Ancillary Terms

Governance & Reporting

1. Reporting Obligation

1.1. Reporting topics

(i) Team Cymru will comply with the reasonable reporting obligations to allow performance measurement, governance of the contractual relationship and monitoring of activities relevant for CLIENT's compliance with legal and regulatory requirements.

Executive Summaries of standard reports that are available are:

  • ISO/IEC 27001 audit report
  • NIST 800-171 self-assessment
  • CIS-CSAT report
  • Penetration Testing reports
  • Front End Failover reports, if available for the product concerned

(ii) On a quarterly basis, Team Cymru will conduct with CLIENT a QBR (quarterly business review) summarizing all critical incidents, support requests, SLAs and any related Service Credits.

2. Risk Assessment and Mitigation

Team Cymru agrees to reasonably cooperate with CLIENT to clarify any questions relating to the risk assessment or segmentation, share additional information with CLIENT and/or CLIENT risk assessment providers, and if requested by CLIENT, reasonably discuss and agree upon mitigation actions in order to restore an adequate risk profile that is acceptable to CLIENT.

Business Continuity and Disaster Recovery

DISASTER RECOVERY AND BUSINESS CONTINUITY PLAN

1. CONTACT.

The following individual will serve as Team Cymru’s single point of contact for disaster recovery and business continuity issues:

Team Cymru DRBCP Contact:

Name:  Andrew Korty

Title:  Network and Security Operations Manager

Telephone Number:  +1-847-378-3315

E-mail:  secops@cymru.com

Address: 901 International Parkway, Suite 350, Lake Mary, FL  32746


2. DEFINITIONS.

The following terms will have the following meanings when used in this Schedule:

“Recovery Time Objective” or “RTO” means the maximum time that a business, or a specific business function, can be out of service before it experiences material, adverse impact, as determined by CLIENT.  The business or business function will not be considered “in service” until all external and internal dependencies, including data, application, and infrastructure required by the business have been recovered.

“Recovery Point Objective” or “RPO” is the point in time to which data must be recovered after a system outage, limiting the loss of data to within manageable levels as required by the CLIENT (e.g., point of failure, or the -2, -4, -8, -24, … hour backup).

3. DRBCP COMPONENTS.

Components.  Team Cymru’s DRBCP will include or address, as applicable, the following:

  • process descriptions and Recovery Time Objective classifications;
  • recovery strategy;
  • business and technology dependency solutions;
  • identification of all application inbound and outbound interfaces needed to meet the Service Levels;
  • recovery team roles and responsibilities;
  • restoration procedures;
  • client contacts;
  • offsite locations of plan.


In addition to the above, for technology recovery plans the following will be included:

  • roles and responsibilities of recovery personnel
  • infrastructure components associated with the application or service
  • software (operating system, utilities, application programs)
  • upstream and downstream dependencies associated with the application or services targeted in the technology recovery action plan
  • detailed recovery steps including activities, step durations, key person dependencies, component dependencies, and required supporting documentation that will enable recovery of IT services to normal procedure operation
  • detailed Logical Diagram (Technical Architecture)


Recovery Strategy.  Team Cymru’s DRBCP will cover the following recovery strategies in order to maximize the ability to fully recover from various disaster scenarios:

  • planned loss of application
  • unplanned loss of application
  • planned loss of site
  • unplanned loss of site


Recovery Strategy.  Team Cymru’s DRBCP will cover the following recovery strategies in order to maximize the ability to fully recover from various disaster scenarios:  multiple operation sites in different geographical zones, ability to move staff to an alternate location, ability to work from home, ability to transfer work to trained staff at other locations, etc.


Notification and Escalation Plan.  Team Cymru will maintain a notification and escalation plan for contacting CLIENT during a disaster or other event requiring use of the DRBCP, and Team Cymru will update the CLIENT contact names and alternates at least annually.


Management Review and Approval.  At least annually, Team Cymru’s management will review and approve Team Cymru’s DRBCP.


4. DRBCP OBJECTIVES.

Team Cymru’s DRBCP will be designed to meet the following objectives:

Service/System/Component        RTO         RPO
Internet Connectivity           24 Hours    -48 Hours
Internet Firewall               24 Hours    -48 Hours
Web Proxy                       24 Hours    -48 Hours
Web Application                 24 Hours    -48 Hours
Augury/Recon System Database    24 Hours    -48 Hours

5. INVOCATION OF DRBCP.

Upon invocation of Team Cymru’s DRBCP, in the event of a disaster or other event requiring the invocation of the DRBCP, Team Cymru will ensure that its recovery consists of recovering all applicable business and technology components (e.g., infrastructure recovery, application recovery, business validation testing) in order to avoid material, adverse impact.

6. TESTING.

Team Cymru Testing.  In addition to any testing requirements set forth in the Master Agreement, Team Cymru will perform the following testing:

(a)   Team Cymru will conduct an end-to-end disaster recovery resiliency exercise, as defined under the testing methodology table below, on an annual basis.  Among other things, such testing will validate the following, as applicable:  (i) availability of all system functionality; (ii) system connectivity to the Internet; (iii) communication links to and from the back-up recovery facility; (iv) achievement of Recovery Time Objective, Recovery Point Objective, and Service Levels; and (v) maintenance of documentation on historical test objectives, outcomes and resolved issues.  Additionally, Team Cymru’s test will assess the recovery strategies and capabilities of third-party providers used to support Team Cymru in its provision of Services and other Deliverables to CLIENT.

(b)   Within thirty days after completion of the testing, Team Cymru will provide to CLIENT a report including a written description of all DRBCP test results in sufficient detail to allow CLIENT to assess the success of each test.  Such report will include pre- and post-test substantiation; evidence of RTO against published expected values; and the actual measured RTC (Recovery Time Capability).  RTC cannot exceed RTO.  The appropriate business personnel associated with the application will be invited to participate during the test execution to verify that the post-test application function meets normal operating requirements.  Team Cymru will implement any reasonable recommendations made by CLIENT arising from CLIENT’s analysis of the test results.

Testing Methods.  As part of the above testing, the following testing methods will be utilized by Team Cymru or CLIENT, at CLIENT’s request or option, as applicable:

Internet Connectivity:  Internet Connectivity failover is tested through a combination of the following tests:

  • Shutting down interfaces on the Internet Routers to test failover to the remaining Internet Connections
  • Shutting down individual Internet Routers to test failover to the remaining Internet Connections and Internet Routers
  • Shutting down all site Internet Routers to test failover of Internet Connectivity to a secondary site

Internet Firewall:  Internet Firewall failover is tested through a combination of the following tests:

  • Shutting down interfaces on the Internet Firewalls to test failover to the secondary Internet Firewall
  • Shutting down individual Internet Firewalls to test failover to the remaining Internet Firewall

Web Proxy:  Web Proxy failover is tested by updating DNS to utilize the remaining active Web Proxies

Web Application:  Web Application failover is tested by dynamically adjusting Web Proxy settings to utilize the active Web Application servers

Augury/Recon System Database:  Augury/Recon System Database recovery is tested by adjusting the configuration to utilize the backup System Database server

Testing Method:  Disaster Recovery Test

Testing Requirements:  The Disaster Recovery Test measures the business function’s ability to recover the technology services (e.g., system/application/data/process) from a backup source and resume operations in order to meet the applicable RTO and RPO requirements.  The frequency of this test will be every 360 days.  This test is appropriate only for applications not classified by CLIENT as Band 1.

Remediation Plans.  If during any testing, Team Cymru (i) fails to achieve full recovery within the applicable RTOs or RPOs, or (ii) fails to demonstrate its ability to maintain full production volumes and meet all applicable Service Levels while in recovery mode, Team Cymru will develop and implement, with reasonable promptness, a remediation plan to address such failure and will conduct a retest within 180 days of the failure.

Anti-bribery and Corruption, Sanctions and Fraud

(All arrangements with service providers who provide a service to or for CLIENT must be evidenced by a written agreement and contain minimum contractual clauses covering anti-bribery and corruption.  Such written agreements between the service provider and CLIENT include any agreement or contract between the Parties, including each supply order, task order, statement of work or similar document entered into as part of such. The written agreement should include the anti-bribery and corruption clauses set forth below, unless it can be demonstrated that the risks they address are appropriately mitigated by other means or alternative language.)

Capitalized terms herein shall have the meaning as defined in the Agreement between the Parties, if not otherwise stated herein. The Parties agree that in the event of any conflict with the other terms of the Agreement, the terms of this Exhibit will prevail.

1. Anti-bribery/corruption

a)     CLIENT does not tolerate any form of bribery in any of its business dealings.

b)     Team Cymru represents and warrants, to the best of its knowledge, that neither it nor any person acting on its behalf, is controlled directly or indirectly by any official, agent, employee, or representative of (or person acting in an official capacity of):

  i.   a national, supranational, regional, or local government; an agency, department or instrumentality of a government;
  ii.  an entity with an aggregate 25% or more government ownership or control by one of the foregoing;
  iii. a judicial body;
  iv.  a public international organization;
  v.   a political party; or
  vi.  any body that exercises regulatory authority over CLIENT;
  vii. Exchanges;

including candidates for public office or for political party positions as well as members of royal or ruling families as well as, where known, immediate family members and close associates of all parties mentioned in this clause (each a "Public Official").

c)     Team Cymru shall promptly notify CLIENT if circumstances during the term of the Agreement render the preceding representation and warranty inaccurate.

Team Cymru further represents and warrants that it is familiar with applicable anti-corruption laws and regulations, including the Foreign Corrupt Practices Act of 1977, as amended, the UK Bribery Act 2010 and the applicable anti-bribery and corruption laws and regulations of Singapore and has not, and will not, violate these laws. Team Cymru shall not engage in any form of bribery, collusive practice or any other form of corruption and confirms that it will not extort, solicit, receive, offer, promise or give any undue financial or other advantage whether directly or indirectly in connection with the Agreement or any other dealings with CLIENT. 

d)     Furthermore, neither Team Cymru nor any person acting on its behalf, shall

  i.  authorize the giving of, offer, promise of or give, directly or indirectly, anything of value to any Public Official or any other person for the purpose of influencing or inducing the recipient to act or refrain from acting in relation to the performance of his/her official duties, in order to secure any improper advantage, or to obtain, retain, or direct business for or to any person or entity. This includes where there is knowledge or firm belief that all or a portion of the payment or gift will be offered, given, or promised, directly or indirectly, to any Public Official or person;
  ii. offer, promise or give a bribe or seek to extort a bribe either directly or indirectly from CLIENT or from an officer, agent, director, employee, contractor or advisor of CLIENT or any entity (a) that controls CLIENT, (b) that is controlled by CLIENT or (c) that is controlled by an entity that also controls CLIENT.

e)     If Team Cymru's performance under the Agreement is determined by CLIENT to be contrary to any applicable anti-corruption laws or Team Cymru’s representations as set forth in this Exhibit,  Team Cymru will be disqualified as a Service Provider (meaning that CLIENT has the right to automatically reject any proposal, bid or offer from Team Cymru in the future, and CLIENT has the right to terminate any existing contract with Team Cymru without notice and Team Cymru agrees that CLIENT may treat such termination as occurring for material breach).

f)      Team Cymru shall not, in the performance of their obligations under the Agreement, transfer anything of value to a Public Official that has discretion over the business at issue or is otherwise closely connected to it, without the prior written consent of CLIENT. Transactions subject to prior approval should include (but are not limited to): monetary payments; business entertainment; meals, lodging or travel expenses; and gifts.  Any cash payments to Public Officials are strictly prohibited.

g)     Team Cymru shall not retain any agents, sub-agents, representatives, consultants, or other persons to assist in carrying out Team Cymru’s duties under this Agreement without the prior written consent of CLIENT.  Where CLIENT has provided such consent, Team Cymru shall ensure that any contracted third party/subcontractor engaged with respect to the performance of the obligations under the Agreement will comply with the terms and conditions of this Exhibit. Team Cymru shall inform CLIENT immediately if it or any of its contracted third parties/subcontractors are solicited in any way for a bribe of any kind in performance of their obligations under the Agreement.

h)    As an Audax portfolio company, Team Cymru participates and complies with the Environmental, Social and Governance (ESG) Policy of the Audax Private Equity Group as detailed here: https://www.audaxprivateequity.com/system/uploads/fae/file/asset/242/Audax_Group_ESG_Policy.pdf and here: https://www.audaxgroup.com/citizenship

2. Fraud

If during the duration of an Agreement Team Cymru or a person who is or was a member of the board of directors or executive committee of Team Cymru is convicted or found guilty of a crime relating to fraud, corruption, money laundering or tax evasion by a competent local, state or federal court, or other relevant regulatory authority or government body for matters which are connected to the contractual obligations of Team Cymru, Team Cymru may be disqualified as a Service Provider (meaning that CLIENT has the right to reject any proposal, bid or offer from Team Cymru in the future, and CLIENT has the right to terminate any existing contract with Team Cymru without notice and Team Cymru agrees that CLIENT may treat such termination as occurring for material breach).

Should Team Cymru or a person who is or was a member of the board of directors or executive committee of Team Cymru be involved in an ongoing proceeding run by an official body mentioned and due to charges of a crime listed above, but not yet be convicted, CLIENT shall also have the right to disqualify Team Cymru as a Service Provider. This right shall be limited to cases where the reputation of CLIENT is negatively affected.

3. Sanctions

Team Cymru shall not directly or indirectly deal with (i) a Restricted Party; or (ii) a Sanctioned Country in connection with its dealings with CLIENT.

Team Cymru represents and warrants that neither it nor its affiliates, subsidiaries, or its or their respective directors, officers, agents, employees, are Restricted Parties.

For the purpose of this clause:

"Restricted Party" means a person, entity, or any other party, including, without limitation, official or de facto authorities

  i.   located, domiciled, resident, incorporated or operating in a Sanctioned Country; or
  ii.  subject to any sanctions lists administrated by any Sanctioning Authority; or
  iii. owned or controlled by a person, entity or any other party as defined in (i) and (ii) herein;

"Sanctioned Country" means any country/region subject from time to time to any sanctions and/or trade embargoes administrated by any Sanctioning Authority, as well as any other country notified by CLIENT as a Sanctioned Country. Currently these are the Crimea Region, Cuba, Iran, North Korea, and Syria; but reference should be made to https://ofac.treasury.gov/sanctions-programs-and-country-information

"Sanctioning Authority" means any authority responsible for the administration of sanctions and embargoes in the United Nations, the European Union, Switzerland, the United States of America (Office of Foreign Assets Control of the US Department of Treasury) and in any other applicable country notified from time to time by CLIENT for the purpose of this clause.

Data Handling

1. Definitions

1.1.        “Authorized Persons” means Team Cymru’s employees, officers, partners, principals, contractors, sub-contractors, Sub-processors, or other agents who Process Client Data.

1.2.        “CCPA” means the California Consumer Privacy Act of 2018.

1.3.        “Controller” means the party that determines the purposes and means of the Processing of Client Data, and includes a “business” as defined in the CCPA. 

1.4.        “Data Protection Laws and Regulations” means all applicable laws which govern the use of Client Data, including the CCPA and the EU General Data Protection Regulation (“GDPR”), as amended or replaced from time to time, and any other foreign or domestic laws to the extent that they are applicable to a party in the course of its performance of the Master Agreement.

1.5.        “Client Data” means any information relating to a Data Subject that is Processed by Team Cymru on behalf of the Client.  For the purposes of products sold by Team Cymru, this is limited to user credentials and query terms. 

1.6.        “Processor” means the party which Processes Client Data on behalf of the Controller, and includes a “service provider” as defined in the CCPA.

1.7.        “Regulator” means any entity which has jurisdiction to enforce Client’s and Team Cymru’s compliance with the Data Protection Laws and Regulations.

1.8.        “Risk Assessments” means third-party assessments, test results, audits or reviews such as ISO27001, SSAE 16, SOC I, II, and II, SysTrust, Web Trust, or perimeter certifications.

1.9.        “Security Incident” means any suspected or known unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of Client Data.

1.10.     Terms such as “Data Subject”, “Processing” (and “Process”), “Controller”, “Processor” and “Supervisory Authority” shall have the meaning ascribed to them in the Data Protection Laws and Regulations.  Terms such as “Sell”, “Deidentify”, and “Aggregate” shall have the meaning ascribed to them in the Data Protection Laws and Regulations.

1.11.     “Team Cymru Parties” means Team Cymru, Team Cymru employees, sub-processors (i.e., any person or entity, including any Team Cymru affiliate, engaged by Team Cymru in connection with performing the Services), and agents. 

1.12.     “Team Cymru System” means all hardware, software, networks, platforms, databases, computers, and other information technology systems and processes that are owned, controlled or operated by or on behalf of Team Cymru.

1.13.     “Personal Data” does not include any information for which Team Cymru cannot, directly or indirectly, reasonably identify, relate to, or describe a Data Subject and which Team Cymru does not associate with or link to a Data Subject.

2. Roles of the Parties

2.1.        The Parties acknowledge and agree that Team Cymru will Process the Client Data in the capacity of a Processor, and that Client will be the Controller of the Client Data.

3. Obligations of the Controller

3.1.        Instructions.  Client shall use reasonable efforts to provide instructions to Team Cymru pursuant to this DPA that comply with Data Protection Laws and Regulations.

3.2.        Data Subject and Supervisory Authority Requests.  Subject to Team Cymru complying with its obligation under Section 4 below, Client shall be responsible for communications in relation to all requests made by Data Subjects under Data Protection Laws and Regulations and all communications from Regulators that relate to the Client Data, in accordance with Data Protection Laws and Regulations.

4. Obligations of the Processor

4.1. Compliance with Data Protection Laws and Regulations.  Team Cymru shall at all times comply with Data Protection Laws and Regulations when Processing Client Data.  Team Cymru represents and warrants that nothing in Data Protection Laws and Regulations prevents it performing its obligations as described in the DPA.  Team Cymru shall immediately notify Client if Team Cymru is subject to a formal inquiry or investigation by a Regulator.

4.2.        Scope of Processing.  Team Cymru shall only process the Client Data on documented instructions from Client, including with regard to transfers of Client Data to a third country or an international organization, and in such manner as is necessary for the provision of services under the Master Agreement, except as required to comply with a legal obligation to which Team Cymru is subject.  Team Cymru shall immediately inform Client if, in its opinion, the execution of an instruction could violate any Data Protection Laws or Regulations.  In the event Team Cymru must comply with a legal obligation, it will inform Client of that legal requirement before Processing, unless prohibited by the law.  Subject to Client’s written prior authorization, Team Cymru may convert Client Data into Aggregated or Deidentified Information, which it may use for statistical analysis, business reporting, and marketing purposes.

4.3.        Data Subject Requests.   If Team Cymru, directly or indirectly, receives a request from a Data Subject relating to Client Data (“Request”), Team Cymru will provide a copy of the Request to Client within two business days of receipt.  Team Cymru shall not further communicate with the Data Subject without the written permission of Client. Team Cymru will provide all necessary assistance at Client’s request to enable Client to respond to a Request.

4.4.        Regulator Requests.  Team Cymru will assist Client in addressing any communications and abiding by any advice or orders from the Regulator relating to the Client Data within the timeframe specified by the Regulator. 

4.5.        Law Enforcement Requests. Team Cymru shall have a policy or procedure in place describing how it processes a request for Client Data from law enforcement officials or intelligence/surveillance agencies and shall inform Client of any such request it receives before responding to such requests, unless prohibited by the law. This policy or procedure shall at a minimum restrict the disclosure of Client Data from the European Economic Area, Switzerland or the United Kingdom (“EEA Client Data”) unless Team Cymru is (a) legally compelled to do so; or (b) Team Cymru has ascertained that doing so is necessary and proportionate to a narrowly tailored investigation, after exploring in good faith requiring court orders, subpoenas, or search warrants to access such information.

4.6.        Retention.  Team Cymru will retain Client Data as directed by Client, or as required by applicable laws.  At the termination of this Agreement, or upon Client’s written request, Team Cymru will either destroy or return the Client Data to Client unless legal obligations require storage of Client Data.  If Team Cymru is legally required to store Client Data, then Team Cymru shall notify Client of the legal requirement in writing and Team Cymru will continue to safeguard the Client Data in accordance with this DPA.  Upon deletion, Team Cymru shall send Client a certification that all Client Data has been destroyed. 

4.7.        Disclosure to Third Parties.  Team Cymru will not disclose the Client Data to third parties except as permitted by this DPA or the Master Agreement or required by applicable law.  In the event Team Cymru is required to disclose the Client Data by applicable law, Team Cymru shall (to the extent permitted by law) notify Client in writing and liaise with Client before complying with such disclosure request.

4.8.        Confidentiality.  Team Cymru will treat all Client Data as strictly confidential. Team Cymru shall ensure that all Authorized Persons are aware of the confidential nature of Client Data and have signed a confidentiality agreement.  Team Cymru shall ensure that all Authorized Persons complete adequate and appropriate privacy and data security training prior to having access to Client Data. Team Cymru will ensure that Client Data is not exported, copied or saved to insecure storage locations, such as external unencrypted drives or insecure online storage.

4.9.        Security. 

(a)   Team Cymru shall implement and maintain organizational, physical, technical, and administrative safeguards for Client Data and Team Cymru’s Systems which are designed to ensure the integrity and reliability of such Client Data and Team Cymru Systems and to prevent Security Incidents in relation to the foregoing (the “Safeguards”). Such Safeguards shall be commensurate with the type and amount of Client Data Processed by Team Cymru and the nature of the Services, and shall, at a minimum, protect Client Data from reasonably anticipated hazards and ensure compliance with Data Protection Laws and Regulations.  Team Cymru represents that it has implemented and covenants that it shall maintain such Safeguards and a written information security program documenting such Safeguards. 

(b)   Team Cymru represents, warrants and covenants that:

(i)     Team Cymru Parties will Process Client Data solely to the extent necessary to provide the Services to Client, in accordance with the DPA and Data Protection Laws and Regulations;

(ii)    Team Cymru Parties will not directly or indirectly, Sell, rent, disclose, commercially exploit, or transfer any Client Data to any third party except as expressly authorized by Client;

(iii)  Team Cymru Parties will comply with all of Client’s requests regarding the Processing of Client Data, and will further comply with reasonable policies established by Client of which Client provides Team Cymru prior notice;

(iv)  Team Cymru Parties employ controls for software, including access controls and change management logs and systems;

(v)     All Client Data is encrypted (at minimum using 256-bit encryption) when transmitted wirelessly or over public networks, and as may otherwise be required under the Data Protection Laws and Regulations;

(vi)     The Safeguards include protections for physical plants and facilities, including contingency planning and redundancy;

(vii)   Team Cymru Parties will regularly scan and filter for Viruses;

(viii)   Team Cymru shall not provide any personal data to Client, except as necessary for Team Cymru to provide the Services;

(ix)  Team Cymru maintains an information security program that undergoes annual review and audit, consisting of a full complement of information security policies and procedures, vulnerability scanning and remediation, a business continuity plan, a risk assessment, employee training, quarterly phishing drills, incident response tabletop exercises, third-party vendor management, penetration testing, and internal and external audits.

4.10.     Changes.  The Safeguards required under this Agreement are subject to technical progress and further developments. Team Cymru shall be permitted to implement improved and upgraded measures upon prior written notice to Client.

4.11.     Regular Testing, Assessing and Evaluation.  Team Cymru shall implement a procedure for the regular testing, inspection, assessment and evaluation of the effectiveness of the technical and organizational measures in order to ensure the security of the processing and notify Client of any findings. 

4.12.     Cooperation.  Team Cymru shall reasonably cooperate with and assist Client in: (a) fulfilling its legal obligations; (b) formulating a correct response; and (c) taking suitable further steps in respect to any Security Incident, Data Subject request, or Regulator request.  If requested, Team Cymru shall provide reasonable assistance to Client in completing any privacy impact assessments and/or data protection impact assessment, and any consultations with government authorities, that Client considers necessary to comply with Data Protection Laws and Regulations.

5. Audit

5.1. Team Cymru shall provide Client with all certifications, Risk Assessments and third-party audits to confirm that Team Cymru has complied with its obligations under this DPA.  Team Cymru shall promptly correct any material risks or threats or non-conformance to industry practices identified through a Risk Assessment. Please refer to section 1.1.1.i above (‘Reporting topics’).

6. Contracting with Sub-Processors

6.1.        Consent. In the event Client provides written consent to Team Cymru to subcontract any of its activities under the Master Agreement to any Sub-processor, Team Cymru shall enter into a written contract where Sub-processor is bound by the same data protection obligations of Team Cymru under this DPA.  Team Cymru agrees to conduct an annual review of its Sub-processors to ensure such Sub-processors have in place proper organizational and technical safeguards to ensure the protection of Client Data.

6.2. Sub-processors List. Upon request, Team Cymru shall make available to Client an updated list of Sub-processors with the identities of those Sub-processors, their services, their country of location, and the legal transfer mechanism in place in relation to the transfers of EEA Client Data.

6.3.        Objection. Team Cymru shall not transfer Client Data to a new Sub-processor without providing prior written notice to Client.  Client may object to Team Cymru’s use of a new Sub-processor by notifying Team Cymru in writing within twenty-one (21) business days after receipt of such notice.  In the event Client objects to a new Sub-processor, as permitted in the preceding sentence, Team Cymru will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client within a reasonable period of time.

6.4.        Termination.  If Team Cymru is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Client may terminate the Master Agreement, by providing written notice to Team Cymru.  Client may elect to suspend or terminate the Master Agreement without penalty, and receive a prorated refund of any prepaid fees for the period following such termination.  In such case, Team Cymru must assist Client in deleting all Client Data from Team Cymru in an externally-readable format at no charge to Client.

6.5.        Liability.  Team Cymru will be liable for the acts and omissions of its Sub-processors to the same extent that Team Cymru would be liable if performing the services of each Sub-processor directly under the terms of this DPA.

7.     Client Data Transfers

7.1.        Written Consent.  Team Cymru shall not transfer, or participate in any transfer of, Client Data from any jurisdiction to any other jurisdiction without the prior written consent of Client. 

7.2.        Standard Contractual Clauses (SCC). The Parties agree that the SCC (as evidenced by each party’s authorized signature on the DPA) will apply to EEA Client Data that is transferred from Client to Team Cymru, either directly from the EEA or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described by the GDPR). In the event that any provision of the Standard Contractual Clauses is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of the Standard Contractual Clauses and the terms of this Addendum shall remain operative and binding on the parties. If, after the effective date of this DPA, the European Commission issues new SCCs for Controller to Processor contracts, the Parties agree, as evidenced by their signatures on this DPA, that the new SCCs will apply to any EEA Client Data. Such action will not invalidate or render this DPA unenforceable.

8.     Information Obligations and Incident Management

8.1.        Notification.  Team Cymru shall notify Client immediately, and in any event no later than 24 hours after becoming aware of a Security Incident involving Team Cymru or its Sub-processors, at security@<clientname>.com or such other address as Client may specify in writing.

8.2.        Security Incident.  Team Cymru’s notification, to the extent known, shall include: (a) the nature of the Security Incident; (b) the date and time upon which the Security Incident took place and was discovered; (c) the number of Data Subjects affected by the Security Incident; (d) the categories of Client Data involved; (e) the measures that were taken to address the incident, including measures to mitigate the possible adverse effects; (f) whether such proposed measures would result in a disproportionate effort given the nature of the incident; (g) the name and contact details of the data protection officer or other contact; and (h) a description of the likely consequences of the Security Incident.  Team Cymru shall take all appropriate corrective action, at Team Cymru’s sole cost and expense, to prevent a recurrence of such Security Incident.

8.3.        Cooperation. Team Cymru shall provide Client with all such timely information and cooperation as Client may require so that it may fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Data Protection Laws and Regulations.   Client alone may notify any public authority.  Team Cymru shall refrain from making public announcements regarding such Security Incident without Client’s prior written approval. Team Cymru shall provide Client with a complete report of any penetration testing performed as a result of the Security Incident as well as remediation timelines. If Team Cymru does not perform a penetration test subsequent to the Security Incident, Client shall have the right to perform an immediate audit on Team Cymru’s impacted systems. This may be done in addition to audits provided for under Section 5.2 of this Agreement.

8.4.        Remediation. Upon Client’s request and pursuant to Client’s instructions, Team Cymru shall assist with or perform all remediation efforts required by Data Protection Laws and Regulations or that have been required by any governmental authority in similar circumstances, regardless of whether Data Protection Laws and Regulations explicitly impose such remediation obligations.  Remediation efforts may include without limitation (a) notifying individuals whose Client Data may have been affected; (b) establishing websites and toll-free telephone number(s) for affected individuals to receive assistance; (c) provision of free credit reports, credit monitoring and repair, and identity restoration products and insurance products for affected individuals; (d) reimbursement for the costs of placing a freeze on a consumer credit file and likewise for the costs of unfreezing the same consumer credit file; (e) investigation and resolution of the causes and impacts of the Security Incident; and (f) such other measures that Client determines are reasonable in light of the severity of the Security Incident (collectively, “Remediation Measures”).  Team Cymru shall be solely responsible for the costs and expenses of all Remediation Measures.

9.     Environmental, Social and Governance (ESG)

9.1.        Team Cymru complies with the Environmental, Social and Governance (ESG) Policy of the Audax Private Equity Group as detailed here: https://www.audaxprivateequity.com/system/uploads/fae/file/asset/242/Audax_Group_ESG_Policy.pdf and here: https://www.audaxgroup.com/citizenship

SECURITY RISK AND DUE DILIGENCE

Security Policies

Team Cymru has a security policy demonstrating that it is committed to implementing an effective information security framework.

Team Cymru validates that the security policy is fully implemented within its organization.

Team Cymru’s security policies and management are compliant with ISO/IEC 27001:2013 and undergo annual third-party audits.

Team Cymru’s security policies and management are compliant with NIST SP 800-171 and undergo annual self-assessments.

Team Cymru has a department responsible for and dedicated to security management.

Team Cymru has sufficient resources and facilities to ensure security of information.

Team Cymru has an effective system of recruiting and vetting personnel and training personnel in relation to security responsibilities and disclosure of information.

Team Cymru’s staff and contractors must be bound to maintain the confidentiality of all appropriate data including Client Data and Personal Data pursuant to executed confidentiality agreements. Team Cymru’s Suppliers or sub-processors must be bound by confidentiality provisions at least as protective as those confidentiality obligations executed by Team Cymru with Client.

Team Cymru has confidentiality policies in place to support implementation and enforcement of these obligations.

Team Cymru requires data privacy training for all personnel, including those who have access to Personal Data. Team Cymru conducts such training at least annually.

Team Cymru has a procedure for authenticating intended recipients of information prior to disclosure.

Team Cymru has a procedure for authorizing and securing temporary removal of Personal Data to temporary storage.

All Team Cymru systems undergo vulnerability scans at least monthly and are subject to a formal remediation process.

Access Controls

Team Cymru shall maintain an access control policy and associated processes governing access to its systems to ensure compliance with the following:

• Identification and authentication of individuals who access systems,

• Systems accessibility through authorization credentials,

• Authentication mechanisms designed to protect user accounts from known attack methods and the prevention of unauthorized access,

• Role-based account privileges for accounts that access confidential data,

• Password management policies and controls that require Team Cymru personnel with authorization to systems to keep passwords, keycodes, lock combinations, or other access credentials secret and to lock systems, workstations or programs when unattended.

Secure System Development Lifecycle

Team Cymru has a secure software development process that ensures at a minimum that the OWASP Top 10 and OWASP Mobile Top 10 are addressed.

Team Cymru has a change management process in place that requires all changes to be approved and tested prior to any change in production. The change management process must include roll back procedures.

Team Cymru has adequate segregation of duties to prevent developers from making unauthorized changes to production.

Team Cymru has an isolated development environment.

Team Cymru products undergo annual third-party penetration tests.

Quality Assurance

All features and changes go through a quality assurance process with automated and manual testing. Test harnesses are updated with any additional tests, metrics, and monitoring as needed.

Handling Security Incidents

Team Cymru has effective safeguards protecting the confidentiality, integrity, and availability of data and systems.

Team Cymru has a procedure for authenticating the intended recipients of information prior to disclosure.

Team Cymru has a policy requiring all staff and system users to recognize and report security incidents to the nominated security officer.

Team Cymru has procedures to manage and mitigate the risk arising from such incidents.

Team Cymru has an incident response procedure to ensure security incidents are investigated and resolved, including lessons learned. This procedure and the team’s incident response performance are tested in annual tabletop exercises.

HEALTH AND SAFETY

Team Cymru is committed to providing its employees with a safe and healthy place of work. Team Cymru policy requires any accident at work or on work-related travel, however small, to be reported to management and HR immediately. The HR team can also assist with the submission of a claim on the Team Cymru workers’ compensation insurance policy.

Team Cymru provides a workers’ compensation insurance program or the equivalent at no cost to employees. This program or the equivalent covers any injury or illness sustained in the course of employment that requires medical, surgical, or hospital treatment. The employee has a right under applicable law and Company policy to apply for workers’ compensation benefits or the equivalent. Subject to applicable legal requirements, workers’ compensation insurance or the equivalent provides benefits after a short waiting period or, if the employee is hospitalized, immediately.

Employees who sustain work-related injuries or illnesses must inform their supervisors immediately, regardless of how minor an on-the-job injury may appear. This will enable an eligible employee to qualify for coverage as quickly as possible. Failure to report a work-related injury or accident may result in disciplinary action, up to and including discharge.

Team Cymru will not retaliate against any employee who attempts to make, or makes, a good faith claim for workers’ compensation benefits or the equivalent.