PITCHED
Incorporating Pitched Applications Limited and Pitched Booking Limited
Technical and Organisational Security Measures
(Including Technical and Organisational Measures to Ensure the Security of Data)
Below is a description of the technical and organisational measures implemented by the Processor (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Where applicable this Exhibit B will serve as Annex II to the SCCs.
| Measure | Description |
| --- | --- |
| Measures of pseudonymisation and encryption of Personal Data | For the purpose of transfer control, an encryption technology is used (e.g. remote access to the company network via two factor VPN tunnel and full disk encryption). The suitability of an encryption technology is measured against the protective purpose. The Controller is assigned a unique encryption key, generated using a FIPS 140-2 compliant crypto library, which is used to encrypt and decrypt all of the Controller’s archived data. In addition to the unique encryption keys, all data being written to the storage grid includes the Controller’s unique account code. The Processor’s systems that write data to the storage grid retrieve the encryption key from one system and the customer code from another, which serves as a cross check against two independent systems. The Controller’s encryption key is further encrypted with a Processor key stored within a centralised and restricted key management system. In order for the Processor to access Personal Data via the master key, the key management system provisions individual keys following a strict process of approval that includes multiple levels of executive authorisation. Use of these master encryption keys is limited to senior production engineers and all access is logged, monitored, and configured for alerting by security via a centralised Security Information and Event Management (“SIEM”) system. The Controller’s archived data is encrypted at rest using AES 256-bit encryption. Data in transit is protected by Transport Layer Security (“TLS”). |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorisation concept. In accordance with the “least privilege” and “need-to-know” principles, each role has only those rights which are necessary for the fulfilment of the task to be performed by the individual person. To maintain data access control, state of the art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk. |
| Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident | All our applications are built stateless by using CloudFormation templates and can be easily recreated in different geographical regions. Data is stored in triplicate across 2 data centres, with 2 separate cross connections. The data centres can be switched in the event of flooding, earthquake, fire or other physical destruction or power outage, to protect Personal Data against accidental destruction and loss. The Processor maintains redundancy throughout its IT infrastructure in order to minimize lack of availability or loss of data. Backups are maintained hourly and daily in accordance with our backup procedures. The Processor maintains a disaster recovery policy and practises executing the policy at least once per calendar year. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | The Processor conducts multiple internal audits. The Processor strives to automate audits; hence the majority of the monitoring of its infrastructure is automated, runs 24/7 and is based on various frameworks (CIS, NIST etc.). The Processor obtains an external security and compliance audit once per calendar year. |
| Measures for user identification and authorisation | Remote access to the data processing systems is only possible through the Processor’s secure VPN tunnel. Users first authenticate to the secure VPN tunnel; after successful authentication, authorisation is executed by providing a unique user name and password to a centralised directory service. All access attempts, successful and unsuccessful, are logged and monitored. |
| Measures for the protection of data during transmission | Data in transit is protected by Transport Layer Security (“TLS”). |
| Measures for the protection of data during storage | Personal Data is only retained internally, and on the third party data centre servers, which are covered by ISO certifications. The Controller’s archived data is encrypted at rest using AES 256-bit encryption and data in transit is protected by Transport Layer Security (“TLS”). |
| Measures for ensuring physical security of locations at which Personal Data are processed | Due to their respective security requirements, business premises and facilities are subdivided into different security zones with different access authorisations. Third party data centres are monitored by security personnel. Access for employees is only possible with an encoded ID with a photo on it. All other persons have access only after having registered beforehand (e.g. at the main entrance). Access to special security areas for remote maintenance is additionally protected by a separate access area. The constructional and substantive security standards comply with the security requirements for data centres. |
| Measures for ensuring events logging | System inputs are recorded in the form of log files; it is therefore possible to review retroactively whether and by whom Personal Data was entered, altered or deleted. |
| Measures for ensuring system configuration, including default configuration | Our system configuration is based on the Security Technical Implementation Guides (STIG). System configuration is applied and maintained by software tools that ensure the system configurations do not deviate from the specifications. Deviations will be fixed automatically and reported to our SOC. |
| Measures for internal IT and IT security governance and management | Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems. The Controller’s Personal Data is stored in a way that logically separates it from other customer data. |
| Measures for certification/assurance of processes and products | The Processor utilises third party data centres that maintain current ISO 27001 certifications. The Processor will not utilise third party data centres that do not maintain the aforementioned certifications and/or attestations, or other substantially similar or equivalent certifications and/or attestations. Upon the Controller’s written request (no more than once in any 12-month period), the Processor shall provide, within a reasonable time, a copy of the most recently completed certification and/or attestation reports (to the extent that to do so does not prejudice the overall security of the Services). Any audit report submitted to the Controller shall be treated as Confidential Information and subject to the confidentiality provisions of the Agreement between the parties. |
| Measures for ensuring data minimisation | If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the first instance and is then deleted for good with a certain delay. This is done in order to prevent accidental deletions or possible intentional damage. |
| Measures for ensuring data quality | All of the data that the Processor possesses is provided by the Controller. The Processor does not assess the quality of the data provided by the Controller. The Processor provides reporting tools within our product to help the Controller understand and validate the data that is stored. |
| Measures for ensuring limited data retention | The Processor uses a data classification scheme for all data that it stores and our retention policy specifies how each type of data is retained. When a record with Personal Data is deleted then it will be permanently evicted from our active databases. The data is retained in our backups until they are rotated out by more recent backups per the data retention policy. |
| Measures for ensuring accountability | The Processor internally reviews its information security policies semi-annually to ensure they are still relevant and are being followed. All employees that handle sensitive data must acknowledge the information security policies. These employees are re-trained on information security policies once per year. A disciplinary policy is in place for employees that do not adhere to information security policies. |
| Measures for allowing data portability and ensuring erasure | The Services have built-in tools that allow the Controller to export and permanently erase data. |
| Measures to be taken by the (Sub-) processor to be able to provide assistance to the Controller (and, for transfers from a Processor to a Sub-processor, to the Data Exporter). | The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred outside the EEA, the Processor provides that an adequate level of data protection exists at the target location or organisation in accordance with the European Union’s data protection requirements, e.g. by employing contracts based on the EU SCCs. |
