Common use of Security of the Processing Clause in Contracts

Security of the Processing. (1) The level of security shall take into account: (a) that a large amount of personal data POTENTIALLY can be subject to processing; (b) that, if the scanning session is chosen, a large amount of special and other categories of personal data POTENTIALLY can be subject to processing, and such data can have a high impact on the rights and freedoms of natural persons; (c) but it is EXPECTED that most processing activities will involve no personal data or mostly general personal data, which is why a ‘medium’ level of security must be established. (2) The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organizational security measures that are to be applied to create the necessary (and agreed) level of data security. (3) The Data Processor shall however – in any event and at a minimum – implement the following measures.

The Data Processor undertakes to ensure the following technical measures: (a) that personal data stored in the Data Processor’s files is stored and transferred in an encrypted state, with encryption-at-rest and encryption-at-transit; (b) that personal data stored in the Solution is segregated, so that the personal data and information contained in the Solution cannot be accessed by unauthorized persons; (c) that access to the Solution is controlled, and subject to access control; (d) that necessary security measures are in place to prevent and limit the execution of malware or similar code, including through ongoing updating of software, hardware and communication systems, and code validation; (e) that the Data Controller can see if the content of the Solution has been changed, and in that case, by whom; (f) that the end-users who have used the Solution have the opportunity to correct or add information to the platform themselves; (g) that the Data Controller can extract the necessary data from the solution if the Data Controller wishes to stop using the Solution. Data can be extracted in a machine-readable format by the Data Controller themselves so that the Data Controller’s and Processor’s access to special categories of personal data or confidential information is minimized.

The Data Processor undertakes to ensure the following organizational measures: (a) that encrypted personal data and the encryption keys are stored separately; (b) that the personal data can be recovered following technical or physical incidents, and to have procedures in place in the form of disaster recovery and business continuity plans to ensure continued operations; (c) that personal data in the Solution and regarding the Data Controller is limited to what is absolutely necessary, and that, to the extent possible, the Data Processor and sub-processors are limited to process pseudonymized personal data and do not possess, or are unable to access without the Data Controller’s permission or knowledge, personal data; (d) that third parties who gain legitimate access to the Solution can only get access to encrypted data, that activities that involve access to special and other categories of personal data are logged, and that third parties are subject to a non-disclosure clause; (e) to have procedures in place to detect and handle data breaches, so that the Data Controller can inform the data subjects without undue delay; (f) that, upon discovery of a data breach, the necessary information is registered for the purpose of case analysis and for possible follow-up investigations requested by the Data Controller; (g) procedures for the correct and secure processing of physical material taken from the Solution for legal purposes, including storage, distribution, and data extracted from home offices, and ensure that the Data Processor’s employees are instructed in the correct processing of personal data, have received security training, are subject to non-disclosure clauses and similar or equivalent organizational measures.

Appears in 1 contract

Sources: Data Processing Agreement

Security of the Processing. (1) The level of security shall take into account: (a) that a large amount of special categories of personal data and other categories of personal data can be subject to processing; (b) that the identity of the whistleblowers and any other information from which the identity of the whistleblowers may be directly or indirectly deduced is confidential, (c) that information contained in a report can have a high impact on the rights and freedoms of natural persons; (c) but it is EXPECTED that most processing activities will involve no personal data or mostly general personal data, which is why a ‘medium’ level of security must be established. (2) The Data Processor shall hereafter be entitled and under obligation to make decisions about the technical and organizational security measures that are to be applied to create the necessary (and agreed) level of data security. (3) The Data Processor shall however – in any event and at a minimum – implement the following measures.

The Data Processor undertakes to ensure the following technical measures: (a) that personal data stored in the Data Processor’s files is stored and transferred in an encrypted state, in accordance with best practice for data that may contain confidential information. It is at least encrypted to Advanced Encryption Standard (AES) 256 or an equivalent encryption standard; (b) that communication between the Whistleblower System and the end-users is secured via Secure Sockets Layer (SSL) or takes place via a similarly secured connection that meets applicable requirements; (c) that personal data stored in the Whistleblower System is segregated, so that the personal data and information contained in the reports and the System cannot be accessed by unauthorized persons; (d) that access to the Whistleblower System is controlled, and subject to validation in the form of e.g., multi-factor authentication (MFA), and that access identifiers and login times are recorded and stored for up to 30 (thirty) days; (e) that necessary security measures are in place to prevent and limit the execution of malware or similar code, including through timely updating of software, hardware and communication systems, and code validation, and continuous testing of the hardness and resistance of the Whistleblower System through penetration testing; (f) that the Data Controller can see if the content of the Whistleblower System has been changed, and in that case, by whom; (g) that the end-users who have used the Whistleblower System have the opportunity to correct or add information in the System themselves, and that the end-users have the opportunity to withdraw their report; (h) that the Data Controller can extract the necessary data from the solution if the Data Controller wishes to stop using the Whistleblower System. Data can be extracted in a machine-readable format by the Data Controller themselves so that the Data Controller’s and Processor’s access to special categories of personal data or confidential information is minimized.

The Data Processor undertakes to ensure the following organizational measures: (a) that encrypted personal data and the encryption keys are stored separately; (b) that the personal data can be recovered following technical or physical incidents, and to have procedures in place in the form of disaster recovery and business continuity plans to ensure continued operations; (c) that personal data in the Whistleblower System is limited to what is absolutely necessary, and that, to the extent possible, the Data Processor and sub-processors are restricted to processing pseudonymized personal data and do not possess, or are unable to access without the Data Controller’s permission or knowledge, data and information contained in the reports; (d) that, on the basis of the Data Controller's instructions, the Data Controller can control access to the Whistle Portal, and that changes in access conditions are logged and stored for up to one year, or as long as the contractual relationship lasts; (e) that third parties who gain legitimate access to the Whistleblower System (only) get access to encrypted data, that activities that involve access to special and other categories of personal data or confidential personal data are logged, and that third Parties are subject to a non-disclosure clause; (f) to have procedures in place to detect and handle data breaches, so that the Data Controller can inform the data subjects without undue delay. (g) that, upon discovery of a data breach, the necessary information is registered for the purpose of case analysis and for possible follow-up investigations requested by the Data Controller; (h) procedures for the correct and secure processing of physical material taken from the solution for legal purposes, including storage, distribution and data extracted from home offices, and ensure that the Data Processor’s employees are instructed in the correct processing of personal data, have received security training, are subject to non-disclosure clauses and similar or equivalent organizational measures.

Appears in 1 contract

Sources: Data Processing Agreement