Annex 2 to Restricted Transfer Addendum: Technical and Organizational Measures

Last updated: July 22, 2025

Description of the technical and organizational measures implemented by the parties (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Adagio's technical and organizational measures are available at https://adagio.io/legal/tom and are hereby incorporated by reference, and will control in the event of a conflict with this Annex 2 as long as such measures are at least as protective as those set forth in this Annex 2. Adagio may update these measures from time to time, provided that such updates maintain or enhance the overall level of protection.

Each Party agrees to the following Information Security Policies and Standards:

1. Each party will implement security requirements for such party’s personnel and all subcontractors or agents who have access to Personal Data. These are designed to:

1.1 Prevent unauthorized persons from gaining access to Personal Data processing systems (physical access control);

1.2 Prevent Personal Data processing systems being used without authorization (logical access control); 

1.3 Ensure that persons entitled to use a Personal Data processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control);

1.4 Ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control);

1.5 Ensure the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Data Processing (entry control);

1.6 Ensure that Personal Data are Processed solely in accordance with the Data Exporter’s instructions (control of instructions);

1.7 Ensure that Personal Data are protected against accidental destruction or loss (availability control); and

1.8 Ensure that Personal Data collected for different purposes can be processed separately (separation control).

2. Each party will ensure that these requirements are kept up to date, and revised whenever relevant changes are made to the information system that uses or houses Personal Data, or to how that system is organized.

3. Physical Security

3.1 Each party will maintain commercially reasonable security systems at all sites at which an information system that uses or houses Personal Data is located.

3.2 Each party will reasonably restrict access to such Personal Data appropriately.

3.3 Physical access control has been implemented for all of the applicable party’s data centers. Unauthorized access is prohibited through 24x7 onsite staff, biometric scanning and security camera monitoring. Data Center physical security is audited by an independent firm.

3.4 Surveillance cameras and security monitoring by building management are implemented.

4. Organizational Security

4.1 When media is to be disposed of or reused, the parties’ respective procedures have been implemented to prevent any subsequent retrieval of any Personal Data stored on them before they are withdrawn from the inventory. When media are to leave the premises at which the files are located as a result of maintenance operations, the parties’ respective procedures have been implemented to prevent undue retrieval of Personal Data stored on them.

4.2 Each party will implement and maintain security policies and procedures to classify sensitive information assets, clarify security responsibilities and promote awareness for employees.

4.3 Each party will manage all Personal Data security incidents in accordance with its established incident response procedures and applicable law, including any mandatory notification requirements. The parties shall notify each other without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data security incident affecting the other party's Personal Data, unless the Personal Data security incident is unlikely to result in a risk to the rights and freedoms of natural persons.

5. Network Security
Each party will maintain network security using commercially available equipment and industry standard techniques, including firewalls, intrusion detection systems, access control lists and routing protocols. 

6. Access Control

6.1 Only authorized staff can grant, modify or revoke access to an information system that uses or houses Personal Data.

6.2 Each party’s user administration procedures: define user roles and their privileges, and how access is granted, changed, and terminated; address appropriate segregation of duties; and define the logging/monitoring requirements and mechanisms.

6.3 All employees will be assigned unique User-IDs.

6.4 Each party will implement access rights adhering to the “least privilege” approach.

6.5 Each party will implement commercially reasonable physical and electronic security controls to create and protect passwords.

7. Virus and Malware Controls
Each party will install and maintain anti-virus and malware protection software on their systems.

8. Personnel

8.1 Each party will implement a security awareness program to train personnel about their security obligations. This program includes training about data classification obligations, physical security controls, security practices, and security incident reporting.

8.2 Each party will have clearly defined roles and responsibilities for such party’s employees. Screening is implemented before employment with terms and conditions of employment applied appropriately.

8.3 Each party will require its employees to strictly follow established security policies and procedures. A disciplinary process will be applied if employees commit a security breach.

9. Business Continuity

9.1 Each party will implement appropriate disaster recovery and business resumption and continuity plans and will review such plans and related risk assessments regularly.

9.2 Such plans will be tested and updated regularly by the applicable party to ensure that they are up to date and effective.