Schedule 3: Security Measures

Scaleflex will implement and maintain the following Security Measure to adequately protect Customer’s Personal Data. Customer understands and agrees that these Security Measures are subject to technical progress and development and Scaleflex is therefore expressly allowed to implement adequate alternative measures as long as the general security level described in this Schedule 3 is maintained:

1. Technical measures

1.1. Access control. Scaleflex shall prevent unauthorised access to data processing systems. Personnel shall only have access to Customer data when it’s necessary for them to perform their job. Customer data shall not be read, copied, modified or deleted without authorization.

1.2. Entry control. Scaleflex shall prevent that data processing systems can be accessed by unauthorised parties.

1.3. Logging control. Scaleflex shall ensure that all events in the data processing systems can subsequently be checked.

1.4. Transmission control. Scaleflex shall ensure that Personal Data cannot be read, copied, altered or removed without authorization during electronic transmission.

1.5. Data at rest. Scaleflex shall ensure the appropriate encryption of data at rest.

1.6. Data in transit. Scaleflex shall ensure that data over the public internet is encrypted at rest according to industry best practices.

1.7. Separation control. Scaleflex shall ensure that data collected for various purposes are processed separately.

1.8. Reliability control. Scaleflex shall ensure that all functions of the data processing system are available and occurring malfunctions are notified.

1.9. Integrity control. Scaleflex shall ensure that stored Personal Data cannot get damaged by malfunctions of the system or that damaged data can be replaced by the original and correct data.

1.10. Availability control. Scaleflex shall ensure that Personal Data is protected against unintentional destruction or loss and therefore available for the Customer.

1. Organisational measures

2.1. Admission Control. Scaleflex shall prevent unauthorised persons from gaining access to Scaleflex premises.

2.2. Security and awareness training. Scaleflex shall maintain a security awareness program that includes the appropriate training of personnel on Scaleflex' security policies.

2.3. Personnel screening. Criminal background checks shall be performed for all employees before hiring. Additionally, Scaleflex will ensure that all employees have executed written confidentiality agreements.

2.4. Information security management process. Scaleflex shall maintain established documentation covering the Scaleflex information security management system.

2.5. Business continuity management process. Scaleflex shall maintain a business continuity management system, that defines the processes and procedures in the event of a disaster, including the testing and reviewing of the disaster recovery plans.

2.6. Regular evaluation of Security Measures. Scaleflex shall ensure a process for regular testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure a level of security appropriate to the risk of processing.