party audit will be borne by Customer, the third-party auditor shall not be any company that is a competitor to Heap, and audits shall be conducted in a manner so as to minimize the impact on Heap’s business operations. Unless otherwise required by applicable Data Protection Law, Customer shall exercise this right only if and to the extent Heap’s summary of its audits or security assessments are insufficient to allow Customer to demonstrate compliance with applicable Data Protection Laws.
6.4 With respect to any Customer Personal Data processed by the Processor under the Standard Contractual Clauses, if the Processor or any sub-processor becomes aware of a Security Incident, the Processor shall (i) notify the Customer of the Security Incident without undue delay; (ii) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident and (where required) notify data subjects and applicable supervisory authorities of the Security Incident, and (iii) take steps to remedy any non-compliance with this DPA.

Appears in 1 contract

Sources: Data Processing Addendum

Security and Audit.
6.1 Heap may update the security measures set out in Schedule 2, including (where applicable) following any review by Heap of such measures, provided that such variation does not reduce the level of protection afforded to the Customer Personal Data by Heap under this DPA.
6.2 Heap shall treat the Customer Personal Data as the confidential information of the Customer, and shall ensure that (i) access to Customer Personal Data is limited to those employees or other personnel or agents who have a business need to have access to such Customer Personal Data; and (ii) any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
6.3 Upon Customer’s written request, Heap shall provide Customer with a confidential summary report of audits or security assessments conducted by its external auditors to verify the adequacy of its security measures and other information necessary to demonstrate Processor’s compliance with this Addendum. The report will constitute Heap’s Confidential Information under the confidentiality provisions of the Agreement. The Parties may, if applicable Data Protection Law requires, agree to appoint a third-party auditor to verify the adequacy of Heap’s security measures. The cost of any third-party audit will be borne by Customer, the third-party auditor shall not be any company that is a competitor to Heap, and audits shall be conducted in a manner so as to minimize the impact on Heap’s business operations. Unless otherwise required by applicable Data Protection Law, Customer shall exercise this right only if and to the extent Heap’s summary of its audits or security assessments are insufficient to allow Customer to demonstrate compliance with applicable Data Protection Laws.
6.4 With respect to any Customer Personal Data processed by Heap under applicable Data Protection Laws, if Heap or any sub-processor becomes aware of a Security Incident, Heap shall (i) notify the Customer of the Security Incident without undue delay; (ii) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident and (where required) notify data subjects and applicable supervisory authorities of the Security Incident, and (iii) take steps to remedy any non-compliance with this DPA.

Appears in 1 contract

Sources: Data Processing Addendum