ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Date: 2023-01-12

I. Confidentiality: Physical access checks

The Data Processor shall ensure that no unauthorised persons have access to the office, server or archive rooms. This shall transpire through:

Meltwater offices:

• Limited access lists

• Limited access lists

Meltwater's Datacenter and Cloud partners (where client data is stored):

II. Confidentiality: Entry controls

The Data Processor shall prevent the use of computer systems by unauthorised persons. This shall transpire through:

Limited access lists

Secured doors

Process by which granting access to a user requires peer review

III. Confidentiality: Access controls

The Data Processor warrants that those authorised to use a data processing system shall only be able to access the data that are subject to their access authorisation and that personal data shall not be able to be read, copied, altered or removed during processing or use or after storage without authorisation. This shall transpire through:

Process by which granting access to a user requires peer review

Reviewing access logs

IV. Confidentiality: Separation controls

The Data Processor warrants that data collected for different purposes can be processed separately. There is no need for physical separation; a logical separation of the data is sufficient. This shall transpire through:

Logical separation for all clients

V. Integrity: Disclosure checks

The Data Processor warrants that personal data cannot be read, copied, altered or removed without authorisation during the electronic transmission or transport or storage on data carriers, and that it shall be possible to verify and determine at which points personal data are to be transmitted by means of data transmission equipment. This shall transpire through:

Encryption of data when in transit.

VI. Integrity: Input controls

The Data Processor warrants that it shall be possible to subsequently verify and determine whether and by whom personal data has been entered, altered or removed in data processing systems. This shall transpire through:

Logging

VII. Availability and resilience: Availability checks

The Data Processor warrants that personal data shall be protected against accidental or intentional destruction or loss. This shall transpire through:

Logging

Least Privilege Access

Backups

VIII. Availability and resilience: recoverability

The Data Processor warrants the ability to rapidly restore the availability of the personal data and the access to the data in the event of a physical or technical incident through the following measures:

Disaster recovery and business continuity plans

IX. Evaluation: Data protection management

The Data Processor has implemented a process to regularly review and assess the effectiveness of the technical and organisational protection measures to warrant the security of the processing. This includes: