Data & Network Security Schedule (V10 September 2019)

This global Data & Network Security Schedule (“DNSS”) and its Addenda form part of the Agreement or Purchase Order. Capitalized terms not specifically defined herein shall have the meaning set forth in the Agreement. This DNSS shall be considered a Schedule under the Agreement and shall be deemed a part of the Agreement by and between [insert MICRO FOCUS company/entity] (“MICRO FOCUS”), a [insert country] corporation, having a principal place of business at [insert address] and [insert Supplier Name] (“Supplier”).

1. PURPOSE OF THE DNSS & ORDER OF PRECEDENCE.

1.1 Purpose of the DNSS. The purpose of the DNSS is to establish:

1.1.1 Supplier’s obligations in relation to the use and Processing of Data;

1.1.2 Minimum data security standards applicable to the Services or Products provided by Supplier; and

1.1.3 Minimum security standards to be met by Supplier in relation to the Processing of Data and access to MICRO FOCUS Information Systems.

1.2 Order of Precedence. Nothing in this DNSS relieves Supplier of any obligations under the Agreement, nor shall be deemed a waiver by MICRO FOCUS of any rights or remedies therein. In the event any term or condition in this DNSS conflicts with a term or condition of any Agreement with Supplier, then the term or condition of this DNSS shall take precedence and control over any conflicting terms in the Agreement.

1.3 Addenda to the DNSS:

Addendum 1 - Minimum Information Security Requirements
Addendum 2 - Privacy
- Appendix 1 Standard Contractual Clauses for Processors
- Appendix 2 HIPAA
- Appendix 3 German Commissioned Data Processing Agreement

2. DEFINITIONS.

2.1 “Agreement” means any terms and conditions under which Supplier will provide Services or Products to MICRO FOCUS, as requested from time to time, and as may further be described in Addendums that may be attached.

2.2 “Applicable Laws” means applicable local, state, and federal laws, executive orders, rules, regulations, ordinances, codes, orders, and decrees of all governments or agencies of domestic or foreign jurisdictions (including privacy laws) in which services are performed or to which services are performed pursuant to the Agreement.

2.3 “Agent/Subcontractor Agreement/Business Associate Agreement” or “ASA/BAA” means the agent/subcontractor agreement or business associate agreement required by MICRO FOCUS in relation to protected health information as defined under HIPAA.

2.4 “Customer” means an enterprise customer of MICRO FOCUS or its Affiliates.

2.5 “Confidential Data” means all non-public proprietary or confidential information of MICRO FOCUS or a third party (including a Customer) which is obtained by or made available to Supplier in connection with the Services, whether in oral, visual, written, electronic or other tangible or intangible form, whether or not marked or designated as “confidential” and including, without limitation, information relating to strategy, MICRO FOCUS financials, analytical reports, pricing, internal processes or policies; provided, however, that Confidential Information does not include any information that: (a) is obtained by Supplier on a non-confidential basis from a third party that was not legally or contractually restricted from disclosing such information; (b) was in Supplier’s possession prior to MICRO FOCUS’ disclosure hereunder; or (c) was or is independently developed by Supplier without using any Confidential Information.

2.6 “Data” means Confidential Data, MICRO FOCUS Personal Data and all other non-public data Processed by Supplier through the MICRO FOCUS Information Systems or provided to or accessed by Supplier in connection with the Services.

2.7 “Information Security Assessment” means a review of systems used to support MICRO FOCUS by an individual or individuals who are knowledgeable in the security assessment of software. Qualified individuals have proven these skills through obtaining their Offensive Security Certified Professional (OSCP) certification or through a combination of years of experience and Common Vulnerabilities and Exposures (CVE) credits as approved by MICRO FOCUS.

2.8 “Sensitive Personal Data” means any information (a) relating to a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life (or as otherwise defined by applicable Privacy Law); (b) which may facilitate identity theft; (c) which may permit access to an individual’s financial account; (d) which requires notification under any data breach notification law if compromised; and (e) Social Security Number (SSN) or National ID number, driver's license number, credit or debit card information or other payment card information, bank account or other financial information, health care, insurance or payment information.

2.9 “HIPAA” means the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d – 1320d-8.

2.10 “MICRO FOCUS Personal Data” means any Personal Data, including Sensitive Personal Data of which MICRO FOCUS, its affiliates or Customers is the Controller (as defined in Addendum 4 to the DNSS) which MICRO FOCUS or its Affiliates will provide to Supplier for Processing on its or their behalf.

2.11 “Information Systems” means any systems, including, but not limited to, net-services, networks, computers, personal computing device, mobile devices, removable media, communication systems and other information systems used and all associated authentication methodologies.

2.12 “Network Connection” means a connectivity method into MICRO FOCUS Information Systems which is approved by MICRO FOCUS.

2.13 “Personal Data” means any information relating to an identified or identifiable living individual (such as name, mailing address, phone number or email address) or as otherwise defined by applicable Privacy Law.

2.14 “Payment Card” means any payment card/device that bears the logo of the founding members of the PCI DSS, which are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, or Visa, Inc., including, but not limited to, credit cards, debit cards and gift cards.

2.15 “Payment Card Industry Security Standards Council” or “PCI-SSC” is the consortium of the major credit card companies that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

2.16 “Process”, “Processing”, or “Processed” means any operation or set of operations which is performed whether or not by automatic means (including, without limitation, accessing, collecting, recording, organizing, retaining, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Data) and any equivalent definitions in Applicable Laws to the extent that such definitions should exceed this definition.

2.17 “Product” or “Products” means any software, code, or logic bearing component (including, but not limited to, applications, mobile applications, websites, i-frames, pixel tags, operating system software, BIOS and firmware, middleware, software development kits, compiled binaries, source code, open source, processors, memory card, or storage capable components).

2.18 “Security Breach” means an actual or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, exfiltration, alteration or unauthorized disclosure of, or access to, Data, Information Systems, Product or Service.

2.19 “Service” or “Services” means the services to be provided by Supplier pursuant to this Agreement, as further described in a Statement of Work.

2.20 “Supplier” includes any third party who Processes Data, or provides a Service or Product in the fulfilment of Supplier obligations under the Agreement.

2.21 “Supplier’s Facilities” means the facilities in or from which Supplier or its agents, employees or subcontractors Processes Data.

3. ACCESS, USE, AND DISCLOSURE.

3.1 Supplier shall only Process Data and access Information Systems to the extent and manner necessary to provide the Services, in accordance with MICRO FOCUS’ instructions as set out in this Agreement or as otherwise authorized by MICRO FOCUS in writing.

3.2 Supplier shall comply with the obligations set out in Addendum 4 (Privacy) in relation to the Processing of MICRO FOCUS Personal Data.

3.3 Any access to or use of MICRO FOCUS Information Systems or Processing of Data by or on behalf of Supplier for any other purpose shall be deemed a material breach of the Agreement by Supplier.

3.4 Supplier shall not sell, rent, transfer, distribute, disclose, copy, alter, or remove MICRO FOCUS Data, MICRO FOCUS Information System, or Product unless authorized in writing by MICRO FOCUS.

3.5 In the event of any change to the scope of the Services, Products or Data made available to Supplier, the parties shall review the DNSS and consider any amendments required by either party as a consequence of the change in scope.

4. SECURITY REQUIREMENTS.

4.1 Supplier shall:

4.1.1 Ensure all Processing of Data and provisioning of Services and Products complies with all Applicable Laws. Supplier shall ensure that, where required, Supplier has made the appropriate legal notifications, filings, and registrations and obtained the appropriate permits, as required by Applicable Laws. If Supplier cannot Process the Data or provide Services or Products in accordance with such Applicable Laws and this DNSS, or believes that MICRO FOCUS instructions violate Applicable Laws, then Supplier shall immediately notify MICRO FOCUS in writing.

4.1.2 Meet or exceed physical, technical, and administrative safeguards as identified in this DNSS and any of its Addenda, including the HIPAA BAA/ASA (Annex 2 to Addendum 4), to ensure that MICRO FOCUS Data, Product and Services are protected against Security Breach.

4.1.3 Impose on Supplier subcontractors the same obligations imposed on Supplier under the Agreement and this DNSS for the protection of Data, Services, and Products. Supplier shall be responsible for the acts and omissions of its Subcontractors including such actions resulting in a breach of this Agreement.

4.1.4 Designate in writing a primary and alternate information security program manager to act as Supplier’s contact.

(a) Primary (Name, Title, email): __________________________

(b) Alternate (Name, Title, email): _________________________

4.1.5 Develop, implement and maintain a comprehensive information security program with information security industry standard safeguards in place to define roles and responsibilities, protect Data and to provide Services or Products which comply with the contractual obligations set out in this DNSS and the Agreement. Supplier shall ensure that such information security program is documented, available, and communicated to Supplier employees and subcontractors.

4.1.6 Provide (a) appropriate training in relation to the handling and protection of Personal Data; and (b) annual training regarding compliance with physical, technical, and administrative information security safeguards and compliance with this DNSS to Supplier employees and subcontractors.

4.1.7 Regularly, no less frequently than annually, test and monitor the effectiveness of Supplier’s and Supplier subcontractor’s security program relating to Data, Services and Product to ensure compliance with the security requirements of the Agreement, this DNSS and Applicable Laws. Supplier shall adjust and strengthen its information security program based on the results of such testing and monitoring, as well as in response to operational changes that may have a material effect on Supplier’s information security program.

4.2 Supplier Personnel Security. Supplier shall:

4.2.1 Ensure that criminal background checks and drug screenings, consistent with Applicable Laws, are conducted for all employees and subcontractors who provide Product or Services or Process Data.

4.2.2 Perform criminal background checks which must include all cities, counties, states and federal jurisdictions (or equivalent) where the employee or subcontractor resided or worked for the past seven (7) years. Both felony and misdemeanor records must be checked.

4.2.3 Within the scope of the background check, not assign any person to perform work under the Agreement who has been convicted of a computer, violent, property, fraud, or financial crime which should reasonably preclude the individual from performing the assigned work.

4.2.4 Agree to the MICRO FOCUS Drug Testing and Background Check Addendum if any employee, agent or subcontractor of the Supplier is expected to or does perform work under the Agreement at any MICRO FOCUS site or on behalf of MICRO FOCUS at a customer site for 30 or more days during any given 12-month period, subject to Applicable Laws.

5. DATA, SERVICE AND PRODUCT SECURITY REQUIREMENTS.

5.1 Mobile Device Security. If Supplier is using mobile devices to support or provide Services to MICRO FOCUS, Supplier shall:

5.1.1 Implement a policy that prohibits the use of any mobile and portable devices that are not administered and/or managed by Supplier.

5.1.2 As defined in Addendum 1, section 4, use encryption to protect all Data stored on, transmitted by, or remotely accessed by mobile and portable devices.

5.1.3 When using network-aware mobile and portable devices that are not laptop computers to access and/or store Data, such devices must:

(a) Apply remote wipe capabilities;
(b) Promptly initiate deletion of all Data when the device is lost or stolen; and
(c) Automatically delete all stored Data after a reasonable number, not to exceed ten (10), consecutive failed login attempts.

5.2 Call Recording Data. If Supplier is Processing call recordings, then this section shall apply.

5.2.1 Supplier shall not enable, activate, nor make operational any call recording capabilities for Data collected and processed on behalf of MICRO FOCUS unless approved by MICRO FOCUS in writing.

5.2.2 Supplier shall notify the other party that Supplier is recording the conversation (“Recording Notice”) and include the ability to disable inbound and outbound call recordings if so requested.

5.2.3 Recording Notice shall comply with Applicable Laws and must include the clear and specific purpose of the recording such as quality monitoring, workforce management, agent and customer service representative training, evaluation and verification, dispute resolution or accurate incident reconstruction.

5.2.4 Permission must be obtained from MICRO FOCUS in writing for 50% or greater recording of Call Recording Data.

5.2.5 If Supplier intends to use call recordings for Supplier’s internal training purposes, Supplier shall redact all Personal Data.

5.2.6 Call recordings must be promptly deleted after Supplier satisfies the specific purpose stated in the Recording Notice, which must in no case be longer than 90 calendar days after the original recording was made, unless otherwise authorized by MICRO FOCUS in writing.

5.2.7 Call recordings must be protected in accordance with this DNSS and the Agreement.

5.3 Cloud, XaaS, ASP or other Hosting Services. If Supplier will be hosting or providing a MICRO FOCUS customer or MICRO FOCUS employee-facing solution/service/website (“Solution”), this section shall apply.

5.3.1 For any MICRO FOCUS customer or MICRO FOCUS employee-facing Solution hosted on behalf of MICRO FOCUS, but not MICRO FOCUS branded, Supplier shall (a) clearly and conspicuously communicate to users that Supplier is the Solution provider; and (b) clearly and conspicuously communicate Supplier’s privacy policy to the users. If the Solution is co-branded, both companies’ privacy policies must be clearly and conspicuously posted.

5.3.2 Prominently notify users if their Data will be hosted or Processed outside the country of origin, as required by Applicable Law.

5.3.3 Provide appropriate controls to maintain logical data segregation of Data from Supplier’s other customer data. It must not be possible for data to be disclosed to other parties, nor should Supplier personnel with direct access to Data have cross-customer access with MICRO FOCUS competitors.

5.3.4 For any internet-accessible application requiring MICRO FOCUS user access, Supplier shall accept and implement SAMLv2 MICRO FOCUS assertions.

5.3.5 Ensure Solution is routinely scanned for viruses.

5.3.6 Ensure the Solution is free of common web application security vulnerabilities as defined by, but not limited to, the OWASP Top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

5.3.7 Any vulnerability findings discovered by either MICRO FOCUS or Supplier will be addressed in a mutually agreed upon Remediation Plan and Supplier shall comply with, and complete, such Remediation Plan within a mutually agreeable timeframe set forth therein.

5.3.8 Must not reference hosted third-party code such as JavaScript without the provider of the code falling under Supplier control via contract to ensure compliance with the security controls outlined in this DNSS.

5.4 Processing Payment Cards. If Supplier will be Processing Payment Card Data, then this section shall apply. All capitalized terms used in this section 5.7, but not defined in this DNSS shall have the meaning ascribed to them in PCI SSC DSS.

5.4.1 Supplier shall comply with the current Payment Card Industry Security Standards Council Data Security Standards ("PCI SSC DSS").

(a) Prior to commencement of Services and annually thereafter, Supplier shall provide (i) a copy of the executive summary from the current Report on Compliance (“RoC”) or a letter of attestation signed by a PCI SSC certified QSA describing the scope and Services assessed; and (ii) an Attestation of Compliance (“AoC”) signed by a PCI SSC certified QSA.

(b) PCI compliance artifacts as described in this section 5.7 shall be submitted to MICRO FOCUS via encrypted email.

5.4.2 Upon completion of the services under any Statement of Work or termination of the Agreement, Supplier will promptly remove all Payment Card Data from Supplier’s Information Systems in accordance with the required process under PCI SSC DSS or other applicable standard no later than the earlier of 90 days from termination of the services.

5.4.3 Supplier will notify MICRO FOCUS immediately if at any time Supplier is not in compliance with PCI SSC DSS and if at any time Supplier knows of any third party claim regarding PCI SSC DSS compliance.

6. INFORMATION SECURITY ASSESSMENTS

6.1 Information Security Assessments. MICRO FOCUS, or a third party chosen by MICRO FOCUS, may perform a security assessment (“Information Security Assessment”) of Supplier’s Information Systems, Services, Solutions and Products. Supplier will work cooperatively with MICRO FOCUS to determine whether additional or different security measures are required to protect the Data, Services or Product. Any Information Security Assessment performed by MICRO FOCUS shall be subject to the limitations identified in section 6.3 of this DNSS.

6.1.1 MICRO FOCUS may perform an Information Security Assessment:

(a) Prior to Supplier providing service to MICRO FOCUS (“Pre-service Assessment”);

(b) Annually or upon termination/expiration of the Agreement, upon at least 10 calendar days advance written notice from MICRO FOCUS (“Routine Compliance Assessment”); and

(c) In the event of a Security Breach and upon one calendar day prior written notice. MICRO FOCUS reserves the right to be a participant in, and Supplier shall cooperate with such participation in, any Security Breach investigations involving Data, including MICRO FOCUS’ review of forensic data relating to the Security Breach.

6.1.2 Supplier shall promptly disclose to MICRO FOCUS all relevant information requested by MICRO FOCUS in order to allow MICRO FOCUS to complete a security risk assessment. Supplier shall permit MICRO FOCUS to perform an Information Security Assessment using industry standard tools and manual techniques. The results of the Information Security Assessment shall be treated as both Confidential Data and confidential data of the Supplier.

6.1.3 During an Information Security Assessment, MICRO FOCUS, or a third party selected by MICRO FOCUS, may (a) inspect Supplier’s Facilities where Data is Processed, Services are performed, or Product is developed, and (b) view copies or extracts of Supplier’s records and processes resulting from Supplier’s fulfilment of the requirements of the Agreement, including this DNSS. MICRO FOCUS reserves the right to perform an Information Security Assessment by any of the following methods: onsite inspection, questionnaires with requests for supporting documentation, technical testing, conference calls, or a combination of such methods.

6.1.4 If MICRO FOCUS reasonably determines that any portion of the Information Security Assessment must be performed at Supplier’s Facilities, the assessment will be performed (a) not more frequently than once per calendar year (unless there has been a Security Breach), (b) at MICRO FOCUS’ expense for travel and per diem, (c) on a date and time mutually agreeable to Supplier and MICRO FOCUS, and (d) pursuant to any other restrictions and/or limitations mutually agreed to by MICRO FOCUS and Supplier in writing.

6.2 Vulnerability Assessment and Scanning. MICRO FOCUS may perform periodic vulnerability assessments using industry standard tools and processes including penetration testing and review by individuals and teams who are chartered with such review to assess the security of Supplier, Services, and Product (“Vulnerability Scanning”).

6.2.1 Assessment results shall be communicated to Supplier and treated as both Confidential Data and confidential data of Supplier.

6.2.2 Authorized MICRO FOCUS cyber security professional(s) may work with Supplier to identify and validate review and scan findings on production and test systems.

6.2.3 If Supplier utilizes a third party co-location facility in support of Services, Supplier shall be responsible for (a) informing such third party of MICRO FOCUS’ rights and (b) ensuring Supplier has written authorization from such third party allowing MICRO FOCUS to conduct Vulnerability Assessment and Scanning.

6.2.4 The Vulnerability Assessment process includes background research using publicly available information.

6.3 Scope of Information Security Assessments and Vulnerability Scanning. Information Security Assessments, and Vulnerability Scanning shall not entitle MICRO FOCUS to view, or in any way access records and/or processes:

6.3.1 Not directly related to Data Processed or Services provided by Supplier to MICRO FOCUS;

6.3.2 In violation of Applicable Laws; and/or

6.3.3 In violation of Supplier’s confidentiality obligations owed to a third party that Supplier makes MICRO FOCUS aware of in writing.

6.4 Remediation Plan. Any findings during an Information Security Assessment will be addressed in a mutually agreed upon remediation plan and Supplier shall comply with, and complete, such remediation plan within a mutually agreeable timeframe set forth therein (“Remediation Plan”).

7. NOTIFICATION.

7.1 All Notifications, whether related to Security Breach, Inquiry, or DNSS non-compliance, shall be made to MICRO FOCUS Cyber Defense Center via (a) email at [email protected] and (b) telephonically to 9-1-806-151-5713 or 9-1-806-151-5714.

7.2 Notification of Security Breach. In the event that Supplier experiences or reasonably suspects a Security Breach affecting Data, Services or Products, Supplier shall use commercially reasonable efforts to provide MICRO FOCUS with Notification within 12 hours after Supplier becomes aware of the Security Breach.

7.3 Notification of Inquiry. Except where expressly prohibited by Applicable Laws, Supplier shall, prior to any disclosure, notify MICRO FOCUS of any claim or information request received from a judicial, governmental authority, Customer or MICRO FOCUS employee, that it receives (each, for purposes of this DNSS an “Inquiry”) to allow MICRO FOCUS to object and intervene.

7.3.1 In the event Supplier is expressly prohibited by law from notifying MICRO FOCUS, Supplier shall formally request the inquirer to seek the Data directly from the Data Controller.

7.3.2 Notification of an Inquiry to MICRO FOCUS shall include a copy of the request and any supporting details. Supplier shall use commercially reasonable efforts to provide MICRO FOCUS with notification within 12 hours after Supplier becomes aware of an Inquiry.

7.4 Within 5 business days of receipt, Supplier shall promptly provide MICRO FOCUS with such information and assistance, at no additional cost to MICRO FOCUS, as is required by any court of competent jurisdiction or national regulatory authority, or as is required to timely respond to or otherwise address any Inquiry, access request, complaint, enforcement notice, claim or similar action raised.

8. NETWORK CONNECTIVITY & NETWORK SECURITY.

If Supplier is (1) utilizing a remote Network Connection or (2) utilizing a Network Connection at a MICRO FOCUS Facility to Process Data or provide Services, this section shall apply.

8.1 Supplier’s Use of Network Connection.

8.1.1 Network Connection, duration of connection and mechanism to transmit Data between Supplier and MICRO FOCUS shall be through MICRO FOCUS IT approved secure solution.

8.1.2 Supplier may only use the Network Connection for the business purposes as authorized by MICRO FOCUS.

8.1.3 Supplier will allow only Supplier’s employees who are approved in advance by MICRO FOCUS (“Authorized Supplier Employees”) to authenticate and access MICRO FOCUS Information Systems or MICRO FOCUS Owned Equipment.

8.1.4 Supplier shall be solely responsible for ensuring that Authorized Supplier Employees are not security risks, and upon MICRO FOCUS’ request, Supplier will provide MICRO FOCUS with any information reasonably necessary for MICRO FOCUS to evaluate security issues relating to any Authorized Supplier Employee.

8.1.5 Supplier will promptly notify MICRO FOCUS whenever any Authorized Supplier Employee no longer requires access to MICRO FOCUS Information Systems or MICRO FOCUS Owned Equipment.

8.2 Use of MICRO FOCUS Owned Equipment at Supplier Facilities.

8.2.1 MICRO FOCUS may, at MICRO FOCUS’ sole discretion, loan to Supplier equipment or software for use in Supplier Facilities (“MICRO FOCUS Owned Equipment”) under the terms of a MICRO FOCUS Equipment Loan Agreement. MICRO FOCUS Owned Equipment will be used solely by Supplier at Supplier’s Facilities and for the purposes set forth in the Agreement or a MICRO FOCUS Equipment Loan Agreement.

8.2.2 Supplier may not modify the configuration of the MICRO FOCUS-Owned Equipment unless otherwise set forth in the Agreement or MICRO FOCUS Equipment Loan Agreement.

8.3 Use of Supplier-Owned Equipment at MICRO FOCUS Facilities. MICRO FOCUS may, at MICRO FOCUS’ sole discretion, authorize Supplier to utilize Supplier-owned equipment in MICRO FOCUS Facilities. Supplier-owned equipment must conform to the applicable security standards set forth in this DNSS.

8.4 Security of MICRO FOCUS Network. Supplier shall ensure its use of the Network Connection (and Supplier’s use of MICRO FOCUS-Owned Equipment) is secure and is used only for authorized purposes, and that MICRO FOCUS Data and Information Systems are protected against improper access, use, loss, alteration, or destruction.

9. DATA RETENTION.

9.1 During Agreement Term and Termination.

9.1.1 Supplier shall retain Data over the term of the Agreement unless otherwise agreed to with MICRO FOCUS. If Supplier cannot retain the Data, Supplier will regularly provide such Data to MICRO FOCUS for MICRO FOCUS to retain.

9.1.2 Supplier shall provide MICRO FOCUS with a means to access and manage Data and, where it is not possible for MICRO FOCUS to do so itself, provide MICRO FOCUS with a copy of all Data held by it in the format and on the media reasonably specified by MICRO FOCUS, or update, correct or delete Data on MICRO FOCUS’ request.

9.1.3 Unless otherwise agreed to by MICRO FOCUS and Supplier in writing, in a manner consistent with Applicable Laws, Supplier shall either (a) destroy all Data, including, without limitation, any and all copies and derivatives thereof, no later than 90 calendar days after the termination or expiration of the Agreement or portion thereof; or (b) return all Data in an agreed upon format to MICRO FOCUS or MICRO FOCUS’ designated recipient no later than 30 calendar days after the termination or expiration of the Agreement or portion thereof.

9.1.4 If Supplier is unable to return or destroy the Data under Applicable Laws, Supplier shall (a) notify MICRO FOCUS, (b) cease actively Processing the retained MICRO FOCUS Personal Data, and (c) implement security measures to protect the retained Data.

9.1.5 Supplier may retain limited transactional data to meet legal or business requirements.

9.1.6 Upon request by MICRO FOCUS, Supplier will provide MICRO FOCUS with a certificate or attestation of return or destruction in accordance with Addendum 1, section 4.3.

9.1.7 If MICRO FOCUS reasonably suspects that Supplier has not adequately removed or returned Data, MICRO FOCUS or a third party selected by MICRO FOCUS may audit Supplier. If the audit identifies Supplier’s unauthorized retention of Data, then Supplier shall reimburse MICRO FOCUS for the cost of the audit.

9.1.8 Data Placed on ‘Legal Hold’. Supplier will not block, erase or dispose of any Data which Supplier has been notified it must retain in response to a MICRO FOCUS “Legal Hold”. In the event that Supplier believes it is legally required to destroy Data on Legal Hold, Supplier must notify, consult and cooperate with MICRO FOCUS prior to any destruction. Supplier’s obligations to retain such “Legal Hold” Data shall not be limited by any agreed-to records or data retention policies or internal policies of Supplier. If Supplier cannot retain the “Legal Hold” Data, Supplier will provide the Data to MICRO FOCUS for MICRO FOCUS to retain.

10. REQUIRED USE OF CRYPTOGRAPHY.

10.1 All Data transmitted by Supplier over any unsecure network or wirelessly (including but not limited to email, instant messaging and web traffic), stored on portable devices, removable media and in transit between Supplier’s facilities must be encrypted. Supplier shall at all times meet or exceed the Cryptography requirements outlined in Addendum 1 of this DNSS.

10.2 All MICRO FOCUS Data stored on Supplier’s and Supplier subcontractor’s Information Systems must be encrypted at rest.

11. DISASTER RECOVERY.

11.1 Supplier shall maintain a disaster recovery plan for restoring its current and offsite Data files Processed pursuant to the Agreement.

11.2 Supplier will be responsible for weekly backups and preservation of any Data Processed on behalf of MICRO FOCUS. All backup copies of Data shall be treated as Confidential Data.

11.3 Supplier will maintain a business continuity plan for restoring its critical business functions.

11.4 Upon request, Supplier will allow MICRO FOCUS to view the disaster recovery and business continuity plans.

ADDENDUM 1 to the DNSS

MINIMUM INFORMATION SECURITY REQUIREMENTS

This Addendum 1 forms part of the DNSS. Capitalized terms not specifically defined herein shall have the meaning set out in the Agreement.

This Addendum 1 to the DNSS sets forth minimum information security requirements for Supplier’s Information Systems as required by MICRO FOCUS. Supplier shall either meet or exceed these requirements at all times.

In the technical control sections of this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in RFC 2119 (https://www.ietf.org/rfc/rfc2119.txt).

1 SYSTEM SECURITY.

1.1 System Administration.

1.1.1 Administrator accounts should only be used for performing administrative activities that cannot be performed by an account with lesser privileges.

1.1.2 Each account with administrative privileges must be traceable to a uniquely-identifiable individual.

1.1.3 Batch system administration activities, such as daemons, jobs, and scripts, must not run with administrative privileges unless no alternative exists.

1.1.4 System accounts or built-in application accounts must not be used to provide generic or unauthorized access.

1.1.5 All access to Information Systems must be authenticated. This includes console access, individual accounts, administrative accounts, and any automated relationships with other systems.

1.1.6 Separation of duties must be maintained: individuals and accounts must not have access to both the development and test environments and the production environment.

1.1.7 Only required services and protocols should be enabled; all others must be explicitly disabled.

1.1.8 All Information Systems or mobile device assets containing Data must be identified, tracked and logically labeled and managed in accordance with the Data sensitivity classification.

1.2 Account Management.

1.2.1 All unnecessary default system accounts must be disabled.

1.2.2 Each account must be assigned to a unique individual, application, or process.

1.2.3 All accounts must be reviewed at least annually to determine if they are still required. Accounts must be disabled upon user termination or user change of roles and responsibilities.

1.2.4 All accounts that utilize passwords for authentication must use passwords that comply with section 3 and must not use Supplier-provided defaults.

1.3 Physical Security. Areas where MICRO FOCUS-Owned Equipment is stored, where Information Systems are used in Processing Data, or where Services or Products are being provided or manufactured must:

1.3.1 Restrict Access to authorized persons only;

1.3.2 Utilize identification and authentication controls to authorize and validate the access;

1.3.3 Securely maintain an audit trail of all access, including times of entry and departure;

1.3.4 Securely manage visitors:

(a) Grant access only for specific authorized purposes;

(b) Record the date and time of entry and departure;

(c) Ensure that all visitors are escorted and supervised at all times; and,

(d) Issue instructions to visitors on security and emergency procedures.

1.3.5 Have physical separation, such as cages or secured doors, and must be controlled and restricted to authorized persons only in areas where Data is Processed, Services are provided, or Products are developed or stored;

1.3.6 Ensure systems are protected against interference with configuration or continued operation;

1.3.7 Ensure that video camera surveillance does not capture keyboard and/or console actions and information;

1.3.8 Process, transfer and store hardcopy materials containing Data in a secure manner. Hardcopy materials must be destroyed when no longer needed for business or legal purposes in a manner which ensures that Data cannot be reconstructed. One of the following destruction methods must be used: confetti cut, cross cut shred, incineration, or pulping of the hardcopy materials. All hardcopy disposal containers must be secured with tamper proof locks.

1.4 Media Reuse and Disposal. All media must be securely erased electronically by overwriting or degaussing, through cryptographic erasure, or else physically destroyed prior to disposal or reassignment of the system. The media sanitization procedures must follow the procedures contained in NIST SP 800-88, Guidelines for Media Sanitization, which can be found at http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf (the “NIST Guide”).

1.5 Backup and Recovery. Supplier shall perform at least tabletop testing of the disaster recovery plan every six months.

1.5.1 Systems must have a formal backup/recovery strategy and plan that must be periodically tested, and a record of tests and results must be maintained for audit.

1.5.2 Backup media must be protected against unauthorized disclosure, alteration, or destruction. Possible mechanisms include, but are not limited to, cryptographic transformation and physical controls.

1.6 Anti-Virus Configuration. Any Information System or Product must have current anti-virus software configured for automatic updates no less than once per week. Such software must be configured to scan for and promptly remove viruses.

1.7 Endpoint Protection. All Information Systems must have reasonably up-to-date versions of system security agent software, which must include a host firewall, malware protection, and up-to-date patches and virus definitions. Such software must be configured to scan for and promptly remove or remediate identified findings on endpoint systems.

2 MALICIOUS USE OF PRODUCT OR HARDWARE.

2.1 Disallowed Uses of Product. No hardware, software or other Product used in support of MICRO FOCUS may ever be used for any malicious purpose.

2.2 Approved Use of Diagnostic Tools.

2.2.1 Diagnostic tools may only be used by personnel whose job function requires their usage and must be limited to the relevant Information Systems. Tools that may degrade the availability or performance of the services provided pursuant to the Agreement must not be used.

2.2.2 Data gathered as a result of monitoring and recording any network traffic by any means, must be properly protected against unauthorized disclosure, alteration, and destruction. Such Data must only be stored if necessary and must be immediately and securely disposed of when no longer needed.

3 PROTECTION OF PASSWORDS.

3.1 Password Protection.

3.1.1 Passwords must be protected at all times and should not be reversible from storage; they should be stored using a strong one-way function such as bcrypt. Where passwords must be stored in a reversible format, as when used with a password manager, they must be protected with strong cryptography as outlined in the Cryptography requirements (section 4) of this Addendum 1. Where passwords must be stored for the automation of application-related processes, access to the passwords must be restricted so that they can only be read by the specific application processes and super user accounts requiring access.

3.1.2 Access to files containing passwords must be logged.

3.1.3 Initial passwords must be changed by the user on first use.

3.1.4 All passwords must be promptly changed if they are suspected of being compromised or known to have been disclosed to unauthorized parties; users must be able to change their own passwords.

3.1.5 Passwords must be uniquely identifiable and each user must be accountable and responsible for any action taken under that user’s own user ID and password. Users must not share or divulge their password to anyone.

3.1.6 The display and printing of passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them. Passwords must not be logged or captured as they are being entered.

3.1.7 Passwords must be encrypted when transmitted across any network.

3.1.8 Requestor’s identity must be verified for any password changes; password change processes must not circumvent password security controls.

3.1.9 Passwords and usernames must not be hard coded in clear text into shell scripts or source code.

3.2 Password Selections.

3.2.1 Password complexity should never be less than 3 out of 4 character classes, the character classes being upper case letters, lower case letters, numeric digits, and special characters.

3.2.2 Password length must be configured to be at least 8 characters.

3.2.3 A mechanism must be in place to prevent the reuse of at least the last 6 passwords.

3.3 Password Lockout. Accounts must be set to lockout on not more than 10 consecutive failed login attempts.

3.4 Password Expiration. Password expiry must be defined in the organizational password guidance policy, in line with a documented risk assessment of the environment, with user passwords expiring every 90 days when used within environments requiring PCI DSS compliance.

4 MICRO FOCUS APPROVED CRYPTOGRAPHY.

4.1 Key Lifecycle.

4.1.1 Keys must be generated in a secure manner.

4.1.2 Keys must only be available to authorized users.

4.1.3 Keys must be protected from unauthorized use, disclosure, alteration, and destruction.

4.1.4 If the private key associated with an asymmetric key pair is compromised for any reason, all associated certificates must be revoked.

4.1.5 Keys must have an appropriate lifetime after which they are securely destroyed.

4.2 MICRO FOCUS Approved Cryptography. Supplier will implement and maintain industry-standard cryptography.

4.2.1 Transmission.

(a) The vendor must maintain secure protocols and cipher suites within the environment as accepted by the wider security industry and documented by Qualys SSL Labs best practices: https://www.ssllabs.com/projects/documentation/

(b) An "A" rating or above is required on the Qualys SSL Labs SSL Server Test: https://www.ssllabs.com/ssltest/. Upon MICRO FOCUS’ request, Supplier shall provide server test documentation.
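The SSL Labs Server Test grades a live, internet-reachable endpoint, so it cannot run inside a build pipeline. The following is an added example, not part of the DNSS or of any Micro Focus tooling: an offline audit of a Go TLS server configuration for the class of weaknesses the SSL Labs documentation penalises (a minimum protocol version below TLS 1.2, RC4 and 3DES suites, non-AEAD CBC suites, and suites without forward secrecy). The two configurations and the wording of the findings are the example's own. Passing this check is a pre-flight step before the Server Test the clause requires, not a substitute for it.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// LegacyServerConfig shows settings that would not meet the 4.2.1 bar: TLS 1.0 still
// accepted, and RC4, 3DES and CBC-mode suites offered. Constructed for this example.
func LegacyServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS10,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// HardenedServerConfig accepts TLS 1.2 and 1.3 only and, for TLS 1.2, offers only
// forward-secret AEAD suites. TLS 1.3 suites are fixed by Go and need no listing.
func HardenedServerConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// AuditTLSConfig returns one finding per weakness: an unpinned or sub-TLS 1.2 minimum
// version, any suite Go itself classifies as insecure, any CBC (non-AEAD) suite, and
// any suite without ECDHE key exchange (no forward secrecy).
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		findings = append(findings, "minimum protocol version not pinned; library default applies")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, "minimum protocol version below TLS 1.2")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	if len(cfg.CipherSuites) == 0 {
		findings = append(findings, "no explicit cipher suite list; relying on library defaults")
	}
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		switch {
		case insecure[id]:
			findings = append(findings, "insecure cipher suite: "+name)
		case strings.Contains(name, "_CBC_"):
			findings = append(findings, "non-AEAD CBC cipher suite: "+name)
		case !strings.Contains(name, "_ECDHE_"):
			findings = append(findings, "cipher suite without forward secrecy: "+name)
		}
	}
	return findings
}

func main() {
	for name, cfg := range map[string]*tls.Config{"legacy": LegacyServerConfig(), "hardened": HardenedServerConfig()} {
		findings := AuditTLSConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The audit deliberately reads only what the server configuration states; certificate chain, HSTS and renegotiation behaviour, which SSL Labs also grades, depend on deployment and are out of scope here.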

4.2.2 Storage. For storage and database encryption (including backup media), the AES CCM or GCM authenticated encryption modes must be used and configured in a secure manner consistent with industry best practices, which may be validated by MICRO FOCUS.
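Added example, not from the DNSS: field-level encryption of a database record with AES-256-GCM in Go, drawing a fresh 96-bit nonce per record and binding the ciphertext to its row with the record identifier as additional authenticated data. Key handling is reduced to a random in-memory key for illustration; a real deployment would generate and wrap the key in a KMS or HSM as 4.1 requires. The function names and the nonce-prefixed storage layout are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewDataKey generates a random 256-bit AES key (4.1.1: keys generated securely).
// In production the key would be wrapped by a KMS or HSM, not held in plain memory.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// SealRecord encrypts one record with AES-256-GCM. A fresh 96-bit nonce is drawn per
// call and prepended to the output; aad (the record's identity, e.g. "customers/42") is
// authenticated but not encrypted, so a ciphertext swapped into another row fails to open.
func SealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Stored layout: nonce || ciphertext || 16-byte authentication tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenRecord reverses SealRecord. Any change to nonce, ciphertext, tag or aad, or use
// of the wrong key, fails the tag check and nothing is returned.
func OpenRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, errors.New("authentication failed: record tampered, wrong key, or wrong context")
	}
	return plaintext, nil
}

func main() {
	key, _ := NewDataKey()
	aad := []byte("customers/42")
	sealed, _ := SealRecord(key, []byte("ssn=123-45-6789"), aad)
	fmt.Printf("stored %d bytes (12 nonce + %d data + 16 tag)\n", len(sealed), len(sealed)-28)
	if _, err := OpenRecord(key, sealed, []byte("customers/43")); err != nil {
		fmt.Println("ciphertext moved to another row rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	if _, err := OpenRecord(key, sealed, aad); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

GCM security depends on never reusing a nonce under the same key. With random 96-bit nonces, NIST SP 800-38D limits a key to 2^32 encryptions, so key rotation (4.1.5) must be planned before that count is reached. CCM, the other mode the clause permits, is not in Go's standard library, which is why GCM is shown.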

4.2.3 Use of Hash Algorithms.

(a) The SHA-256, SHA-384, and SHA-512 hash algorithms are approved as minimum acceptable algorithms for performing digital signatures and HMACs.

(b) For systems which will not leverage a MICRO FOCUS-provided authentication solution, industry best practices must be followed to hash the password in storage: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

4.2.4 PGP. The RIPEMD-160 algorithm is approved for use with the OpenPGP protocol.

4.2.5 If at any time the above noted cryptography is no longer recognized as an industry best practice, or if Supplier is unable to implement cryptography consistent with this DNSS, Supplier must receive MICRO FOCUS Cyber Security written approval prior to implementing alternate cryptography.

5 NETWORK SECURITY.

5.1 Network Operations and Management.

5.1.1 Supplier must maintain an intrusion detection system to monitor, detect, and report misuse patterns, suspicious activities, unauthorized users, and other actual and threatened security risks to Data. Supplier shall make available, in an expedited manner if so requested, the necessary support to implement any changes required to maintain the security of the Data and Information System.

5.1.2 Supplier’s intrusion detection system must provide the ability to capture Data for audit purposes of all actual and suspected access exceptions and make such Data available to MICRO FOCUS upon request.

5.2 Network Access Controls.

5.2.1 Networks used in the provisioning of Services for MICRO FOCUS must have dedicated separately-defined logical domains or network compartments, each protected with suitable security perimeters and access control mechanisms. All such networks must implement bi-directional anti-spoofing filters on network boundary devices.

5.2.2 Network access control devices between networks used in the provisioning of Services for MICRO FOCUS and uncontrolled networks must not allow access by default; “deny all” shall be the default state. Networks, IP addresses, and ports must be specifically authorized before access is permitted between networks managed on behalf of MICRO FOCUS and any other networks.

6 PATCHING VULNERABILITIES.

6.1 Security Products. Supplier must maintain security Products on the latest supported version, including implementing any security-related updates made available by security Product vendor. Supplier shall monitor and implement any necessary changes to enhance the security status of the Product or Service.

6.2 Patch and Vulnerability Administration.

6.2.1 Supplier must have a process to review and assess the risk and threat to the environment of all vendor security directives and advisories in a timely and effective manner. Patches must be implemented in a timeframe commensurate with the risk level unless otherwise agreed to with MICRO FOCUS Cyber Security.

6.2.2 Any known or identified vulnerabilities which impact the confidentiality, integrity, or availability of the Product, Service or Data and have a Common Vulnerability Scoring System (CVSS) rating of 4 or higher shall be remediated prior to commencement of Services or within 14 days from release of the patch or remediation. All vulnerabilities with a rating of less than 4 should be remediated within 30 days.

7 CHANGE MANAGEMENT.

7.1 Prior to implementing any new Products, Services, Information Systems or changes to Products, Services, or Information Systems, Supplier must ensure sufficient analysis and testing is performed:

7.1.1 The Product, Service or Information System or any change thereof correctly addresses the functional requirements;

7.1.2 The change does not introduce new known vulnerabilities or security deficiencies;

7.1.3 The change or action does not break or negatively impact the Product, Service or Information System;

7.1.4 The change has been documented and approved by Supplier and MICRO FOCUS;

7.1.5 Supplier’s information security team has tested and approved the change; and,

7.1.6 A process to roll-back the change has been documented.

8 EVENT LOGGING.

8.1 Supplier must have processes and programs to log, detect, report, and resolve any system or security events which may compromise the security of the system. This includes, but is not limited to, access to critical business and infrastructure files, shared files, and successful or failed user authentication.

8.2 Devices and systems requiring security event logging. Network, domain, application and Services infrastructure (including but not limited to, servers, databases, applications, physical access control systems) when used as part of the security controls in support of the Services or Product provided under the Agreement must provide auditable logs of security events.

8.3 Log Entry Content. Log content must capture sufficient information to recreate events and activities in support of forensic activities.

8.3.1 Log entries must indicate, at a minimum: date, time, IP address, system information, user, object, type of transaction or activity, success or failure of transaction, and log source.

8.3.2 Denied access attempts to critical files must be logged.

8.3.3 All authentication transactions must be logged.

8.3.4 All Information Systems that generate or store logs of security events must use the Network Time Protocol (NTP) to synchronize their system clocks.

8.3.5 Log entries should be stored in Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

8.4 Log Access Control. Logs must be labeled as “Confidential” and must be protected from unauthorized disclosure, alteration, and destruction.

8.5 Log Retention. Log entries must be retained online for a period of 180 days and archived for a period of 3 years to support forensics and litigation, unless otherwise required by Applicable Laws. Whenever the retention times expressed in this standard conflict with Applicable Laws, Applicable Laws take precedence. Archived logs should be retrievable within 7 business days.

8.6 Log Review and Reporting. Documented processes and procedures must be in place for automated or manual reviews, monitoring, and alerting of security-significant events. System logs should be reviewed at least once a month. If necessary, reports shall be drafted and filed in accordance with Applicable Laws.
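Added example, not part of the DNSS, showing how a log consumer can enforce the 8.3.1 field minimum and the 8.3.5 UTC rule and perform the detection 8.1 and 8.6 call for: each entry is checked for the required fields and a UTC timestamp, entries that cannot support forensics are reported rather than silently kept, and consecutive failed logins are counted against the 3.3 lockout threshold. The JSON layout, field names and sample lines are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// SecurityEvent holds the minimum content 8.3.1 requires of a log entry.
// The JSON field names are this example's own; the DNSS prescribes content, not format.
type SecurityEvent struct {
	Timestamp string `json:"ts"`      // date and time, RFC 3339, in UTC (8.3.5)
	IP        string `json:"ip"`
	System    string `json:"system"`
	User      string `json:"user"`
	Object    string `json:"object"`
	Action    string `json:"action"`  // type of transaction or activity
	Outcome   string `json:"outcome"` // "success" or "failure"
	Source    string `json:"source"`  // log source
}

// Validate names every missing 8.3.1 field and rejects timestamps not expressed in UTC.
func (e SecurityEvent) Validate() error {
	required := []struct{ name, value string }{
		{"ts", e.Timestamp}, {"ip", e.IP}, {"system", e.System}, {"user", e.User},
		{"object", e.Object}, {"action", e.Action}, {"outcome", e.Outcome}, {"source", e.Source},
	}
	var missing []string
	for _, f := range required {
		if f.value == "" {
			missing = append(missing, f.name)
		}
	}
	if len(missing) > 0 {
		return fmt.Errorf("missing required fields: %s", strings.Join(missing, ", "))
	}
	ts, err := time.Parse(time.RFC3339, e.Timestamp)
	if err != nil {
		return fmt.Errorf("unparseable timestamp %q", e.Timestamp)
	}
	if _, offset := ts.Zone(); offset != 0 {
		return fmt.Errorf("timestamp %q is not in UTC", e.Timestamp)
	}
	return nil
}

// ParseLog decodes one JSON object per line. Lines that cannot support forensics are
// returned as rejections with their line number instead of being silently dropped.
func ParseLog(lines []string) (events []SecurityEvent, rejected []string) {
	for i, line := range lines {
		var e SecurityEvent
		err := json.Unmarshal([]byte(line), &e)
		if err == nil {
			err = e.Validate()
		}
		if err != nil {
			rejected = append(rejected, fmt.Sprintf("line %d: %v", i+1, err))
			continue
		}
		events = append(events, e)
	}
	return events, rejected
}

// DetectFailedLogins alerts once per user whose consecutive failed logins reach
// threshold (10 mirrors the 3.3 lockout setting); a successful login resets the streak.
func DetectFailedLogins(events []SecurityEvent, threshold int) []string {
	streak := map[string]int{}
	var alerts []string
	for _, e := range events {
		switch {
		case e.Action != "login":
			continue
		case e.Outcome == "success":
			streak[e.User] = 0
		default:
			streak[e.User]++
			if streak[e.User] == threshold {
				alerts = append(alerts, fmt.Sprintf("%s: %d consecutive failed logins on %s from %s, last at %s",
					e.User, threshold, e.System, e.IP, e.Timestamp))
			}
		}
	}
	return alerts
}

// SampleLog is constructed test data for this example, not output of any real system.
// Line 2 lacks the user field; line 3 carries a local-time offset instead of UTC.
func SampleLog() []string {
	const tmpl = `{"ts":"2019-09-03T08:%02d:00Z","ip":"%s","system":"vpn-gw1","user":"%s","object":"sshd","action":"login","outcome":"%s","source":"auth.log"}`
	lines := []string{
		fmt.Sprintf(tmpl, 0, "198.51.100.4", "asmith", "success"),
		`{"ts":"2019-09-03T08:01:00Z","ip":"198.51.100.9","system":"vpn-gw1","object":"sshd","action":"login","outcome":"failure","source":"auth.log"}`,
		`{"ts":"2019-09-03T10:02:00+02:00","ip":"198.51.100.4","system":"vpn-gw1","user":"asmith","object":"sshd","action":"login","outcome":"success","source":"auth.log"}`,
	}
	for m := 3; m < 13; m++ { // ten consecutive failures against one account
		lines = append(lines, fmt.Sprintf(tmpl, m, "203.0.113.7", "jdoe", "failure"))
	}
	return append(lines,
		fmt.Sprintf(tmpl, 13, "198.51.100.4", "asmith", "failure"),
		fmt.Sprintf(tmpl, 14, "198.51.100.4", "asmith", "failure"),
		fmt.Sprintf(tmpl, 15, "203.0.113.7", "jdoe", "success"))
}

func main() {
	events, rejected := ParseLog(SampleLog())
	fmt.Printf("%d valid events, %d rejected\n", len(events), len(rejected))
	for _, r := range rejected {
		fmt.Println("  reject:", r)
	}
	for _, a := range DetectFailedLogins(events, 10) {
		fmt.Println("  ALERT:", a)
	}
}
```

Rejected lines are themselves evidence worth keeping: a source that suddenly emits entries without a user or in local time may have been misconfigured or tampered with, which the 8.6 review should notice.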

ADDENDUM 2

Micro Focus Group GDPR Terms for Suppliers

1. Definitions. The following definitions shall apply to this Appendix A. Capitalized terms not otherwise defined in this Appendix A shall have the meanings set forth in the Relevant Agreement.

a. "Data controller", "data processor", "data subject", "personal data", "special categories of personal data" and "processing" shall be as defined in GDPR.

b. “GDPR Data” means all personal data including (where relevant) special categories of personal data which is provided by Micro Focus to Supplier pursuant to the Relevant Agreement or in connection with the products and/or services provided by Supplier thereunder to the extent that GDPR applies to such data.

c. “Relevant Agreement” means the agreement entered into between Supplier and Micro Focus in which Supplier has agreed to and/or is required to process personal data on behalf of Micro Focus as a data processor.

d. "Security Breach" means any breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, damage, unauthorized disclosure of or access to the GDPR Data.

2. GDPR Terms.

With effect from 25 May 2018:

a. The following processing may be performed by Supplier in relation to the Relevant Agreement:

i. Subject-matter of processing

The processing of GDPR Data by Supplier shall be that which is necessary to comply with Supplier's obligations under the Relevant Agreement.

ii. Duration of processing

The duration of the processing shall be the term of the Relevant Agreement.

iii. Type of GDPR Data

The GDPR Data processed by Supplier shall be as defined above.

iv. Categories of data subjects

The data subjects shall be the subjects of the GDPR Data as defined above.

b. Micro Focus agrees that it shall at all times comply with all requirements applicable to it under GDPR as a data controller or data processor as applicable.

c. Micro Focus and Supplier acknowledge that for the purposes of GDPR, Micro Focus is the data controller and Supplier is the data processor of any GDPR Data.

d. When processing GDPR Data, Supplier shall, in addition to the measures taken by Micro Focus, implement and maintain all appropriate technical and organizational measures in such a manner (i) to ensure a level of security appropriate to the risk to the GDPR Data when it is processed by Supplier (ii) to protect the GDPR Data from Security Breaches and (iii) to enable Supplier to assist Micro Focus in the fulfilment of its obligations to respond to requests from data subjects exercising their rights under the GDPR.

e. Supplier shall not engage another processor (a "sub processor") without Micro Focus’s prior written authorization.

f. Supplier hereby stipulates that it shall:

i. provide all assistance to Micro Focus as is reasonably requested to enable Micro Focus to comply with its obligations pursuant to the GDPR;

ii. process the GDPR Data only on documented instructions from Micro Focus, including with regard to transfers of GDPR Data to a third country or an international organization, unless (1) required to do so by European Union or EU Member State law to which Supplier is subject; in such a case, Supplier shall immediately inform Micro Focus of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest or (2) in its opinion, an instruction given by or on behalf of Micro Focus infringes the GDPR, in which instance Supplier shall immediately inform Micro Focus of such opinion;

iii. ensure that persons authorized to access the GDPR Data on behalf of Supplier are limited to those who require access to it for the purpose of complying with Supplier's obligations under the Relevant Agreement and that such authorized persons have committed themselves to contractual obligations of confidentiality or are under an appropriate statutory obligation of confidentiality;

iv. not process or transfer the GDPR Data outside of the European Economic Area (or permit the GDPR Data to be so processed or transferred) unless it has obtained Micro Focus' prior written authorization;

v. without prejudice to the generality of 2. f (i) above, assist Micro Focus in ensuring compliance with its obligations pursuant to GDPR Art. 32-36 taking into account the nature of the processing carried out by Supplier and the information available to Supplier;

vi. promptly (and in any event within 24 hours of becoming aware of a Security Breach) notify Micro Focus of the Security Breach and provide Micro Focus with details of the Security Breach (such details to include but not be limited to, (1) the identity of any affected data subjects (2) any recommended remedial measures that should be taken by it and/or Micro Focus in respect of the Security Breach and (3) all information necessary to enable Micro Focus to assess the risk posed by the Security Breach and establish whether it is required to notify the relevant data protection authorities);

vii. at the choice of Micro Focus, delete or return all GDPR Data to Micro Focus within seven days of the end of the provision of services relating to processing, and delete all copies of such GDPR Data unless European Union or EU Member State law requires the Supplier to retain a copy of the GDPR Data in which case the Supplier shall (to the extent permitted by law) inform Micro Focus of such retention requirement; and

viii. allow Micro Focus and/or its representatives to conduct audits (including inspections) of all data processing facilities, procedures, documentation and other matters required to demonstrate compliance with the GDPR and this Appendix A. Without prejudice to the foregoing, the Supplier shall contribute to such audits in a reasonable manner, and provide all information reasonably necessary to demonstrate compliance with the GDPR and this Appendix A.

g. Subject to paragraph 2. d of this Appendix A, where Supplier engages a sub processor for carrying out specific processing activities on behalf of Supplier, Supplier shall ensure that any such sub processors are contractually bound by the same data protection terms as set forth herein. Where a sub processor fails to fulfill its data protection obligations, Supplier shall remain fully liable to Micro Focus in respect of any breach of this Appendix A that is caused by an act, error or omission of such sub processor.

h. The Supplier agrees that it shall at all times comply with all requirements applicable to it under the GDPR as a data processor.

3. General.

a. Supplier and Micro Focus hereby acknowledge and agree that any provisions in the Relevant Agreement which provide better protection for Micro Focus against liability arising out of a breach by Supplier of the data protection provisions in the Relevant Agreement than the protection available in respect of other breaches, should be read as if such provisions also apply to breaches of this Appendix A and in particular:

i. any indemnities set out in the Relevant Agreement in which Supplier indemnifies and holds Micro Focus and/or its affiliates harmless from any losses arising out of Supplier's breach of any of its data protection obligations under the Relevant Agreement, shall be read as if such indemnities also apply to losses arising out of Supplier's breach of this Appendix A or any part thereof; and

ii. any liability caps for data protection breaches which are higher than the other caps in the Relevant Agreement shall be read as if such liability caps also apply to losses arising out of Supplier's breach of this Appendix A or any part thereof; and

iii. any exemptions to the liability limitations that are set out in the Relevant Agreement which apply to the data protection obligations in the Relevant Agreement, shall apply to losses arising out of Supplier's breach of this Appendix A or any part thereof.

APPENDIX 1 TO ADDENDUM 2

STANDARD CONTRACTUAL CLAUSES FOR PROCESSORS

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Data Exporter and Data Importer (as defined in Appendix 1), each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) “personal data”, “special categories of data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority” shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) “the data exporter” means the controller who transfers the personal data;

(c) “the data importer” means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) “the sub-processor” means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) “the applicable data protection law” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) “technical and organizational security measures” means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorized access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations under such agreement.

2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

{Signatures on Following Page}

IN WITNESS WHEREOF, these Clauses are duly executed and delivered on the date set out above:

Data Exporter:

____________________________

Name

____________________________

(Title)

____________________________

(Date)

Data Importer:

____________________________

Name

____________________________

(Title)

____________________________

(Date)

EU Model Contract

Details of the transfer

Data Exporter

[INSERT EXPORTER ENTITY] and its affiliated companies located in the EU, EEA and Switzerland with access to the business applications and data on the servers, storage and other infrastructure of the Services, which may contain personal data. The data exporter interacts with the data importer in order to manage the service and obtain support.

Data Importer(s)

[INSERT IMPORTER ENTITY/ENTITIES]

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

[INSERT DATA SUBJECT CATEGORIES]

Categories of data

The personal data transferred concern the following possible categories of data:

[INSERT PERSONAL DATA CATEGORIES]

Special categories of data

The personal data transferred concern the following special categories of data:

The personal data stored by the data exporter on the servers and other infrastructure provided as part of the Services, may include personal data that falls into the following categories:

inions of a data subject

Processing operations

The personal data transferred will be subject to the following basic processing activities: Data importer will process the personal data as necessary in order to deliver and support the Services.

[INSERT DESCRIPTION OF PROCESSING]

EU Model Contract

TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

This Appendix forms part of the Clauses.

Description of the technical and organisational measures implemented by the Data Importer in accordance with Clauses 4(d) and 5(c):

The Data Importer shall implement the security measures described below.

[INSERT SECURITY MEASURES].

APPENDIX 2 TO ADDENDUM 2 (PRIVACY) - HIPAA BAA/ASA

Agent/Subcontractor Agreement

This Agent/Subcontract Agreement (“Agreement”) is entered into by and between ________________________, with offices at ______________________________ (“Business Associate”) and ___________________ [Name of Agent/Subcontractor] (“Agent/Subcontractor”), with offices at ____________________________ (individually a “Party” and collectively the “Parties”), and is effective as of ______________, (“Effective Date”).

Recitals:

WHEREAS, Business Associate is operating as a Business Associate under the federal Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. §§ 1320d – 1320d-8 (“HIPAA”), as amended from time to time, and is required to safeguard individually identifiable health information that Business Associate creates, receives, maintains, or transmits (hereinafter “Protected Health Information” or “PHI”) on behalf of a Covered Entity in accordance with the requirements HIPAA establishes and also the requirements set forth in the Health Information Technology for Economic and Clinical Health (“HITECH”) Act and their respective implementing regulations;

WHEREAS, Agent/Subcontractor is operating as a Business Associate as defined by HIPAA, as amended from time to time, and is required to safeguard PHI that Agent/Subcontractor creates, receives, maintains, or transmits on behalf of the Business Associate and/or a Covered Entity in accordance with the requirements of HIPAA and the HITECH Act and their respective implementing regulations;

WHEREAS, HIPAA mandates that Business Associate, in its capacity as a Business Associate of a Covered Entity, enter into this Agreement with those agents and subcontractors that perform a service on behalf of Business Associate that involves the use or disclosure of PHI; and

WHEREAS, Business Associate and Agent/Subcontractor understand that they must enter into this Agreement so that PHI may be disclosed to Agent/Subcontractor and to allow Agent/Subcontractor to perform functions or activities on behalf of and/or provide services to Business Associate as set forth in Exhibit A that requires the use or disclosure of PHI.

NOW, THEREFORE, in consideration of the Parties’ continuing obligation to each other and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties agree as follows:

Definitions

The following terms shall have the meaning ascribed to them in this Section. Other capitalized terms shall have the meaning ascribed to them in the context in which they first appear. Terms used but not otherwise defined in this Agreement shall have the same meaning as those terms in the federal Standards for Privacy of Individually Identifiable Health Information, 45 CFR Parts 160 subpart A and 164 subparts A and E (the “Privacy Rule”); the federal Security Standards for the Protection of Electronic Protected Health Information, 45 CFR Parts 160 subpart A, and 164 subparts A and C (the “Security Rule”); and the Notification in the Case of Breach of Unsecured Protected Health Information, 45 CFR Part 164 subpart D (the “Breach Notification Rule”) (collectively the “HIPAA Rules”).

a) “Agent/Subcontractor” shall generally have the same meaning as the term “Business Associate” at 45 CFR 160.103.

b) “Breach” shall have the same meaning as the term “Breach” is defined in 45 CFR 164.402.

c) “Business Associate” shall have the same meaning as the term “Business Associate” in 45 CFR 160.103 and, as used in this Agreement, refers to Business Associate in its capacity as an entity that creates, receives, maintains, or transmits protected health information in providing services to a Covered Entity and/or a Business Associate.

d) “Covered Entity” shall have the same meaning as the term “Covered Entity” in 45 CFR 160.103 and refers to a Health Plan, Health Care Provider or Health Care Clearinghouse, as those entities are defined in 45 CFR 160.103.

e) “Individual” shall have the same meaning as the term “Individual” in 45 CFR 160.103 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g).

f) “Protected Health Information” or “PHI” shall have the same meaning as the term “Protected Health Information” in 45 CFR 160.103, and shall refer to PHI obtained from Covered Entity or Business Associate or created, received, maintained, or transmitted by Agent/Subcontractor on behalf of Business Associate or Covered Entity, including any PHI that is created, received, maintained, or transmitted in an electronic form (“Electronic PHI”).

g) “Required By Law” shall have the same meaning as the term “Required By Law” in 45 CFR 164.103.

h) “Secretary” shall mean the Secretary of the Department of Health and Human Services or his/her designee.

i) “Security Incident” means “the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system” as defined at 45 CFR 164.304.

j) “Underlying Services Agreement” shall mean any contract or purchase order, express or implied, between Business Associate and Agent/Subcontractor for services.

k) “Unsecured Protected Health Information” or “Unsecured PHI” shall mean Protected Health Information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance as specified under section 13402(h)(2) of Pub. L. 111-5, as defined at 45 CFR § 164.402.

II) Acknowledgment of Obligations

Agent/Subcontractor acknowledges that it is directly subject to the HIPAA Rules, as amended by the HITECH Act, including, but not limited to, Sections 164.308, 164.310, 164.312 and Section 164.316, as well as the enforcement and penalty provisions that the HIPAA Rules provide, as they may be amended from time to time. See 42 U.S.C. §§ 17931, 17934. Agent/Subcontractor agrees that it will (a) comply with all applicable provisions of the HIPAA Rules, as amended by the HITECH Act and as it may be further amended from time to time; and (b) not act in any way to interfere with or hinder Business Associate’s ability to comply with the HIPAA Rules, as amended by the HITECH Act and as it may be further amended from time to time.

III) Obligations and Activities of Agent/Subcontractor

a) Uses and Disclosures of PHI. Without in any way limiting the confidentiality provisions of the Underlying Services Agreement, with respect to each use and disclosure of PHI Agent/Subcontractor makes pursuant to this Agreement, or otherwise, Agent/Subcontractor agrees as follows:

i) Agent/Subcontractor agrees to not use or disclose PHI other than as permitted or required by this Agreement or as Required By Law.

ii) Agent/Subcontractor agrees to mitigate any harmful effect that is known to Agent/Subcontractor of a use or disclosure of PHI by Agent/Subcontractor in violation of the requirements of this Agreement.

iii) Agent/Subcontractor agrees to report immediately, but no later than [“five calendar days”], to Business Associate any use or disclosure of PHI not provided for by this Agreement of which it becomes aware.

iv) Agent/Subcontractor agrees to obtain written approval from Business Associate prior to entering into written agreements with any third party including but not limited to contractor, agent, or supplier that creates, receives, maintains, or transmits PHI on behalf of Agent/Subcontractor, and, to the extent approval is granted, to ensure that such third party agrees to the same restrictions, conditions, and requirements that apply under the terms of this Agreement with respect to such information.

v) Agent/Subcontractor agrees to make available and provide Business Associate or, as directed by Business Associate, Covered Entity or an Individual with access to PHI in a designated record set to meet the requirements under 45 CFR 164.524. Such access shall be in a timely and reasonable manner, as agreed upon by the Parties.

vi) Agent/Subcontractor agrees to make any amendment(s) to PHI in a designated record set that Business Associate directs or agrees to pursuant to 45 CFR 164.526, or take other measures as necessary to satisfy Business Associate’s obligations under 45 CFR 164.526, at the request of Business Associate, in a time and manner reasonably agreed upon by the Parties.

vii) Agent/Subcontractor agrees to make its internal practices, books, and records, including any policies and procedures, relating to the use and disclosure of PHI received from, or created or received by Agent/Subcontractor on behalf of Business Associate, available to the Business Associate or Secretary, in a time and manner reasonably agreed upon or designated by the Business Associate or Secretary, for purposes of the Secretary determining a Covered Entity’s or Business Associate’s compliance with the HIPAA Rules.

viii) Agent/Subcontractor agrees to maintain and make available, within five (5) calendar days, the information required for Business Associate to respond to a request by a Covered Entity or an Individual for an accounting of disclosures of PHI, as necessary to satisfy Business Associate’s obligations under 45 CFR 164.528, as amended from time to time.

ix) In a time and manner agreed to by the Parties and to the extent the Agent/Subcontractor is to carry out one or more of Business Associate's obligation(s) under Subpart E of 45 CFR Part 164, Agent/Subcontractor agrees to comply with the requirements of Subpart E that apply to Business Associate in the performance of such obligation(s).

b) Securing Electronic PHI.

i) Agent/Subcontractor agrees to use appropriate safeguards and comply with applicable requirements of the Security Rule and any procedures or requirements specified in the Underlying Services Agreement with respect to Electronic PHI to prevent the use or disclosure of Electronic PHI other than as provided for by this Agreement.

ii) Agent/Subcontractor will implement the data security measures of the Security Rule set forth at 45 CFR 164.308, 164.310, 164.312, and 164.316, as they may be amended from time to time. Such compliance shall include, but not be limited to, the implementation of written data security policies and procedures that satisfy the standards, implementation specifications and other requirements of the Security Rule. Those standards, implementation specifications and any procedures or other requirements specified in the Underlying Services Agreement include, but are not limited to:

(1) Administrative safeguards, which include risk assessment and periodic reassessments; risk management security measures; information system activity risk reviews; an assigned security official; workforce training and sanctions; data access controls; data back-up and disaster recovery plans; and Security Incident management.

(2) Physical safeguards, which include facility and workstation access controls; portable and removable device and media management; device and media disposal, re-use, backup and storage controls.

(3) Technical safeguards, which include access, authentication and audit controls; data integrity and transmission security.

c) Notification of Security Incident.

i) Agent/Subcontractor will notify Business Associate of a Security Incident that is related directly or indirectly to the services being provided to Business Associate immediately, and in no event later than [for ENTIT and PPS deals use “2 calendar days”] [for TS, SW, Cloud, and other non-ENTIT or non-PPS deals use “five (5) calendar days”] after the Discovery of such a Security Incident, as those terms are defined at 45 CFR 164.304 and 164.410. Agent/Subcontractor’s notice to Business Associate shall include the applicable elements as set forth at 45 CFR 164.410(c).

ii) Agent/Subcontractor agrees to make its employees or agents available to Business Associate and fully cooperate with any investigations related to known or suspected Security Incidents as requested by Business Associate.

d) Notification of Breaches of Unsecured PHI.

Agent/Subcontractor will notify Business Associate of Breaches of Unsecured PHI without unreasonable delay and in no event later than [for ENTIT and PPS deals use “2 calendar days”] [for TS, SW, Cloud, and other non-ENTIT or non-PPS deals use “five (5) calendar days”] after the Discovery of such a Breach of Unsecured PHI, as those terms are defined at 45 CFR 164 subpart D. Agent/Subcontractor’s notice to Business Associate shall include the applicable elements as set forth at 45 CFR 164.410(c).

e) Assurance of safeguards.

i) Without limiting the notification requirements set forth in this Agreement, upon request from Business Associate, Agent/Subcontractor shall provide reasonable assurance to Business Associate that Agent/Subcontractor has taken the steps necessary to comply with the provisions of this Agreement. Such assurance will be done in a time and manner determined by Business Associate and may be requested prior to engagement, annually, and/or in connection with the investigation of a Security Incident or suspected Breach at the discretion of Business Associate.

ii) Business Associate or its authorized representatives may audit, monitor and inspect Agent/Subcontractor’s or its agents’ facilities and equipment and any documents, information or materials in Agent/Subcontractor’s or its agents’ possession, custody or control; interview Agent/Subcontractor’s employees, agents, consultants and subcontractors; and inspect any logs or documentation maintained by Agent/Subcontractor to the extent relating in any way to Agent/Subcontractor’s obligations under this Agreement. An inspection performed pursuant to this Agreement shall not unreasonably interfere with the normal conduct of Agent/Subcontractor’s business. No such inspection by Business Associate as set forth herein shall relieve Agent/Subcontractor or its agents of any of its obligations under this Agreement.

IV) Permitted Uses and Disclosures by Agent/Subcontractor

In accordance with the limitations in this Agreement and any Underlying Services Agreement, Agent/Subcontractor may use or disclose PHI as necessary to perform functions on behalf of, and/or provide services to Business Associate, to the extent such uses or disclosures are permitted by the Privacy Rule, as it may be amended from time to time.

V) Specific Use and Disclosure Provisions

a) In accordance with the limitations in this Agreement, Agent/Subcontractor may use PHI as necessary for the proper management and administration of Agent/Subcontractor or to carry out the legal responsibilities of Agent/Subcontractor, to the extent such use is permitted by the Privacy Rule, as it may be amended from time to time.

b) In accordance with the limitations in this Agreement, Agent/Subcontractor may disclose PHI as necessary for the proper management and administration of Agent/Subcontractor, provided that such disclosures are (i) Required By Law, (ii) Agent/Subcontractor obtains reasonable assurances from the person to whom the information is disclosed that the information will remain confidential and used or further disclosed only as Required By Law or for the purposes for which it was disclosed to the person, and the person notifies Agent/Subcontractor of any instances of which it is aware in which the confidentiality of the information has been Breached, or (iii) are otherwise permitted by the Privacy Rule, as it may be amended from time to time.

c) Agent/Subcontractor may use PHI as necessary to report violations of law to appropriate federal and state authorities, to the extent permitted by 45 CFR 164.502(j)(1).

VI) Specific Use and Disclosure Restrictions

a) Agent/Subcontractor will restrict the disclosure of an Individual’s PHI in accordance with 45 CFR 164.522(a)(1)(i)(A), notwithstanding paragraph (a)(1)(ii) of that section, when, except as otherwise Required By Law, Business Associate notifies Agent/Subcontractor that the Individual has made such a restriction request, and each of the following conditions is satisfied:

i) the disclosure would be to a health plan for the purposes of carrying out payment or health care operations, as that term may be amended from time to time, and

ii) the PHI pertains solely to a health care item or service for which the health care provider involved has been paid out-of-pocket in full.

b) In accordance with 45 CFR 164.502(b)(1), Agent/Subcontractor will limit to the extent practicable the use, disclosure, or request of PHI to the minimum necessary to accomplish the intended purposes of such use, disclosure, or request, respectively, except that the restrictions set forth herein shall not apply to the exceptions set forth in CFR 164.502(b)(2). At such time when the Secretary issues further guidance on disclosure limitations, as mandated by Section 13405(b) of the HITECH Act, Agent/Subcontractor shall comply with the applicable limitations established in the guidance.

c) Agent/Subcontractor shall not directly or indirectly receive remuneration in exchange for any PHI unless the Agent/Subcontractor obtains written authorization from Business Associate that includes a specification of whether the PHI can be further exchanged for remuneration by the entity receiving the PHI of the Individual, except that this prohibition shall not apply in the following cases, in which Agent/Subcontractor will limit remuneration to a reasonable, cost-based fee to cover the cost to prepare and transmit the Protected Health Information for such purpose or a fee otherwise expressly permitted by other law:

i) The purpose of the exchange is for research or public health activities, as described at 45 CFR 154.501, 164.512(i), 164.512(b), and 164.514(e), or

ii) The purpose of the exchange is for the treatment of the Individual, subject to 164.506(a) and any regulation that the Secretary may promulgate to prevent PHI from inappropriate access, use or disclosure, or

iii) The purpose of the exchange is the health care operation specifically described in subparagraph (iv) of paragraph (6) of the definition of health care operations at 45 CFR 164.501 and pursuant to 164.506(a), or

iv) The purpose of the exchange is for remuneration that is provided by Business Associate to Agent/Subcontractor for activities involving the exchange of PHI that Agent/Subcontractor undertakes on behalf of and at the specific request of the Business Associate as set forth in this Agreement, or

v) The purpose of the exchange is to provide an Individual with a copy of the Individual’s PHI pursuant to 45 CFR 164.524 or an accounting of disclosures pursuant to 164.528, or

vi) The purpose of the exchange is otherwise determined by the Secretary in regulations to be similarly necessary and appropriate.

VII) Obligations of Business Associate

a) Business Associate shall notify Agent/Subcontractor of any known limitation(s) in a Covered Entity’s notice of privacy practices, in accordance with 45 CFR 164.520, to the extent that such limitation may affect Agent/Subcontractor’s use or disclosure of PHI.

b) Business Associate shall notify Agent/Subcontractor of any changes in, or revocation of, permission by a Covered Entity or an Individual to use or disclose PHI, to the extent that such changes may affect Agent/Subcontractor’s use or disclosure of PHI.

c) Business Associate shall notify Agent/Subcontractor of any restriction to the use or disclosure of PHI that a Covered Entity has agreed to or is required to abide by in accordance with 45 CFR 164.522 or as mandated pursuant to Section 13405(c) of the HITECH Act, to the extent that such restriction may affect Agent/Subcontractor’s use or disclosure of PHI.

VIII) Permissible Requests by Business Associate

Business Associate shall not request Agent/Subcontractor to use or disclose PHI in any manner that would not be permissible under the Privacy or Security Rules if done by Business Associate or the Covered Entity.

IX) Term and Termination

a) Term. This Agreement shall be effective as of the Effective Date and shall continue until terminated. The obligations under this Agreement shall apply to each Underlying Services Agreement until the later of (i) completion, termination, or expiration or (ii) when all of the PHI provided by Business Associate to Agent/Subcontractor or created, received, maintained, or transmitted by Agent/Subcontractor on behalf of Business Associate is destroyed or returned to Business Associate, in accordance with subsection c) below.

b) Termination for Cause for Failure to Comply with this Agreement by Agent/Subcontractor. Upon any failure to comply with this Agreement by Agent/Subcontractor, Business Associate shall either:

i) Provide an opportunity for Agent/Subcontractor to cure the failure to comply or end the violation and terminate this Agreement if Agent/Subcontractor does not cure the failure to comply or end the violation within the time specified by Business Associate; or

ii) Immediately terminate this Agreement if Agent/Subcontractor has failed to comply with a material term of this Agreement and cure is not possible and the Agent/Subcontractor has not implemented reasonable steps to prevent a reoccurrence of such failure to comply.

c) Effect of Termination. Without in any way limiting Agent/Subcontractor’s obligations under the Underlying Services Agreement:

i) Except as provided below in paragraph (2) of this subsection, upon termination of this Agreement, for any reason, Agent/Subcontractor shall return or, at Business Associate’s prior approval and direction, destroy all PHI received from Business Associate, or created, received, maintained, or transmitted by Agent/Subcontractor on behalf of Business Associate that Agent/Subcontractor maintains in any form. Agent/Subcontractor shall retain no copies of such information in accordance with the Privacy and Security Rules, as amended from time to time. This provision shall apply to PHI that is in the possession of subcontractors or agents of Agent/Subcontractor.

ii) In the event Agent/Subcontractor determines returning or destroying the PHI is infeasible, Agent/Subcontractor shall provide to Business Associate notification of the conditions that make return or destruction infeasible. Upon written notification that return or destruction of PHI is infeasible, Agent/Subcontractor shall extend the protections of this Agreement to such PHI and limit further uses and disclosures of PHI for so long as Agent/Subcontractor maintains such PHI.

X) Miscellaneous

a) Regulatory References. A reference in this Agreement to a section in the HIPAA Rules means the section as in effect or as amended.

b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Business Associate to comply with the requirements of its Business Associate Agreement, HIPAA, applicable Regulatory References and other federal or state laws and regulations.

c) Survival. The respective rights and obligations of Agent/Subcontractor under Section IX (Term and Termination) of this Agreement shall survive termination of this Agreement.

d) Interpretation. Any ambiguity in this Agreement shall be resolved to the extent reasonable to permit Business Associate to comply with HIPAA.

e) Conflicts. To the extent a conflict exists between this Agreement and the Underlying Services Agreement, the terms and conditions of this Agreement shall take precedence.

IN WITNESS WHEREOF, Business Associate and Agent/Subcontractor have caused this Agreement to be signed and delivered by their duly authorized representatives, as of the date set forth below.

SUPPLIER:                                   [Micro Focus Contracting Entity]

Authorized Representative                   Authorized Global Procurement Representative

Date                                        Date

Printed name                                Printed name

Title                                       Title

APPENDIX 3 TO ADDENDUM 2

Requirements of Section 11 German Federal Data Protection Act ("FDPA")

1. In order to fully comply with mandatory provisions of Section 11 FDPA regarding the commissioning of the data importer as a processor under the national laws applicable to the data exporter, the parties agree on the following amendments to the Standard Contractual Clauses:

(a) Data importer will rectify, delete and/or block personal data if so instructed by data exporter.

(b) Data importer shall control, in an appropriate way, compliance with its data protection obligations and provide related reports to data exporter.

(c) Data exporter shall have the right to control compliance of data importer with its data protection obligations (especially with the technical and organizational measures) by adequate and reasonable means (e.g., by requesting information or audit reports regarding the data importer's data processing systems), it being understood that such measures may only relate to information and data processing systems that are relevant to the services. Data importer shall support data exporter in carrying out such controls to the reasonably necessary extent. Upon request the data importer shall prove to the data exporter that the technical and organizational measures agreed in Appendix 2 have been implemented.

(d) Data importer shall notify data exporter, without undue delay, if it holds that an instruction violates applicable law. Upon such notification, data importer shall have the right to refrain from or discontinue (as the case may be) carrying out the instruction until data exporter has confirmed or changed the instruction. Data importer will notify the data exporter about all requests by data subjects to access, delete or block personal data, about all complaints by data subjects and objections of competent data protection authorities and all other risks and violations.

(e) Data importer shall ensure that any of its or any of its subcontractors’ personnel entrusted with processing personal data under these Clauses (i) have undertaken to comply with the principle of data secrecy (i.e. to not collect, process or use personal data without authorization), and (ii) have been duly instructed on the protective regulations of the applicable data protection laws.

(f) Data importer shall notify data exporter of the contact details of the data importer’s data protection official (if one was appointed).

(g) Data exporter shall have the right to instruct data importer, both on a general and a case-specific basis, regarding the "if" and "how" of the collection, processing and use of personal data in connection with the services. Instructions may also relate to the rectifying, deletion and blocking of data. Instructions shall be given as a rule, except where the urgency or other circumstances require that an instruction be given in a different form (e.g., orally, per e-mail etc.).

(h) Unless otherwise instructed by the data exporter, the data importer may return all data being the subject of this agreement to the data exporter at the end of the contract and refrain from any further processing and use of the data, if possible for the data importer without violating its own legal duties.

(i) The term of these Clauses corresponds to the term of the Commercial Agreement entered into by data exporter and data importer. These Clauses shall automatically terminate upon any termination or expiration of the Commercial Agreement.

2. If and to the extent necessary to comply with mandatory provisions regarding the commissioning of the data importer as a processor under the national laws applicable to the data exporter, data exporter may propose any necessary amendments to these provisions. Such amendments are deemed accepted by the data importer if it does not reject the changes within four weeks after having received a notification of the amendments. The data importer shall be informed about this consequence in the notification. If disputed, the necessity of an amendment shall be deemed proven if the data exporter presents a respective order (which may be informal) by a competent regulator. The data exporter is not obliged to demand that the regulator issues a formal order, or to challenge an informal order.

3. In the event of inconsistencies between this appendix and the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail. Provisions of this appendix shall however remain valid to the extent that they do not contradict but merely amend the provisions of the Standard Contractual Clauses.

4. Should any provision or condition of this Model Contract be held or declared invalid, unlawful or unenforceable by a competent authority or court, then the remainder of this Model Contract shall remain valid. Such an invalidity, unlawfulness or unenforceability shall have no effect on the other provisions and conditions of this Model Contract. The provision or condition affected shall be either (i) amended to an extent that ensures its validity, lawfulness and enforceability, while preserving the parties' intentions, or (ii) construed in a manner as if the invalid, unlawful or unenforceable part had never been contained therein.