Annex A: Technical and Organisational measures
[PRIVACY_3] Created on: 01.01.2024 - Last modified / reviewed: 15.09.2025
ANNEX A: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Data importer will implement and maintain the technical and organisational measures to adequately protect the data exporter’s Personal Data as further described in the DPA. Data exporter understands and agrees that these technical and organisational measures are subject to technical progress and development and Scaleflex is therefore expressly allowed to implement adequate alternative measures as long as the general security level described in the DPA is maintained.
For transfers to (Sub-) Processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a Processor to a Sub-Processor, to the data exporter.
Scaleflex selects its Sub-Processors very carefully, all of which undergo stringent security assessments and intakes. Scaleflex has imposed on them data protection obligations that correspond to the data protection provisions in the contractual relationship between Customer and Scaleflex. Taking into account the state of the art, costs of implementation, and nature of the processing, our Sub-Processors shall maintain appropriate technical and organisational measures to protect Personal Data against accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure, and access (“Security Measures”), including, as appropriate: (a) the pseudonymisation and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and (d) the regular maintenance, testing, assessment, evaluation, and updating of the effectiveness of the Security Measures.