Technical and Organisational Security Measures

  1. Access Controls. Policies, procedures, and physical and technical controls to:
    1. limit physical access to its information systems, data processing equipment, data processing systems, and the facility or facilities in which they are housed to properly authorised persons;
    2. ensure that all members of its workforce who require access to the Buyer Data have appropriately controlled access and will maintain the confidentiality of the Buyer Data, and to prevent those workforce members and others who should not have access from obtaining access;
    3. authenticate and permit access only to authorised individuals and to prevent members of its workforce from providing the Buyer Data or information relating thereto to unauthorised individuals;
    4. encrypt and decrypt the Buyer Data where appropriate;
    5. provide for the use of pseudonymization where appropriate; and
    6. ensure that data collected for different purposes can be processed separately.
  2. Security Awareness and Training. A security awareness and training program for all members of Katanox’s workforce (including management) who have access to the Buyer Data, which includes training on how to implement and comply with its Information Security Program.
  3. Security Incident Procedures. Policies and procedures to detect, respond to, and otherwise address Security Incidents (as defined herein), including procedures to monitor systems and to detect actual and attempted attacks on or intrusions into the Buyer Data or information systems relating thereto, and procedures to identify and respond to suspected or known security or privacy incidents, mitigate harmful effects of such incidents, and document such incidents and their outcomes.
  4. Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages the Buyer Data or systems that contain the Buyer Data, including a data backup plan, a Business Continuity Plan ("BCP") and a disaster recovery plan, including measures to ensure the ongoing confidentiality, integrity, availability and resilience of Katanox systems and services, and to ensure the ability to restore the availability and access to the Buyer Data in a timely manner in the event of a physical or technical incident.
  5. Device and Media Controls. Policies and procedures that govern the receipt and removal of hardware and electronic media that contain the Buyer Data into and out of a Katanox facility, and the movement of these items within a Katanox facility, including policies and procedures to address the final disposition of the Buyer Data, and/or the hardware or electronic media on which it is stored, and procedures for removal of Personal Data from electronic media before the media are made available for reuse.
  6. Audit Controls. Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic information, including appropriate logs and reports concerning these security requirements and compliance therewith, and measures to ensure that it is possible to check and establish whether and by whom data have been input into data processing systems or removed.
  7. Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of the Buyer Data and protect it from disclosure, improper alteration, or destruction.
  8. Storage and Transmission Security. Technical security measures to guard against unauthorised access to the Buyer Data that is being transmitted over an electronic communications network, including a mechanism to encrypt Personal Data in electronic form while in transit and at rest in storage on networks or systems to which unauthorised individuals may have access, and to ensure that it is possible to check and establish to which bodies the transfer of Data by means of data transmission facilities is envisaged.
  9. Storage Media. Policies and procedures to ensure that prior to any storage media containing Buyer Data being assigned, allocated or reallocated to another user, or prior to such storage media being permanently removed from a facility, Katanox will irreversibly delete such Buyer Data from both a physical and logical perspective, such that the media contains no residual data, or if necessary physically destroy such storage media such that it is impossible to recover any portion of data on the media that was destroyed. Katanox shall maintain an auditable program implementing the disposal and destruction requirements set forth in this Section for all storage media containing Buyer Data.
  10. Assigned Security Responsibility. Katanox shall designate a security official responsible for the development, implementation, and maintenance of its Information Security Program. Katanox shall inform Katanox as to the person responsible for security.
  11. Testing. Katanox shall regularly test, assess, and evaluate the key controls, systems and procedures of its Information Security Program to ensure that they are properly implemented and effective in addressing the threats and risks identified and protecting the Buyer Data. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
  12. Adjust the Program. Katanox shall monitor, evaluate, and adjust, as appropriate, the Information Security Program in light of any relevant changes in technology or industry security standards, the sensitivity of the Personal Data, internal or external threats to Katanox or the Buyer Data, and Katanox’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.