Common use of Security of processing Clause in Contracts

Security of processing. The level of security shall reflect a generally high level of security reflecting the types of data being processed. The data processor has aligned its information security management system with the ISO 27001:2022 standard and has implemented and complies with technical and organisational controls in accordance with this standard. In addition, the level of security shall take into account the specific agreed services in the parties’ agreement regarding the data processor’s provision of Services to the data controller: The data processor shall initiate and implement appropriate security measures to protect the personal data provided against accidental or unlawful destruction, loss, alteration, unavailability, unauthorized disclosure of or access to the personal data. The data processor may change the implemented security measures on an ongoing basis; however, changes in security measures must never lead to a deterioration of the agreed security level. In order to ensure an appropriate level of security, the data controller shall make the data protection impact assessment carried out by the data controller for the agreed processing available to the data processor, and the data controller shall regularly update this to the data processor. The data processor is entitled and obliged to make decisions about the technical and organizational security measures to be implemented to establish the necessary (and agreed) security level. The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller: The data processor has a documented information security management system that addresses and describes how information security is implemented across the organization.
The data processor maintains and enforces policies for secure management and processing of information, including personal information, with the objective of ensuring that personal information is processed in accordance with applicable laws and regulations. The data processor has implemented appropriate measures to ensure that all employees are familiar with these policies and the guidelines and controls described within them. The data processor enforces regular mandatory training for all employees in both the GDPR and its practical implications along with training in information security. The data processor has established an audit programme which includes annual audit and review of its policies in relation to the implemented organizational and technical controls relating to access to data, including personal data. With respect to the current technical level, implementation costs and the type, extent, context and purpose of the data processing of personal data, the data processor has implemented and enforces the principles of data protection throughout all phases of the lifecycle of the information and the systems processing it. The data processor ensures that third party suppliers in scope of its information security management system conform to a set of minimum requirements, confidentiality agreements and controls as defined by the data processor. The data processor supervises data sub-processors in accordance with the methodology developed by the Danish Data Agency as described in the “Guide on supervision of data processors” (“Vejledning om tilsyn med databehandlere”), which includes a general assessment of the data sub-processors based on their processing activities, data categories, results from past inspections, and public information.
All premises of the data processor are guarded by access restrictions; only employees of the data processor have access to the premises, and all guests are logged and are not allowed to access the premise areas where personal data is processed or stored without supervision of an employee. The data processor generally minimizes the amount of data, including personal data, which is kept in physical format at its premises. Any sensitive information – including personal data – is stored in locked areas only accessible to select and approved personnel. All physical copies of sensitive information, including personal data, are securely disposed of in accordance with industry practices once no longer required. The data processor strives to only keep back-up information offsite of its physical premises. For back-up stored at any of the data processor’s physical premises, the data is kept in secure areas only accessible to select and approved staff, and access to these areas is logged. The data processor ensures that the personal information provided by the data controller is only accessible by approved personnel in accordance with the data processor’s policies for access control. These policies follow the principle of least privilege regarding access to all data, including data stored online, and the policies and their implementation are reviewed frequently and audited annually. These policies also ensure that access is revoked once no longer necessary. The data processor has implemented a process for changes to permission levels (including permission to access and work with data, including personal data) which includes requirements of management approval. This process is audited annually. Systems which are used by the data processor to process personal information are secured through multifactor authentication. Multifactor authentication is also enforced for all remote access to data and infrastructure.
The data processor enforces the same requirements and principles regarding access to data, including personal data, to its employees regardless of whether the employee is working on premise or remotely. The data processor has implemented encryption of all its online connections to ensure the protection of data during transmission.

Appears in 2 contracts

Sources: Data Processor Agreement, Data Processor Agreement

Security of processing. 1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following: a. Pseudonymisation and encryption of personal data; b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. 2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks. 3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organizational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.
1 References to “Member States” made throughout the Clauses shall be understood as references to “EEA Member States”.
The level of security shall reflect a generally high level of security reflecting the types of data being processed. The data processor has aligned its information security management system with the ISO 27001:2022 standard and has implemented and complies with technical and organisational controls in accordance with this standard. In addition, the level of security shall take into account the specific agreed services in the parties’ agreement regarding the data processor’s provision of Services to the data controller: The data processor shall initiate and implement appropriate security measures to protect the personal data provided against accidental or unlawful destruction, loss, alteration, unavailability, unauthorized disclosure of or access to the personal data. The data processor may change the implemented security measures on an ongoing basis; however, changes in security measures must never lead to a deterioration of the agreed security level. In order to ensure an appropriate level of security, the data controller shall make the data protection impact assessment carried out by the data controller for the agreed processing available to the data processor, and the data controller shall regularly update this to the data processor. The data processor is entitled and obliged to make decisions about the technical and organizational security measures to be implemented to establish the necessary (and agreed) security level. The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller: The data processor has a documented information security management system that addresses and describes how information security is implemented across the organization.
The data processor maintains and enforces policies for secure management and processing of information, including personal information, with the objective of ensuring that personal information is processed in accordance with applicable laws and regulations. The data processor has implemented appropriate measures to ensure that all employees are familiar with these policies and the guidelines and controls described within them. The data processor enforces regular mandatory training for all employees in both the GDPR and its practical implications along with training in information security. The data processor has established an audit programme which includes annual audit and review of its policies in relation to the implemented organizational and technical controls relating to access to data, including personal data. With respect to the current technical level, implementation costs and the type, extent, context and purpose of the data processing of personal data, the data processor has implemented and enforces the principles of data protection throughout all phases of the lifecycle of the information and the systems processing it. The data processor ensures that third party suppliers in scope of its information security management system conform to a set of minimum requirements, confidentiality agreements and controls as defined by the data processor.
The data processor supervises data sub-processors in accordance with the methodology developed by the Danish Data Agency as described in the “Guide on supervision of data processors” (“Vejledning om tilsyn med databehandlere”), which includes a general assessment of the data sub-processors based on their processing activities, data categories, results from past inspections, and public information. All premises of the data processor are guarded by access restrictions; only employees of the data processor have access to the premises, and all guests are logged and are not allowed to access the premise areas where personal data is processed or stored without supervision of an employee. The data processor generally minimizes the amount of data, including personal data, which is kept in physical format at its premises. Any sensitive information – including personal data – is stored in locked areas only accessible to select and approved personnel. All physical copies of sensitive information, including personal data, are securely disposed of in accordance with industry practices once no longer required. The data processor strives to only keep back-up information offsite of its physical premises. For back-up stored at any of the data processor’s physical premises, the data is kept in secure areas only accessible to select and approved staff, and access to these areas is logged. The data processor ensures that the personal information provided by the data controller is only accessible by approved personnel in accordance with the data processor’s policies for access control. These policies follow the principle of least privilege regarding access to all data, including data stored online, and the policies and their implementation are reviewed frequently and audited annually. These policies also ensure that access is revoked once no longer necessary.
The data processor has implemented a process for changes to permission levels (including permission to access and work with data, including personal data) which includes requirements of management approval. This process is audited annually. Systems which are used by the data processor to process personal information are secured through multifactor authentication. Multifactor authentication is also enforced for all remote access to data and infrastructure. The data processor enforces the same requirements and principles regarding access to data, including personal data, to its employees regardless of whether the employee is working on premise or remotely. The data processor has implemented encryption of all its online connections to ensure the protection of data during transmission.

Appears in 2 contracts

Sources: Data Processing Agreement, Data Processing Agreement

Security of processing. 1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following: a. Pseudonymisation and encryption of personal data; b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. 2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks. 3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organizational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.
The level of security shall reflect a generally high level of security reflecting the types of data being processed. The data processor has aligned its information security management system with the ISO 27001:2022 standard and has implemented and complies with technical and organisational controls in accordance with this standard. In addition, the level of security shall take into account the specific agreed services in the parties’ agreement regarding the data processor’s provision of Services to the data controller: The data processor shall initiate and implement appropriate security measures to protect the personal data provided against accidental or unlawful destruction, loss, alteration, unavailability, unauthorized disclosure of or access to the personal data. The data processor may change the implemented security measures on an ongoing basis; however, changes in security measures must never lead to a deterioration of the agreed security level. In order to ensure an appropriate level of security, the data controller shall make the data protection impact assessment carried out by the data controller for the agreed processing available to the data processor, and the data controller shall regularly update this to the data processor. The data processor is entitled and obliged to make decisions about the technical and organizational security measures to be implemented to establish the necessary (and agreed) security level. The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller: The data processor has a documented information security management system that addresses and describes how information security is implemented across the organization.
The data processor maintains and enforces policies for secure management and processing of information, including personal information, with the objective of ensuring that personal information is processed in accordance with applicable laws and regulations. The data processor has implemented appropriate measures to ensure that all employees are familiar with these policies and the guidelines and controls described within them. The data processor enforces regular mandatory training for all employees in both the GDPR and its practical implications along with training in information security. The data processor has established an audit programme which includes annual audit and review of its policies in relation to the implemented organizational and technical controls relating to access to data, including personal data. With respect to the current technical level, implementation costs and the type, extent, context and purpose of the data processing of personal data, the data processor has implemented and enforces the principles of data protection throughout all phases of the lifecycle of the information and the systems processing it. The data processor ensures that third party suppliers in scope of its information security management system conform to a set of minimum requirements, confidentiality agreements and controls as defined by the data processor.
The data processor supervises data sub-processors in accordance with the methodology developed by the Danish Data Agency as described in the “Guide on supervision of data processors” (“Vejledning om tilsyn med databehandlere”), which includes a general assessment of the data sub-processors based on their processing activities, data categories, results from past inspections, and public information. All premises of the data processor are guarded by access restrictions; only employees of the data processor have access to the premises, and all guests are logged and are not allowed to access the premise areas where personal data is processed or stored without supervision of an employee. The data processor generally minimizes the amount of data, including personal data, which is kept in physical format at its premises. Any sensitive information – including personal data – is stored in locked areas only accessible to select and approved personnel. All physical copies of sensitive information, including personal data, are securely disposed of in accordance with industry practices once no longer required. The data processor strives to only keep back-up information offsite of its physical premises. For back-up stored at any of the data processor’s physical premises, the data is kept in secure areas only accessible to select and approved staff, and access to these areas is logged. The data processor ensures that the personal information provided by the data controller is only accessible by approved personnel in accordance with the data processor’s policies for access control. These policies follow the principle of least privilege regarding access to all data, including data stored online, and the policies and their implementation are reviewed frequently and audited annually. These policies also ensure that access is revoked once no longer necessary.
The data processor has implemented a process for changes to permission levels (including permission to access and work with data, including personal data) which includes requirements of management approval. This process is audited annually. Systems which are used by the data processor to process personal information are secured through multifactor authentication. Multifactor authentication is also enforced for all remote access to data and infrastructure. The data processor enforces the same requirements and principles regarding access to data, including personal data, to its employees regardless of whether the employee is working on premise or remotely. The data processor has implemented encryption of all its online connections to ensure the protection of data during transmission.

Appears in 2 contracts

Sources: Data Processing Agreement, Data Processing Agreement

Security of processing. 5.1. Article 32 in the GDPR stipulates that, considering the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following: a. Pseudonymisation and encryption of personal data; b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. 5.2. According to Article 32 in the GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks. 5.3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 in the GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 in the GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 in the GDPR. If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor than those already implemented by the data processor pursuant to Article 32 in the GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.
The level of security shall reflect a generally high level of security reflecting the types of data being processed. The data processor has aligned its information security management system with the ISO 27001:2022 standard and has implemented and complies with technical and organisational controls in accordance with this standard. In addition, the level of security shall take into account the specific agreed services in the parties’ agreement regarding the data processor’s provision of Services to the data controller: The data processor shall initiate and implement appropriate security measures to protect the personal data provided against accidental or unlawful destruction, loss, alteration, unavailability, unauthorized disclosure of or access to the personal data. The data processor may change the implemented security measures on an ongoing basis; however, changes in security measures must never lead to a deterioration of the agreed security level. In order to ensure an appropriate level of security, the data controller shall make the data protection impact assessment carried out by the data controller for the agreed processing available to the data processor, and the data controller shall regularly update this to the data processor. The data processor is entitled and obliged to make decisions about the technical and organizational security measures to be implemented to establish the necessary (and agreed) security level. The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller: The data processor has a documented information security management system that addresses and describes how information security is implemented across the organization.
The data processor maintains and enforces policies for secure management and processing of information, including personal information, with the objective of ensuring that personal information is processed in accordance with applicable laws and regulations. The data processor has implemented appropriate measures to ensure that all employees are familiar with these policies and the guidelines and controls described within them. The data processor enforces regular mandatory training for all employees in both the GDPR and its practical implications along with training in information security. The data processor has established an audit programme which includes annual audit and review of its policies in relation to the implemented organizational and technical controls relating to access to data, including personal data. With respect to the current technical level, implementation costs and the type, extent, context and purpose of the data processing of personal data, the data processor has implemented and enforces the principles of data protection throughout all phases of the lifecycle of the information and the systems processing it. The data processor ensures that third party suppliers in scope of its information security management system conform to a set of minimum requirements, confidentiality agreements and controls as defined by the data processor.
The data processor supervises data sub-processors in accordance with the methodology developed by the Danish Data Agency as described in the “Guide on supervision of data processors” (“Vejledning om tilsyn med databehandlere”), which includes a general assessment of the data sub-processors based on their processing activities, data categories, results from past inspections, and public information. All premises of the data processor are guarded by access restrictions; only employees of the data processor have access to the premises, and all guests are logged and are not allowed to access the premise areas where personal data is processed or stored without supervision of an employee. The data processor generally minimizes the amount of data, including personal data, which is kept in physical format at its premises. Any sensitive information – including personal data – is stored in locked areas only accessible to select and approved personnel. All physical copies of sensitive information, including personal data, are securely disposed of in accordance with industry practices once no longer required. The data processor strives to only keep back-up information offsite of its physical premises. For back-up stored at any of the data processor’s physical premises, the data is kept in secure areas only accessible to select and approved staff, and access to these areas is logged. The data processor ensures that the personal information provided by the data controller is only accessible by approved personnel in accordance with the data processor’s policies for access control. These policies follow the principle of least privilege regarding access to all data, including data stored online, and the policies and their implementation are reviewed frequently and audited annually. These policies also ensure that access is revoked once no longer necessary.
The data processor has implemented a process for changes to permission levels (including permission to access and work with data, including personal data) which includes requirements of management approval. This process is audited annually. Systems which are used by the data processor to process personal information are secured through multifactor authentication. Multifactor authentication is also enforced for all remote access to data and infrastructure. The data processor enforces the same requirements and principles regarding access to data, including personal data, to its employees regardless of whether the employee is working on premise or remotely. The data processor has implemented encryption of all its online connections to ensure the protection of data during transmission.

Appears in 1 contract

Sources: Data Processing Agreement

Security of processing. 1. Article 32 of the Data Protection Regulation states that the data controller and the data processor, taking into account the current technical level, the implementation costs and the nature, scope, context and purpose of the processing in question, as well as the risks of varying probability and seriousness for physical rights and freedoms of individuals, implement appropriate technical and organizational measures to ensure a level of protection appropriate to these risks. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. This includes the following: a. Pseudonymization and encryption of personal data, here especially regarding the data processor’s relation to sub-data processor(s). See Appendix B.1. b. the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services. c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. d. a procedure for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all the information necessary to identify and evaluate such risks.
3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organizational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. If subsequently, in the assessment of the data controller, mitigation of the identified risks requires further measures to be implemented by the data processor than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.

Appears in 1 contract

Sources: Data Processing Agreement

Security of processing. 1. Article 32 of the GDPR states that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
2. The Data Controller shall assess the risk to the rights and freedoms of natural persons associated with the processing and implement measures to mitigate these risks.
3. In accordance with Article 32 of the GDPR, the Data Processor shall also - independently of the Data Controller - assess the risk to the rights and freedoms of natural persons associated with the processing and implement measures to mitigate these risks. In order to ensure this, the Data Controller shall provide the Data Processor with all information necessary to identify and assess such risks.
4. Furthermore, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller's obligations under Article 32 of the GDPR, by, among other things, providing the Data Controller with information about the technical and organizational measures already implemented by the Data Processor in accordance with Article 32 of the GDPR, together with any other information necessary for the Data Controller to be able to comply with its obligation under Article 32 of the GDPR.
5. If the reduction of the identified risks later - in the Data Controller's assessment - requires the implementation of further measures by the Data Processor, beyond those already implemented by the Data Processor in accordance with Article 32 of the GDPR, the Data Controller shall specify these additional measures in writing. The Data Processor shall not be obliged to comply with any request from the Data Controller for such additional measures unless the additional measures requested by the Data Controller are reasonable and proportionate in all the circumstances.

Appears in 1 contract

Sources: Data Processing Agreement

Security of processing. 1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following: a. Pseudonymisation and encryption of personal data; b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.

Appears in 1 contract

Sources: Data Processing Agreement

Security of processing. 1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following: a. Pseudonymization and encryption of personal data; b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.
3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organizational measures already implemented by the data processor pursuant to Article 32 GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR. If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix C.

Appears in 1 contract

Sources: Data Processing Agreement

Security of processing. 1. Article 32 of the GDPR states that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
2. The Data Controller shall assess the risk to the rights and freedoms of natural persons associated with the processing and implement measures to mitigate these risks.
3. In accordance with Article 32 of the GDPR, the Data Processor shall also - independently of the Data Controller - assess the risk to the rights and freedoms of natural persons associated with the processing and implement measures to mitigate these risks. In order to ensure this, the Data Controller shall provide the Data Processor with all information necessary to identify and assess such risks.
4. Furthermore, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller's obligations under Article 32 of the GDPR, by, among other things, providing the Data Controller with information about the technical and organisational measures already implemented by the Data Processor in accordance with Article 32 of the GDPR, together with any other information necessary for the Data Controller to be able to comply with its obligation under Article 32 of the GDPR.
5. If the reduction of the identified risks later - in the Data Controller's assessment - requires the implementation of further measures by the Data Processor, beyond those already implemented by the Data Processor in accordance with Article 32 of the GDPR, the Data Controller shall specify these additional measures in writing. The Data Processor shall not be obliged to comply with any request from the Data Controller for such additional measures unless the additional measures requested by the Data Controller are reasonable and proportionate in all the circumstances.

Appears in 1 contract

Sources: Data Processing Agreement (Dpa)

Security of processing. 1. Article 32 of the GDPR stipulates that, in consideration of the current technical level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Data Controller shall evaluate the risk presented by processing to the rights and freedoms of natural persons and implement measures to mitigate these risks. Depending on their relevance, such measures can include: a. the pseudonymisation and encryption of personal data; b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. According to Article 32 of the GDPR, the Data Processor – acting independently of the Data Controller – shall also evaluate the risk presented by processing to the rights and freedoms of natural persons and implement measures to mitigate such risks. With a view to making this evaluation, the Data Controller is obliged to place information at the Data Processor’s disposal to allow the Data Processor to identify and evaluate the risks involved.

3. Moreover, the Data Processor shall assist the Data Controller in meeting the latter’s obligations pursuant to Article 32 of the GDPR, including, among other ways, providing the Data Controller with information about the technical and organisational security measures that the Data Controller has already implemented in compliance with Article 32 and any other information that may be necessary for the Data Controller to meet its obligations in pursuance of Article 32 of the GDPR. If the Data Controller evaluates that mitigating the risks thus identified requires the implementation of further measures than those the Data Processor has already implemented, the Data Controller shall note the additional measures that shall be implemented in Appendix C.

Appears in 1 contract

Sources: Data Processor Agreement

Security of processing. 1. Article 32 of the GDPR stipulates that, taking into account the current technical level, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to these risks. The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following: a. Pseudonymisation and encryption of personal data; b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

2. According to Article 32 of the GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.

3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 of the GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 of the GDPR along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 of the GDPR. If - in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor than those already implemented pursuant to Article 32 of the GDPR, the data controller shall specify these additional measures in Appendix C.

1 References to “Member States” made throughout the Clauses shall be understood as references to “EEA Member States”.

Appears in 1 contract

Sources: Standard Contractual Clauses

Security of processing. 1. Article 32 of the GDPR stipulates that, in consideration of the current technical level, implementation costs and the nature, scope, context and purposes of processing and the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and the Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The Data Controller shall evaluate the risk presented by processing to the rights and freedoms of natural persons and implement measures to mitigate these risks. Depending on their relevance, such measures can include: a. the pseudonymisation and encryption of personal data; b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. According to Article 32 of the GDPR, the Data Processor – acting independently of the Data Controller – shall also evaluate the risk presented by processing to the rights and freedoms of natural persons and implement measures to mitigate such risks. With a view to making this evaluation, the Data Controller is obliged to place information at the Data Processor’s disposal to allow the Data Processor to identify and evaluate the risks involved.

3. Moreover, the Data Processor shall assist the Data Controller in meeting the latter’s obligations pursuant to Article 32 of the GDPR, including, among other ways, providing the Data Controller with information about the technical and organisational security measures that the Data Controller has already implemented in compliance with Article 32 and any other information that may be necessary for the Data Controller to meet its obligations in pursuance of Article 32 of the GDPR. If the Data Controller evaluates that mitigating the risks thus identified requires the implementation of further measures than those the Data Processor has already implemented, the Data Controller shall note the additional measures that shall be implemented in Appendix C.

Appears in 1 contract

Sources: Data Processing Agreement