Contractual standards for Data Processing on Behalf, last revised December 8, 2014 Contents Agreement on Data Processing on Behalf .......................................................................................... 1 Part 1: Contract Ensuring Data Protection and Information Security .................................................... 3 1 DESCRIPTION OF THE CONTRACT ...................................................................................................... 3 2 NON-DISCLOSURE ............................................................................................................................ 4 3 DATA PROTECTION ........................................................................................................................... 4 4 INFORMATION SECURITY .................................................................................................................. 5 5 SUBCONTRACTORS AND ACCESS CONTROL....................................................................................... 6 6 CHECKS ........................................................................................................................................... 6 7 DATA PROCESSING IN A NON-EEA COUNTRY ................................................................................... 7 Part 2: Data Protection and Information Security Strategy .................................................................... 8 1. Access control (physical) ...................................................................................................... 8 2. Access control (systems) ...................................................................................................... 9 3. Access control (user rights) ................................................................................................10 4. Disclosure control .................................................................................................................12 5. Input control ..........................................................................................................................13 6. Job control ..............................................................................................................................14 7. Availability control ................................................................................................................15 8. Segregation principle ...........................................................................................................16 9. Organizational security criteria..........................................................................................17 Part 3: Approved subcontractors ...........................................................................................................19 Part 4: Signatures ....................................................................................................................................20 Page 2 of 20