Annexes to the Standard Contractual Clauses

Annex 1. STANDARD CONTRACTUAL CLAUSES

This Annex forms an integral part of the clauses and must be completed and signed by the parties.

Member States may complete or specify, in accordance with their national procedures, any information to be included in this Appendix.

A. LIST OF PARTIES

Data exporter(s):

Name: As set out in the Master Services Agreement

Address: As set out in the Master Services Agreement

Contact person’s name, position and contact details: As set out in the Master Services Agreement

Activities relevant to the data transferred under these Clauses: As set out in the Master Services Agreement

Signature and date: As set out in the Master Services Agreement

Role (controller/processor): As set out in the Master Services Agreement

Data importer(s):

Name: As set out in the Index Exchange’s Master Services Agreement

Address: As set out in the Index Exchange’s Master Services Agreement

Contact person’s name, position and contact details: As set out in the Index Exchange’s Master Services Agreement

Activities relevant to the data transferred under these Clauses: As set out in the Master Services Agreement

Signature and date: As set out in the Master Services Agreement

Role (controller/processor): As set out in the Master Services Agreement

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As set out in the Master Services Agreement

Categories of personal data transferred:

As set out in the Master Services Agreement

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Not Applicable

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous over the duration of the Master Services Agreement

Nature of the processing

As set out in the Master Services Agreement

Purpose(s) of the data transfer and further processing

As set out in the Master Services Agreement

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

For a maximum of 13 months upon every cookie refresh; and as applicable, any real-time ID that is a part of the transaction may also be stored in IX’s anonymized logs for a maximum period of three (3) years.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

None

C. COMPETENT SUPERVISORY AUTHORITY

As set out in the Master Services Agreement

ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES

Index Exchange Inc. (Index) undertakes the following measures for the protection of Personal Data and the security of transactions in the provision of services.

1. Physical Access Control

Measures to prevent unauthorized persons from obtaining physical access to data processing systems including:

  • Entrance controls that ensure no unauthorized persons have access to premises where data is processed and stored.

  • Access controls for server facilities using ID cards (e.g., chip cards or magnetic cards).

  • Policies regarding the issuance of keys, key cards, ID cards and codes, including the issuance of keys for business premises and the registration of all key owners.

  • Door protection including protection against unauthorized duplication of keys and electronic door locks.

  • Building security and surveillance, including alarm systems and CCTV.

2. User Access Control

Measures to prevent unauthorized persons from accessing internal systems including:

  • Limited access to data processing systems granted exclusively to authorized persons.

  • Technical measures (e.g., through secure passwords) and organizational measures (e.g., identification and authentication of users) to prevent unauthorized persons from accessing internal systems.

  • A strong password policy that is administered and enforced by the internal IT department.

  • Storage and administration of passwords and access authorization in a secure environment.

  • Access rules determined by the system administrator.

  • A predefined authorization concept: the determination of profiles, roles, transactions and objects; and the surveillance and analysis of access prevent actions that exceed the scope of the user’s access rights.

  • Ongoing review of access privileges.

3. Admission Control

Measures to ensure only authorized users have access to systems and that data will not be read, copied, changed or deleted without authorization including:

  • Use of proprietary software designed for the processing of data.

  • Multi-factor authentication required to access systems.

  • Non-production development systems provided in a sandboxed environment isolated from production systems.

  • Exposure to vulnerabilities evaluated and appropriate measures taken to address the associated risk.

4. Transfer Control

Measures to ensure the security of data in transmission including:

  • Transport security

  • Encryption

  • Pseudonymization

5. Security Control

Measures to ensure that data is protected from accidental destruction or loss and that the data can be restored rapidly in case of a physical or technical incident including:

  • Backup procedures

  • Uninterruptible power supply

  • Protection against malware; firewalls

  • Air conditioning of the server facilities for temperature control

  • Fire detection and sprinkling system

  • Disaster recovery plan

  • A security incident response team comprised of senior members; and a SIRT policy that governs security incident response.

  • A documented plan in case any security incidents occur and testing of incident response procedures on a periodic basis.

  • Built-in redundancy and failover mechanisms that significantly mitigate and limit client and partner impact.

  • Multiple data centres equipped and tested regularly to ensure they can handle any interruption.

6. Verification and Evaluation

Measures to ensure the security and integrity of the processing including:

  • Data protection management.

  • Data which is necessary for each specific purpose is processed.

  • Regular audit and enforcement of security policies.

  • Internal policies that together codify our data security practices approved by management, published and communicated to employees and relevant external parties, including, but not limited to:

    • Information Technology Policy

    • Information Security Policy

    • Personal Information and Privacy Policy

    • Confidential Information Policy