Data Processing Addendum
This Data Processing Addendum was last updated March 10, 2026.
This Data Processing Addendum, including its Schedules, (“DPA”) forms part of the Master Subscription Agreement found at www.aprimo.com/terms between the applicable Aprimo and Customer entities for the purchase of specific software, products and professional services as set out in further detail in such Master Subscription Agreement, including any relevant order forms and statements of work incorporated therein, (“Services”) (and the Master Subscription Agreement defined as the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Personal Data.
In Aprimo providing the Services to Customer pursuant to the Agreement, Aprimo may Process Personal Data on behalf of Customer. Aprimo and Customer hereby agree to the following in relation to such Processing:
TERMS AND CONDITIONS:
1. DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting or ownership interests of the subject entity.
“Aprimo” means the Aprimo entity listed in the Master Subscription Agreement and applicable order forms, statements of work, or other documentation incorporated therein by reference.
“Authorized Affiliate” means any of Customer’s Affiliates which (a) is subject to the Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom; (b) is permitted to use the Services pursuant to the Agreement between Customer and Aprimo; and (c) falls under the jurisdiction of this DPA, as expressly intended by Customer and Aprimo.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer” means the customer entity that executed the Agreement. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and its Authorized Affiliates to the extent required by Data Protection Laws.
“Customer Data” means the data that is uploaded, shared or submitted by or on behalf of Customer in relation to the Services provided by Aprimo pursuant to the Agreement.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including those of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States (including the CCPA).
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Europe” means the European Union, the European Economic Area, Switzerland and the United Kingdom.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
“Personal Data” means any information relating to an identified or identifiable natural person where such information is Customer Data.
“Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
“Regulator” means a government agency or law enforcement authority.
“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“Sub-processor” means any Processor engaged by Aprimo, or if and to the extent applicable, an Aprimo Affiliate and may include Aprimo Affiliate(s) themselves as may be required by Data Protection Laws.
2. PROCESSING OF PERSONAL DATA
2.1 Customer’s Obligations. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. Customer shall ensure it provides or otherwise obtains any required notices and/or consents from Data Subjects under Data Protection Laws such that Aprimo may lawfully Process Personal Data. Further, Customer’s instructions to Aprimo for the Processing of Personal Data shall at all times comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquires Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject or violate Data Protection Laws. Customer agrees not to Process, or allow the Processing of, any Customer Data in connection with the Services that (i) would subject Aprimo to compliance obligations under the Payment Card Industry Data Security Standards (“PCI DSS”); or (ii) qualifies as Protected Health Information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”) or any similar laws or regulations, unless explicitly agreed to in writing by Aprimo. The foregoing restriction includes, without limitation, the Processing of bank account numbers and credit card numbers with the Services.
2.2 Aprimo’s Obligations. Aprimo shall treat Personal Data as “Confidential Information” (as such term is defined in the Agreement) and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement, including specifically the applicable order forms, statements of work, or similar written instruments as expressly agreed to by Aprimo and Customer; (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer, including through e-mail, where such instructions are consistent with the terms of the Agreement and any rights and obligations therein. Furthermore, Aprimo may Process Personal Data in order to comply with Data Protection Laws, including to prevent fraudulent or illegal activity.
2.3 Details of the Processing. The Processing of Personal Data by Aprimo shall only relate to the provision of the Services as outlined in the Agreement and this DPA. Additional details regarding the duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects involved, are further described in Attachment I of this DPA.
2.4 Customer Instructions. Aprimo shall inform Customer immediately (i) if, in its reasonable opinion, an instruction from Customer constitutes a breach of Data Protection Law; or (ii) if Aprimo is unable to follow Customer’s instructions for the Processing of Personal Data due to the possibility that it will cause Aprimo to violate law, regulation or similar.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Request. Aprimo shall (where not prohibited by law) promptly notify Customer of any request it has received from a Data Subject (“Data Subject Request”). Aprimo shall not respond to a Data Subject Request and shall provide reasonable cooperation to Customer in responding to such Data Subject Request, including by providing the information reasonably necessary to respond to such Data Subject Request.
3.2 Required Assistance. Taking into account the nature of the Processing, Aprimo shall assist Customer by implementing and ensuring it maintains appropriate technical and organizational measures consistent with the requirements set forth in Data Protection Laws.
4. PERSONNEL AND DATA PROTECTION OFFICER
4.1 Confidentiality, Reliability and Limitation of Access. Aprimo shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.
4.2 Data Protection Officer. Aprimo, or Aprimo’s Affiliate(s), have appointed a data protection officer. The appointed person may be reached at SecurityTeam@Aprimo.com.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors. Aprimo itself, or Aprimo’s Affiliates (depending upon the contracting entity to this DPA and the Agreement) may be retained as Sub-processors. Aprimo or Aprimo’s Affiliates may engage third-party Sub-processors to provide the Services to Customer. Aprimo, or Aprimo’s Affiliate (as applicable), has entered into a written agreement with each Sub-processor containing data protection obligations no less protective than those required by Data Protection Laws.
5.2 List of Sub-processors and Notification of New Sub-processors. Aprimo’s current list of Sub-processors is annexed hereto as Attachment III. Customer hereby consents to these Sub-processors, their locations and processing activities. Aprimo shall provide reasonable notice through a notification (via e-mail, through the Aprimo software, or otherwise) of any additional Sub-processor prior to authorizing any such Sub-processor(s) to Process Personal Data.
5.3 Objection Right for New Sub-processors. Customer may object to Aprimo’s use of an additional Sub-processor by notifying Aprimo promptly in writing within fifteen (15) days of receipt of Aprimo’s notice. If Customer objects to the additional Sub-processor, Aprimo will use reasonable efforts to make available to Customer a change in the to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Aprimo is unable to make available such change within a reasonable period of time, Customer may terminate the applicable part of the Services with respect only to those Services which cannot be provided by Aprimo without the use of the objected-to Sub-processor by providing written notice to Aprimo.
5.4 Liability. Aprimo shall be liable for the acts and omissions of its Sub-processors to the same extent Aprimo would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
6. CERTIFICATIONS; AUDIT; IMPACT ASSESSMENT
6.1 Certification. Upon Customer’s written request, Aprimo shall make available the information reasonably necessary to demonstrate compliance with this DPA. Upon Customer’s written request which shall be made no more than once in any given twelve (12) month interval, provided this DPA remains in effect, and subject to the confidentiality obligations set forth in the Agreement, Aprimo shall provide a copy of its then current third-party SOC 2 Type II audit report that Aprimo generally makes available to its customers at the time of such request.
6.2 Audit. Where required by Data Protection Laws, Aprimo shall allow Customer to audit Aprimo solely to demonstrate its compliance with this DPA. Such audit may include inspections and assessments conducted by Customer. With respect to any assessment or audit that is conducted: (i) the timing and scope shall be mutually agreed to by Aprimo and Customer; (ii) the assessment or audit shall be conducted during regular business hours of Aprimo; (iii) Customer shall not have access to Aprimo’s internal systems; and (iv) the audit shall take place not more than once in any twelve (12) month period. The scope of such audit must also be reasonably tailored to verify only Aprimo’s compliance with this DPA, and shall not be permitted for any other purpose.
6.3 Data Protection Impact Assessment. Upon Customer’s request, Aprimo shall provide Customer with cooperation reasonably necessary to fulfill Customer’s obligation under Data Protection Laws to carry out a data protection impact assessment in relation to the Services.
7. SECURITY INCIDENT NOTIFICATION
7.1 Notification. In the event Aprimo becomes aware of a confirmed security breach of Customer’s Personal Data, Aprimo will notify Customer without undue delay. Aprimo shall provide information reasonably requested by Customer in connection with such breach. Aprimo will provide reasonable assistance to Customer as may be necessary for Customer to satisfy any of its notification obligations imposed under Data Protection Laws in connection with such breach. Aprimo shall also act reasonably in remediating and/or taking action that is reasonably necessary to prevent such breach from reoccurring.
8. REGULATORS
8.1 Assistance with Regulators. To the extent required by Data Protection Laws, Aprimo will provide Regulators with the information and assistance reasonably necessary to investigate security breaches relating to Customer Personal Data. Aprimo will provide Regulators with information and assistance reasonably necessary to demonstrate that the Services comply with Data Protection Laws to the extent that a Regulator’s request concerns the processing of Customer Personal Data under the Agreement and this DPA.
9. RETURN AND DELETION OF CUSTOMER DATA
9.1 Data Deletion. Prior to, or upon expiration or termination of the Agreement, Aprimo shall at the request of Customer in accordance with Aprimo’s then existing data retention and data return policies and procedures: (i) return Customer Data to Customer; or (ii) delete Customer Data. For the avoidance of doubt, immediately following termination or expiration of the Agreement, Aprimo shall have no obligation to store or hold on to Customer Data, unless expressly agreed to in the Agreement. Until Customer Data is deleted or returned, Aprimo shall continue to comply with this DPA.
9.2 Data Return. If Customer has purchased certain software as part of the Services, Customer may be given the ability to download Customer Data for the duration of the active subscription for such software while the valid order form, statement of work, or similar agreement for such software remains in effect.
10. AUTHORIZED AFFILIATES
10.1 Authorized Affiliate Rights and Relationship. To the extent required by law, Authorized Affiliates may only exercise any rights as a Controller in respect to this DPA, through the Customer entity which has signed the Agreement, provided however, only to the extent Authorized Affiliates have established any rights under this DPA pursuant to applicable law and are intended beneficiaries under the Agreement. Any communications relating to any complaint, allegation or claim arising in connection with this DPA, may only be communicated to and discussed with Aprimo by the Customer entity that has signed the Agreement with Aprimo. This DPA itself does not and is not intended to establish direct rights of Authorized Affiliates regarding the provision of the Services.
11. LIMITATION OF LIABILITY
11.1 Limits on Liability. The aggregate liability of each of Aprimo and Customer and their respective Affiliates, collectively, arising from or related to this DPA, regardless of the legal basis (contract, tort, or otherwise), is governed by the ‘Limitation on Liability’ (or similar) section of the Agreement. References to a party’s liability in that section apply to the total combined liability of that party and its Affiliates under the Agreement and this DPA collectively.
For clarity, Aprimo’s and its Affiliates’ total liability for all claims by Customer and its Authorized Affiliates under the Agreement and this DPA is a single aggregate limit, covering all claims collectively under both the Agreement and the DPA. This limit does not apply separately to each Authorized Affiliate or the Customer as individual contractual parties to any DPA.
12. EUROPE SPECIFIC PROVISIONS
12.1 Definitions. For the purposes of this section 12, these terms shall be defined as follows:
“European Personal Data” means the Personal Data subject to European Data Protection Laws.
“European Data Protection Laws” means the Data Protection Laws applying in Europe.
“SCC Module 2 and/or 3” means Standard Contractual Clauses, Module Two (Controller-to-Processor) and Module Three (Processor-to-Processor), respectively.
“Third-Country Transfer” means a transfer of European Personal Data that is not subject to an adequacy decision by the European Commission.
12.2 GDPR. Aprimo will Process Personal Data in accordance with the GDPR requirements directly applicable to Aprimo’s provision of its Services.
12.3 Transfer mechanisms for data transfers. If, in the performance or use of the Services, European Personal Data is subject to a Third-Country Transfer, and the Standard Contractual Clauses are required by European Data Protection Laws to lawfully transfer European Personal Data, the SCC Module 2 and/or 3 transfer mechanisms shall apply in Aprimo’s Processing of Personal Data in relation to the Services.
In relation to where the SCC Module 2 and/or 3 apply, the following shall be established, to the maximum extent permitted by Data Protection Law, provided that the following does not conflict with the Standard Contractual Clauses:
Clause 7 of the Standard Contractual Clauses: The optional “Docking clause” shall apply.
Clause 8.5 of the Standard Contractual Clauses: Section 9 of this DPA shall govern the rights and obligations regarding the deletion of Customer Data and Personal Data in connection therewith.
Clause 8.9 of the Standard Contractual Clauses: Section 6 of this DPA shall govern Customer’s right to audit Aprimo under this DPA.
Clause 9(a) of the Standard Contractual Clauses: Section 5 of this DPA shall govern Aprimo’s use of Sub-processors. For the avoidance of doubt, Customer hereby grants to Aprimo general written authorization to engage Sub-processors in order to provide the Services.
Clause 11(a) of the Standard Contractual Clauses: The optional paragraph shall not apply.
Clause 13(a) of the Standard Contractual Clauses: The version of clause 13(a) that applies to Customer shall be included, and if, in accordance with the provisions of such clause 13(a), the Customer and Aprimo may select the applicable Supervisory Authority, such Supervisory Authority shall be that of Ireland.
Clauses 14(f), 16(b) and 16(c) of the Standard Contractual Clauses: Where Customer exercises any of its rights to suspend the processing of Personal Data within the Services or its right to terminate any specific Services pursuant thereto, Customer shall notify Aprimo in writing setting out in sufficient detail the material non-compliance and the basis for such determination (including identifying the provisions of the Standard Contractual Clauses with which, in Customer’s reasonable opinion, there is a material non-compliance by Aprimo and the applicable laws and practices that are not met). Within 30 days after receipt of such notice or any other timeframe agreed by the parties, if Aprimo does not: (i) demonstrate that such material non-compliance is not in breach of the Standard Contractual Clauses or (ii) make available to Customer a change in the specific Services or Customer’s use or configuration of the Services that remedies such material non-compliance, then Customer may terminate the specific Services.
Clause 15.1(a) of the Standard Contractual Clauses: Any and all communications, instructions, notifications, enquiries, requests, correspondence, co-operation, requests and assistance needs between Aprimo and Customer shall be made exclusively through Aprimo and Customer.
Clause 17 of the Standard Contractual Clauses: Except as otherwise expressly agreed in writing, Option 1 shall apply and the governing law shall be that of Ireland.
Clause 18(b) of the Standard Contractual Clauses: The applicable jurisdiction shall be deemed Ireland.
Annex I: The details for Annex I are set out in Attachment 1 of this DPA.
Annex II: The details for Annex II are set out in Attachment 2 of this DPA.
Annex III: The details for Annex III are set out in Attachment 3 of this DPA.
Further, where data transfers are governed by United Kingdom Data Protection Laws, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “Approved Addendum”) issued and approved by the ICO and effective as of 21st of March 2022 shall apply and is fully restated and incorporated herein by reference. The information required to complete the relevant tables in the Approved Addendum shall be deemed completed based upon and consistent with the terms and conditions set forth in this DPA, and in particular, this Section 12, as well as the information set forth in the attachments incorporated by reference. In relation to the Approved Addendum, the following shall apply:
- The Approved Addendum is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales;
- The party details as set out in Part A of Attachment 1 to this DPA, inserted in Table 1 (Parties) of such UK Addendum;
- The first option in Table 2 of the Approved Addendum to clarify that the Approved Addendum incorporates the EU Standard Contractual Clauses;
- The list of parties and the description of the transfer of personal data, each as set out in Part A and B of Attachment 1 to this DPA, inserted in Table 3 (Appendix Information) of the Approved Addendum;
- The description of the technical and organizational security measures set out in Attachment 2 to this DPA, inserted in Table 3 (Appendix Information) of the Approved Addendum;
- The list of sub-processors as set out in Attachment 3 to this DPA, inserted in Table 3 (Appendix Information) of the Approved Addendum; and
- The option “Exporter” set out in Table 4 of the Approved Addendum.
13. COMPLIANCE
13.1 Compliance with Laws. If either party determines that any applicable laws prevent its compliance with this DPA, it will promptly notify the other party and attempt to recommend or implement changes to the Processing or Services to address any legal or regulatory concerns. If no feasible solution is available, the Customer may terminate the affected Service or suspend data transfers.
ATTACHMENT I
A. LIST OF PARTIES
Data exporter(s):
- Name: Customer
- Address: As set out in the Agreement and/or Order Form(s) above.
- Contact person’s name, position and contact details: Set out in the Agreement above.
- Activities relevant to the data transferred under these Clauses: Digital Asset Management, Software as a Service and related professional services, if set forth in the Agreement.
- Role: controller and data exporter.
Data importer(s):
- Name: The Aprimo entity set forth in the Agreement.
- Address: The Aprimo address set forth in the Agreement.
- Contact person’s name, position and contact details: Darren Del Duco, DPO darren.delduco@aprimo.com with a copy to SecurityTeam@Aprimo.com.
- Activities relevant to the data transferred under these Clauses: Digital Asset Management, Software as a Service and related professional services, if set forth in the Agreement.
- Role: Processor and importer.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Customer may submit Personal Data to the Services, the extent of which is determined exclusively by the Customer, provided Customer is compliant with the terms of the Agreement. Data Subjects may include, without limitation: Employees, contractors and/or other individuals who may be authorized to receive or participate in the receiving of Services from Aprimo, such as “end users” who access Aprimo’s software.
Categories of personal data transferred
- Individual Name (First and Last);
- Individual Business Email;
- Employer;
- Geo-location;
- Login time;
- Audit Analytics;
- Photos, videos and other types of images (whether static or in-motion) of individuals (if applicable, at Customer’s discretion);
- Other Personal Data contained within Customer’s data assets or intellectual property that is processed as part of the Services, including, but not limited to, data assets uploaded by Customer to Aprimo’s platform.
- Only applicable for specific instances where certain Artificial Intelligence products and features are used: Aprimo may use Microsoft Corporation face recognition technology to process Customer’s users’ biometric data as its service provider or Sub-processor. Microsoft may process and store face templates for the purposes of providing face verification and/or identification services on Aprimo’s behalf.
Frequency of personal data transferred
- Continuous basis for the duration of the Agreement, as agreed between Aprimo and Customer.
Nature of the processing
- To provide the Services described in this Agreement.
Purpose(s) of the data transfer and further processing
- To provide the Services described in the Agreement, in accordance with instructions provided by Customer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- Personal Data will be retained for the duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Ireland Data Protection Commission
ATTACHMENT II
Aprimo maintains the following technical, organizational measures to ensure the security of Personal Data:
| Measures of pseudonymisation and encryption of personal data | • Pseudonymization, where possible; • Encryption at rest and encryption in transit; • Limited timespan for using personal data “in the clear” (i.e., in identifiable form); |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | • Confidentiality arrangements; • Information security policies and procedures; • Backup procedures; • Remote storage; • Mirroring of hard disks (e.g., RAID technology); • Uninterruptible power supply; • Anti-virus/firewall protection, security patch management; • Intrusion prevention, monitoring and detection; • Availability controls to protect personal data against accidental destruction or loss; |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | • Business continuity plan; • Disaster recovery procedure; • Incident response plan; |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | • Internal and external audit program, audit reports and documentation; • Testing of back up processes and business continuity procedures; • Risk evaluation and system monitoring on a regular basis; • Vulnerability and penetration testing on a regular basis; |
| Measures for user identification and authorisation | • Internal policies and procedures; • User authentication controls, including secure methods of assigning, selecting and storing access credentials and blocking access after a reasonable number of failed authentication access; • Restricting access to certain users; • Access granted based on a need-to-know, supported by protocols for access authorization, establishment, modification and termination of access rights; • Logging and reporting systems; • Control authorization schemes; • Differentiated access rights (profiles, roles, transactions and objects); • Monitoring and logging of accesses; • Disciplinary action against employees who access personal data without authorization; • Reports of access; • Access procedure; • Change procedure; |
| Measures for the protection of data during transmission | • Encryption in transit; • Pseudonymization, where possible; • Transport security; • Network segregation; • Logging; • Electronic signatures; |
| Measures for the protection of data during storage | • Encryption at rest; • Access controls; • Separation of databases and logical segmentation of Customer personal data from data of other vendor customers; • “Internal client” concept / limitation of use; • Segregation of functions (production/testing); • Procedures for storage, amendment, deletion, transmission of data for different purposes; • Process Personal Data in multiple separate locations or by using multiple parties; |
| Measures for ensuring physical security of locations at which personal data are processed | • Establishing security areas, restriction of access paths; • Establishing access authorizations for employees and third parties with a need-to-know; • Access control system (ID reader, magnetic card, chip card); • Key management, card-keys procedures; • Door locking (electric door openers etc.); • Security staff, janitors; • Surveillance facilities, video/CCTV monitor, alarm system; • Securing decentralized processing equipment and personal computers; |
| Measures for ensuring events logging | • User identification and authentication procedures; • ID/password security procedures (special characters, minimum length, change of password); • Automatic blocking (e.g., password or timeout); • Monitoring of break-in attempts and automatic turn-off of the user ID upon several erroneous password attempts; • Creation of one master record per user; • Encryption and pseudonymization; |
| Measures for ensuring system configuration, including default configuration | • Up-to-date baseline configuration documentation and settings; |
| Measures for internal IT and IT security governance and management | • Information security policies and procedures; • Incident response plan; • Regular internal and external audit; • Review and supervision of information security program; |
| Measures for certification/assurance of processes and products | • ISO27001 comply with requirements but not certified • SOC II |
| Measures for ensuring data minimisation | • Documentation regarding which data categories need to be processed; • Ensure that the minimum amount of data is processed to fulfill the purpose of the processing; • Personal data is stored in the EU or US and only remote access or view-only access is enabled; |
| Measures for ensuring data quality | • Personal data is kept accurate and up to date; • Data is corrected upon request or where necessary; |
| Measures for ensuring limited data retention | • Records retention schedule; • Data retention policy; • Personal data is deleted or irreversibly anonymized after expiration of the retention period; |
| Measures for ensuring accountability | • Internal policies and procedures; • Privacy by design and by default; • Records of data processing activities; • Privacy Impact Assessments, where required; • Adequate agreements with third parties; • Criteria for selecting the sub-processors; • Vendor onboarding process and questionnaire; • Monitoring of contract performance; • Information Security training program; |
ATTACHMENT III
| Name of a Sub-processor | Processing Activities | Location of Subprocessor |
|---|---|---|
| Microsoft Corporation | Hosting Provider; Operations; Support; and Enablement of Artificial Intelligence Features (Only applicable where customer purchases certain AI products) | USA and/or EEA |
| Service Now, Inc. | Customer Support Portal | USA |
| Pendo | Operations, Support, R&D | USA |
| Aprimo Philippines Inc. | Operations, Support, R&D | Philippines |
| Aprimo Marketing Operations UK Ltd. (if Aprimo’s contracting entity is Aprimo US LLC) | Operations, Support, R&D | United Kingdom |
| Aprimo US LLC (if Aprimo’s contracting entity is Aprimo Marketing Operations UK Ltd.) | Operations, Support, R&D | USA |
| Aprimo Australia Pty Ltd | Operations, Support, R&D | Australia |
| Aprimo Belgium NV | Operations, Support, R&D | Belgium |
| Salesforce, Inc. | Information management | USA |
| Hubspot, Inc. | Information Management | USA |
| PlanHat | Information Management | Sweden |
| Posh | Operations, Support | USA |
| Bria Artificial Intelligence, Ltd. | Enablement of Artificial Intelligence Features (Only applicable where customer purchases certain AI products) | Israel/USA |
| Fastly, Inc. | CDN Provider | USA |
| Coresolute | Operations, Support | USA |
| CI Hub, GmbH | Enablement of specific features/capabilities (if applicable) | Germany |
| Solutions Plus, Inc | Enablement of specific features/capabilities (if applicable) | USA |