Annex 2

Measures and controls for the security and protection of Company’s Data Subjects personal information
Partner will take reasonable steps to ensure the reliability of any third party acting under its supervision or on its behalf, who may have access to Company’s Data Subjects personal information and will prevent unauthorised persons from gaining any access to Company’s Data Subjects personal information.

Partner shall treat all Company’s Data Subjects personal information as confidential information for as long as it is Partner’s possession or control and, shall not lease, sell or otherwise distribute Company’s Data Subjects personal information.

Partner will not use Company’s Data Subjects personal information for any purpose other than what have been contracted to perform and only use Company’s Data Subjects personal information to the extent necessary for the performance of the Agreement.

Partner will take, at least, the following measures for protecting Company’s Data Subjects personal information from unauthorized use or disclosure on its systems and/or computers (“Systems”):

  • Will maintain Company’s Data Subjects personal information on its Systems separated from personal information of other data subjects that are not related to the Company and/or any Promoted Company.
  • Will use, and regularly update, trusted anti-virus software or programs to protect Partner’s Systems against malware, including viruses, worms, trojans etc.
  • Will use a strong authentication mechanism (2FA) to its Systems.
  • Passwords management:
    • Will ensure that Partner’s Systems in use are password protected.
    • Will avoid any sharing of passwords to its Systems and following an involuntary, or a suspicions of involuntary, disclosure of a passwords to its Systems immediately change passwords.
    • Will regularly change passwords to its systems.
    • Will ensure that passwords are always stored in encrypted form, not available to third parties.
  • Will not share Systems with another person.
  • will insure software updates for System’s operating system from time to time and will avoid and prevents the installation and use of unauthorized hardware and softwares on its Systems.
  • To the extent that Partner use cloud services Partner will:
    • evaluate the suitability of the cloud provider’s data management solutions in protecting personal information (for example, the ability to control access to information, to secure information while at rest, in transit, and in use, and to sanitize information).
    • weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider.

Partner shall notify Company without undue delay upon Partner becoming aware of a breach, or suspects that a breach has occurred, affecting, or that may affect, Company’s Data Subjects Personal information and will provide Company with sufficient information as may be required by Company to this effect.

If Partner is required by applicable law to transfer, disclose or permit access to Company’s Data Subjects personal information by a third party, including by public authorities or similar bodies, Partner will promptly notify Company in advance, or at the earliest opportunity, to this effect and provide the required cooperation to limit the extent and scope of such transfer, disclosure or processing.

Upon termination of the Agreement, or upon Company's written request at any time during the term of the Agreement, Partner shall cease using Company’s Data Subjects personal information, and will securely and completely destroy or erase all Company’s Data Subjects personal information in its possession or control, including without limitations to any copies thereof, and at Company’s request, Partner shall provide Company with a written signed confirmation confirming that it has fully complied with this requirement.