Common use of Security of Personal Data Clause in Contracts

Security of Personal Data. The Contractor shall implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage in compliance with best industry standards, having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected. Without limiting the foregoing, the Contractor shall: (a) implement technical and organisational measures to procure the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data including to ensure that any disclosure to an employee, agent or subcontractor is subject to a binding legal obligation to comply with the obligations of the Contractor under this Supplementary Agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data. 
For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor shall not relieve the Contractor of its obligation to comply fully with this Supplementary Agreement, and the Contractor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement; (b) ensure that the Personal Data are stored in a secure (encrypted) digital and physical environment; (c) ensure that all data sharing is executed by secure (end-to-end encrypted) means; (d) implement technical measures including (i) restricting access to data to authorized personnel and devices only, (ii) the use of multi-factor authentication where possible, and passwords to prevent unauthorized access to data and (iii) backing-up data in case of loss or damage; (e) implement organizational measures including (i) securing premises where hard-copy files or computers are stored, (ii) safely disposing of any obsolete hard copy files and (iii) ensuring that portable devices are kept in a secure location at all times when not in use. (f) implement backup processes as agreed between UNHCR and the Contractor to procure the availability of the Personal Data at all times and ensure that UNHCR will have access to such backup of the Personal Data as is reasonably required by UNHCR; (g) comply with any request from UNHCR to amend, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by UNHCR within reasonable timeframes as agreed between the Parties; (h) inform UNHCR of the location of its processing the Personal Data and immediately notify UNHCR of any changes. The Contractor shall process the Personal Data only within member State(s) that have recognized the privileges and immunities of the United Nations pursuant to the General Convention or any other relevant international or national legal instrument. 
Under no circumstance shall any Personal Data of refugees or asylum seekers be transferred to their country of origin.

Appears in 2 contracts

Sources: Supplementary Agreement on the Protection of Personal Data, Supplementary Agreement on the Protection of Personal Data

Security of Personal Data. The Contractor Data Processor shall implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage in compliance with best industry standards, having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected. Without limiting the foregoing, the Contractor Data Processor shall: (a) implement technical and organisational measures to procure the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data including to ensure that any disclosure to an employee, agent or subcontractor sub processor is subject to a binding legal obligation to comply with the obligations of the Contractor Data Processor under this Supplementary Agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data including, without limitation, anti-virus and anti-malware protections, intrusion detection and reporting methods (alerts are captured and analysed in real time).
For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor sub-Processor shall not relieve the Contractor Data Processor of its obligation to comply fully with this Supplementary Agreement, and the Contractor Data Processor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement; (b) ensure that the Personal Data are stored in a secure (encrypted) digital and physical environment; (c) ensure that all UNHCR data sharing is executed by secure (end-to-end encrypted) means, in particular ensure encryption of all devices including mobile devices, storage devices files and databases containing Personal Data and encrypt all communications between UNHCR and the Data Processor, between Data Processor and all third parties (including its Sub-Processors); (d) implement technical measures including (i) restricting access to data to authorized personnel and devices only, (ii) the use of multi-factor authentication where possible, and passwords to prevent unauthorized access to data and (iii) backing-up data in case of loss or damage; (e) implement organizational measures including (i) securing premises where hard-copy files or computers are stored, (ii) safely disposing of any obsolete hard copy files and (iii) ensuring that portable devices are always kept in a secure location at all times when not in use. (f) implement backup processes and reliable storage media as agreed between UNHCR and the Contractor Data Processor to always procure the availability of the Personal Data at all times and ensure that UNHCR will have access to such backup of the Personal Data as is reasonably required by UNHCR. All backup copies of Data shall be retained for a minimum of 12 months following their respective creation. (g) comply with any request from UNHCR to amend, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by UNHCR within reasonable timeframes as agreed between the Parties. At the written election of UNHCR, the Contractor shall either securely destroy or transmit to UNHCR, or to a third party designated in writing by UNHCR, any backup copies of the Data. The Contractor shall provide UNHCR a written certificate indicating the nature or type of Data disposed of, the date of such disposal, and the method of disposal. (h) inform UNHCR of the location of its processing the Personal Data and immediately notify UNHCR of any changes. The Contractor Data Processor shall process the Personal Data only within member State(s) that have recognized the privileges and immunities of the United Nations pursuant to the General Convention or any other relevant international or national legal instrument. Under no circumstance shall any Personal Data of refugees or asylum seekers be transferred to their country of origin.

Information Security. In addition to the requirements set forth in the Article 3.2, the Data Processor shall: comply with UNHCR’s instructions on IT security, include the security controls and countermeasures considered required according to UNHCR information security baselines, and when requested by UNHCR permit information security reviews and/or audits in accordance with Article 3.5 below; implement information security measures which shall be no less protective than those used by the Data Processor to protect its own confidential information, and in no event less than reasonable in view of the nature and type of data involved.
As such, the Contractor shall implement and maintain industry-standard security measures (as evidenced, for example, by an ISO 27001 certificate and/or a SOC 2 type 2 report) to protect UNHCR Data from unauthorized access, disclosure, alteration, and destruction; ensure that Data is logically segregated from other customer’s data to the fullest extent possible; provide the Data Controller at the latest upon the signature of the Agreement with a description of such information security measures, which shall include at least: ensuring the ongoing confidentiality, integrity, availability of processing systems and services; protection of all UNHCR Data against deterioration or degradation of its quality and authenticity; platform has an Intrusion Detection System or Intrusion Prevention System (IDS/IPS) running and its alerts are analysed in real time and is protected by a network firewall or network security group, and the firewall/NSG rules are documented and actively managed by the managing organization; platform is behind a Web Application Firewall (WAF), running in blocking mode (whereby traffic detected as suspicious is automatically blocked); Mobile application interface meet OWASP mobile app standards.

Appears in 1 contract

Sources: Supplementary Agreement

Security of Personal Data. The Contractor shall implement appropriate technical and organisational measures to safeguard the Personal Data from unauthorised or unlawful processing or accidental loss, destruction or damage in compliance with best industry standards, having regard to the state of technological development and the cost of implementing any measures, such measures shall ensure a level of security appropriate to the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage and to the nature of the Personal Data to be protected. Without limiting the foregoing, the Contractor shall: (a) implement technical and organisational measures to procure the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data including to ensure that any disclosure to an employee, agent or subcontractor is subject to a binding legal obligation to comply with the obligations of the Contractor under this Supplementary Agreement including compliance with relevant technical and organisational measures for the confidentiality, privacy, integrity, availability, accuracy and security of the Personal Data.
For the avoidance of doubt, any agreement, contract or other arrangement with an employee, agent or subcontractor shall not relieve the Contractor of its obligation to comply fully with this Supplementary Agreement, and the Contractor shall remain fully responsible and liable for ensuring full compliance with this Supplementary Agreement; (b) ensure that the Personal Data are stored in a secure (encrypted) digital and physical environment; (c) ensure that all data sharing is executed by secure (end-to-end encrypted) means; (d) implement technical measures including (i) restricting access to data to authorized personnel and devices only, (ii) the use of multi-factor authentication where possible, and passwords to prevent unauthorized access to data and (iii) backing-up data in case of loss or damage; (e) implement organizational measures including (i) securing premises where hard-copy files or computers are stored, (ii) safely disposing of any obsolete hard copy files and (iii) ensuring that portable devices are kept in a secure location at all times when not in use. (f) implement backup processes as agreed between UNHCR and the Contractor to procure the availability of the Personal Data at all times and ensure that UNHCR will have access to such backup of the Personal Data as is reasonably required by UNHCR; (g) comply with any request from UNHCR to amend, transfer or delete Personal Data; provide a copy of all or specified Personal Data held by it in a format and or a media reasonably specified by UNHCR within reasonable timeframes as agreed between the Parties; (h) inform UNHCR of the location of its processing the Personal Data and immediately notify UNHCR of any changes. The Contractor shall process the Personal Data only within member State(s) that have recognized the privileges and immunities of the United Nations pursuant to the General Convention or any other relevant international or national legal instrument.
Under no circumstance shall any Personal Data of refugees or asylum seekers be transferred to their country of origin.

Appears in 1 contract

Sources: Supplementary Agreement on the Protection of Personal Data