DocuSign Envelope ID: 6BE73965-BAEF-4791-B930-DABA9714DC055
DARKTRACE
SECURITY
7.1 Taking into account the nature, scope, context and purposes of processing, the Data Processor has implemented and will maintain the administrative, physical, technical and organisational measures as described in the Darktrace Information Security Policy to protect any Personal Data accessed or processed by it against unauthorised or unlawful processing or accidental loss, destruction, damage or disclosure. The parties agree that for the purposes of the processing hereunder, the measures contained within the Darktrace Information Security Policy are appropriate, given the nature of the data to be processed and the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction, disclosure, access or damage.
PERSONAL DATA BREACH NOTIFICATION
8.1 In the event that the Data Processor suffers a Personal Data Breach, the Data Processor shall inform the Data Controller within twenty-four (24) hours upon learning of the same and reasonably cooperate with the Data Controller to mitigate the effects and to minimise any damage resulting therefrom. To the extent reasonably possible, the notification to the Data Controller shall include: (i) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) the name and contact details of the Data Processor's data protection officer or another contact point where more information can be obtained; (iii) a description of the likely consequences of the incident; and (iv) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
SUBPROCESSORS
9.1 Save as expressly provided herein, the Data Processor will not use subprocessors for the processing of Personal Data. For the purposes of providing Support Services alone: (i) The Data Controller hereby authorises the Data Processor to use its affiliates specified in the Support Services Datasheet to process Personal Data (the "Affiliate Subprocessors"); (ii) The Data Processor shall have in place with the Affiliate Subprocessors a written agreement equivalent to the terms contained herein to protect Personal Data; and (iii) The EU Model Clauses shall apply to the extent the processing of Personal Data by the Affiliate Subprocessors involves a transfer of Personal Data which originates in the EEA to a third country outside of the EEA. For such purposes, the Data Controller hereby authorises the Data Processor to enter into the EU Model Clauses with the Affiliate Subprocessors on the Data Controller's behalf.
9.2 Save for the foregoing, the Data Processor shall not engage any subprocessors without the prior written authorisation of the Data Controller. In the event that the Data Controller authorises the use by the Data Processor of any other subprocessors, the Data Processor shall procure that such subprocessors enter into a written agreement containing provisions no less stringent than this DPA.
9.3 The Data Processor shall be fully liable for any breach by the subprocessors of any data protection obligations set out in this Clause.
ASSISTANCE WHEN HANDLING REQUESTS FROM DATA SUBJECTS
10.1 Taking into account the nature of processing and the information available to the Data Processor, the Data Processor will provide reasonable support to the Data Controller: (i) in complying with any legally mandated request for access to or correction of any Personal Data by a data subject under Chapter III GDPR (and where such request is submitted to the Data Processor, the Data Processor will promptly notify the Data Controller of it); (ii) in responding to requests or demands made to the Data Controller by any court or governmental authority responsible for enforcing privacy or data protection laws; or (iii) in its preparation of a Data Protection Impact Assessment.
AUDIT
11.1 The Data Processor agrees to maintain ISO 27001 certification for the duration of the Term. The Data Processor will use an external auditor to verify that its security measures meet ISO 27001 standards in accordance with the ISO certification process. On the Data Controller's written request, and subject to appropriate confidentiality obligations, the Data Processor will make available to the Data Controller: (i) a copy of the current certificate in relation to the ISO 27001 certification; and (ii) information reasonably requested by the Data Controller in writing with regards to the Data Processor's processing of Personal Data under this DPA. The Data Controller agrees to exercise any right it may have to conduct an audit or inspection under GDPR (or the EU Model Clauses if they apply) by requesting the foregoing information.
RETURN/DESTRUCTION OF PERSONAL DATA
12.1 Upon termination of the Agreement, the Data Processor shall delete or return all Personal Data in accordance with the Data Controller's written instructions.
V01.04.2020 MCA SHRINKWRAP 14
