<br>

CORDA UAT NETWORK AGREEMENT

This Agreement (this “Agreement”) is between R3 LLC, a Delaware limited liability company and its affiliates (collectively, “R3”, “we”, “us”, or “our”), and you (“you”), and sets forth the terms and conditions that govern your rights to use Corda UAT Network (“UAT Network”), establish a node thereon and interact with nodes operated by other participants on the UAT Network (“Participants”), use the UAT Services, and, to the extent applicable, the UAT as defined in Section 1 below, and use any associated documentation therefor provided to you by R3 (collectively, the “Services”). This Agreement shall run concurrently with any commercial agreement you enter into with R3 for your use of the Services. This is a legal agreement between you and us, so please read it carefully.

1.               License to Use; Restrictions.

1.1            The UAT Services are intended for testing of functionally complete and tested CorDapps in realistic network settings to simulate the real-world business environment, including the production settings of network parameters, Corda network services and supported Corda versions. The UAT Services are not intended for use in any live production environments or with any commercial applications. The “Corda Networkmeans the set of infrastructure, services, standards, policies, agreements and governance mechanisms which enable users of Corda to enter into commercial transactions utilizing various applications. For the avoidance of doubt, UAT Network is a discrete environment (and a discrete set of services) from the Corda Network.

The UAT Services consist of the following:

(a)             Doorman Service: You will install a node, running the Corda Software, either on-premises or in a cloud environment. To join the node to the UAT Environment, the node will communicate a Certificate Signing Request (CSR) to the UAT Doorman service which, upon verification of the identifying details submitted in the CSR, will issue a Participation Certificate to your node which will enable it to operate within UAT.

(b)             Network Map Service: a service provided by R3 that accepts digitally signed documents describing network routing and identifying information from Participants and makes this information available to you and other Participants.

(c)             Notary Service: a technical service that will digitally sign a transaction presented to it by Participants prior to it being recorded on Participants’ ledgers provided no transaction referring to any of the same inputs has been previously signed by the R3 Notary Service and the transaction timestamp is within bounds.

R3 reserves the right to make substantial changes to the Services, including the UAT Services, at any time.

 

The UAT Network shall operate in accordance with the terms set forth in the User Acceptance Test Environment Service Level Agreement, which you may access via the Services and which may be updated from time to time. For the avoidance of doubt, the UAT Network is a discrete environment (and a discrete set of services) from TestNet and the Corda Network.

 

1.2            License. R3 hereby grants you a limited, revocable, non-exclusive, non-transferable, and non-sublicensable right to access and use the Services solely for your own internal use during the period commencing on the date you accept this Agreement (the “Effective Date”) and continuing until terminated by R3 (the “Term).

1.3            Restrictions.

(a)             General. You will not: (i) copy distribute, license, rent or otherwise transfer or use the Services for any purpose or in any manner other than that as expressly set forth in Section 1.2; (ii) use any confidential or proprietary information of R3 or any Participants except as authorized by the owners of such information; (iii) use the Services in any way intended or calculated to damage or interfere with the functioning of any other nodes or Participants; (iv) attempt to gain unauthorized access to the Services, any other Participant’s nodes, or any other systems or networks, or (v) use the Services for the execution of any transactions or otherwise enter into any binding agreement using the Services.

(b)             Data Restrictions.  The Services may not be used with data that (i) requires a license or other permission for use in connection with the Services unless you have all necessary rights to make such data available for use in connection with the Services, (ii) is the master or only copy of real commercial data pertaining to you, your customers, or any third parties, or (iii) is otherwise subject to restrictions on distribution or transferability under any applicable laws and regulations (“Prohibited Data”). You will not introduce into the Services or share with any Participant through the Services any Prohibited Data and will cooperate with any audit or review of information provided to ensure that the data provided does not include Prohibited Data. You acknowledge that any data made available through the Services or provided by any other Participant through the Services is intended to be used for development, testing and demonstration purposes. R3 makes no representations or warranties as to the accuracy or usefulness of any such data, and your use of such data is at your sole discretion and risk.

1.4            Participation Certificate. Use of the Service requires a certificate issued by R3 which authenticates your node as one that is authorized to use the Service and participate in the network (“Participation Certificate”). Your Participation Certificate is non-transferable, may not be duplicated and may not be shared with any other party. You are responsible for any activity that occurs under your Participation Certificate.

1.5            Software and Equipment.

(a)             You are solely responsible, at your own expense, for acquiring, installing, maintaining and securing all hardware, software and other equipment necessary to connect to and use the Services, except as otherwise provided by R3. Access to and use of the Services requires you to download and install the current Corda software. Your use of any software or other materials and content to access the Services, including but not limited to the Corda software, is subject to the applicable license terms that accompany such software, materials, and content. Such license terms, and not this Agreement, will govern your use of such software, materials, and content.

(b)             You will maintain, patch and update the Corda software as specified by R3. You acknowledge that failure to use the most current versions of the Corda software may impact your ability to access or use the Services. You will maintain, patch and update all security software and systems for your nodes on a regular basis in accordance with industry practices.

(c)             You will configure your systems, including firewalls and security systems, in accordance with the standards and specifications set forth by R3 for the System, including accepting inbound connections from any IPv4 address with a valid Participation Certificate.

1.6            Temporary Suspensions. R3 may temporarily suspend your or any of your users’ access to any portion or all of the Services at any time if R3 determines that: (a) there is a threat or attack (including a denial of service attack) on, or a security risk to, the Services or R3’s or its third party’s hosting network or infrastructure (“R3 Network”) or other event that may create a risk to the Services or Participants; (b) you or any of your users are using the Services for fraudulent or illegal activities or in violation of this Agreement; or (c) subject to applicable law, you have ceased to continue business in the ordinary course, made an assignment for the benefit of creditors or similar disposition of your assets, or become the subject of any bankruptcy, reorganization, liquidation, dissolution or similar proceeding. R3 will have no liability for any damage, liabilities, losses (including any loss of data or profits) or any other consequences that you or any of your users may incur or experience as a result of any service suspension.

1.7            Changes to Services. R3 may revise or release subsequent versions of the Services at any time and will notify you through such method as R3 may specify from time to time. R3 may require you to use the most recent version of the Services. Your continued use of the Services after such release will be deemed your acceptance of the modifications.

1.8            Data Protection. Both parties acknowledge and agree that they will comply with all the provisions of the EEA Data Protection Addendum attached hereto as Exhibit A.

2.               Proprietary Rights.

R3 or its licensors own the Services and all associated patent, copyright, trade secrets and other proprietary and intellectual property rights in and to the Services. No title to or ownership of the Services or any associated proprietary or intellectual property rights are transferred or licensed to you under or by virtue of this Agreement.

3.               Evaluation and Feedback.

3.1            You may provide R3 with data, information and feedback regarding the performance, features and functionality, as well as your evaluation, of the Services (collectively, “Feedback”). You hereby assign to R3, automatically upon the creation thereof without further consideration, all right, title and interest you may have in and to the Feedback and any improvements and modifications to the Services conceived or made as a result of such Feedback, including all proprietary and intellectual property rights in the foregoing. R3 may use and commercially exploit all such Feedback, improvements and modifications for any purpose, without any accounting or obligation to you.

3.2            You understand and agree that: R3 may monitor your use of the Services and collect and use data relating to such use for purposes of: (i) providing the Services, (ii) ensuring compliance with this Agreement, and (iii) planning, development and improvements with respect to the Services.

4.               Termination.

Either party may terminate this Agreement at any time, with or without cause, by providing written notice of termination to the other party. Such written notice shall be given via email and addressed to: UatOperations@r3.com and legal@r3.com. Upon such termination, you must promptly cease using the Services and all information related to the Services. Section 1.3, and Sections 2 through 9 will survive the termination of this Agreement.

5.               Warranties; Disclaimer.

5.1            Your Representations and Warranties. You represent, warrant and covenant that: (a) you will not provide, transmit, distribute, disclose or otherwise provide to R3 or distribute through the Service, or otherwise use, any data or information in connection with the Services (“Data”) that is Prohibited Data or is unlawful or tortious, or for which you do not own or have not procured sufficient license, right, consent and permission to copy, reproduce, store, broadcast or otherwise use; (b) your use of the Services will not violate any laws, regulations, rules, orders, licenses, permits and other governmental requirements (including privacy laws) or any obligations or restrictions imposed by third parties; (c) the Data, including R3’s use thereof in connection with this Agreement, does not and will not infringe, misappropriate or otherwise violate any intellectual property or other proprietary rights of any third party; and (d) you will be deemed the party publishing the Data to the UAT ledger and have full and sole responsibility for such publication.

5.2            Joint Representations and Warranties. Each party undertakes not to take any action that is in any way intended or calculated to damage or interfere with the functioning of the other party’s node or other IT systems, including through the introduction of any Virus. For purposes of this Section 5.2, “Virus” shall mean any software intended to damage or interfere with the intended operation of IT systems or software (including by rearranging, altering or erasing a software program or data in whole or part or otherwise), or any device, method or token that permits the circumvention of any part of information technology security, including any computer viruses, worms, time bombs, logic bombs, Trojan horses, salamis, trap doors, backdoors, undocumented passwords, protect codes or other malicious computer instructions, or any devices or techniques that can, or are designed to, threaten, assault, vandalize, subvert, disrupt, damage, copy, misappropriate, disable or shutdown an IT system, a software program, or any component thereof, including its security or user data. Each party undertakes to operate its respective node and services (including the Services) within a secure environment. In furtherance of the foregoing, each party shall use commercially reasonable efforts to ensure that such nodes and services (including the Services) remain secure from malicious attacks, and security incidents are promptly reported to the other party and appropriately managed.You undertake to comply with R3’s reasonable security policies as made available by R3 from time to time.

5.3            Disclaimers. You acknowledge and agree that the Services are provided “as is”, without warranty of any kind. To the maximum extent permitted by applicable law, R3 hereby disclaims all warranties, obligations and liabilities of R3, its licensors, and other Participants, whether express, implied or statutory, arising by law or otherwise, with respect to any error, defect, deficiency, unavailability, or nonconformity in the Services, your use of the Services, or otherwise related in any way, directly or indirectly, to the Services, including but not limited to any implied warranty of merchantability or fitness for a particular purpose, implied warranty arising from course of performance, course of dealing or usage of trade, any obligation, liability, right, remedy or claim in tort (including negligence, whether active, passive or imputed), product liability, strict liability or other theory, and claim of infringement. R3 and its licensors do not warrant that the Services will meet your needs or will be provided error-free, uninterrupted, secure, or virus-free.

You understand that the Services operate on a distributed network and R3 disclaims any responsibilities with respect to your disclosure of data to, access of data from, or the functioning of nodes on the distributed network. You acknowledge that R3 does not control the transfer of data over communications facilities, including the Internet, and that the Services may be subject to limitations, delays, and other problems inherent in the use of such communications facilities. You acknowledge that the entire risk arising out of the use or performance of the Services remains with you, to the maximum extent permitted by law.

5.4            Further Disclaimers. Without limiting the generality of Section 5.3, neither R3 nor its licensors will have any responsibilities or liability with respect to the Services. Without limiting the foregoing:

(a)             The Services could be impacted by one or more regulatory inquiries or actions, which could prevent or limit the ability (i) of R3 to continue to develop or provide the Services, (ii) certain Participants to continue to use the Services, or (iii) for you and your users to use the Services.

(b)             R3 has no obligation to update the Services or its underlying platforms and networks to address, mitigate, or remediate any security or other vulnerabilities in the Services, or such platforms or networks.

(c)             R3 is not responsible or liable for the actions or omissions of any Participant, whether such actions or omissions interoperate, communicate or otherwise involve or implicate your node or presence on such network or the Services. R3 hereby disclaims all warranties, obligations and liabilities relating to your interaction with other nodes on the Service and other Participants, including any data shared with other Participants.

6.               Limitation of Liability.

In no event will R3 or any of its licensors or other users be liable, whether in contract, warranty, tort (including negligence, whether active, passive or imputed), product liability, strict liability or other theory, for any direct, indirect, incidental, special or consequential damages, including any loss of profits or data, business interruption or other pecuniary loss, or damage, loss or other compromise of data arising out of this Agreement, including but not limited to the use or inability to use the Services, even if R3 or its licensors or other users have been advised of the possibility of such damages. Further, R3 will not be liable for any delay or failure to perform its obligations under this Agreement as a result of any causes or conditions beyond R3’s reasonable control. The foregoing limitations, exclusions and disclaimers shall apply to the maximum extent permitted by applicable law, even if any remedy fails of its essential purpose.

7.               Indemnity

To the maximum extent permitted by law, you will defend, indemnify and hold harmless R3 and the other Participants and their respective affiliates, directors, officers, employees and agents from and against any and all third party claims, actions, suits, investigations, or proceedings, as well as any and all losses, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of, accruing from, or in any way related to your breach of the terms of this Agreement or any Data or other items you furnish or otherwise make available through the Services.

8.               Governing Law; Dispute Resolution

8.1            Governing Law. This Agreement is governed by the laws of the State of New York without reference to its choice of law principles. The provisions of the 1980 U.N. Convention on Contracts for the International Sale of Goods shall not apply.

8.2            Arbitration. Any claim, dispute, or controversy (“Claim”) arising out of or relating to this Agreement or the relationships among the parties hereto shall be resolved through binding arbitration before one arbitrator administered by the International Centre for Dispute Resolution (ICDR) of the American Arbitration Association (AAA) in accordance with its International Arbitration Rules in effect at the time the Claim is filed (“Rules”). The place of Arbitration will be New York City, New York and the arbitration will be conducted in English. The arbitrator’s decision shall be final, binding, and non-appealable. Judgment upon the award may be entered and enforced in any court having jurisdiction. This clause is made pursuant to a transaction involving interstate commerce and shall be governed by the Federal Arbitration Act. Neither party shall sue the other party other than as provided herein or for enforcement of this clause or of the arbitrator’s award. The arbitrator, and not any federal, state, or local court, shall have exclusive authority to resolve any dispute relating to the interpretation, applicability, unconscionability, arbitrability, enforceability, or formation of this Agreement including any claim that all or any part of the Agreement is void or voidable.

8.3            Governing Language. This Agreement has been prepared and executed by the parties in English. In the event any translation of this Agreement is prepared for convenience or any other purpose, the provisions of the English version shall prevail.

9.               Miscellaneous.

This Agreement constitutes the entire agreement between R3 and you regarding your use and evaluation of the Services. Statements or representations made by employees, distributors, resellers or any other third party do not constitute warranties by R3, do not bind R3 and should not be relied upon by you. R3 may modify this Agreement from time to time upon written notice to you by email at the address associated with your account or by providing notice through our Services and posting the amended Agreement in a manner accessible through the Services. Unless otherwise stated in the notice, the amended Agreement will be effective immediately and your continued access to and use of the Services after we provide notice will confirm your acceptance of the changes. If you do not agree to the amended Agreement, you must stop accessing and using our Services.

If you have any questions concerning this Agreement, please contact us at: legal@r3.com.

ACCEPTED AND AGREED ON
BY





<br>

EXHIBIT A

EEA Data Protection Addendum

Scope

The terms in this EEA Data Protection Addendum (“Addendum”) apply to all services in Appendix A (the “Services”) which involve processing of personal data by R3 which is subject to GDPR. This Addendum forms part of the principal agreement (the “Principal Agreement”) between the customer (the “Customer”) and R3. This Addendum applies to the processing of Personal Data, with subject to the EU General Data Protection Regulation 2016/679 (hereinafter “GDPR”), by R3 LLC ("R3") on behalf of Customer. Terms used herein and not otherwise defined shall have the meanings ascribed to them in the GDPR.

 

Processing of Customer Personal Data; Ownership

R3 and Customer agree that with regard to the processing of Customer Personal Data, Customer is Controller and R3 is Processor. R3 will process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

 

R3 is not responsible for any Customer Personal Data stored or otherwise used with any R3’s proprietary software or on any network provided by R3.

 

Disclosure of Customer Personal Data

R3 will not disclose Customer Personal Data outside of R3 and its affiliates and third-party vendors facilitating business for R3 except (1) as Customer directs, (2) as set forth in the Principal Agreement, or (3) as otherwise required by law.

If a law enforcement agency or other third party contacts R3 with a legally binding demand for Customer Personal Data, R3 will attempt to redirect the third party to request that data directly from Customer (and for this purpose, R3 may disclose Customer's basic contact information to that third party). If compelled to disclose Customer Personal Data to a law enforcement agency or other third party, R3 will as soon as reasonably practicable notify Customer and provide it with a copy of the demand unless legally prohibited from doing so.

Processing Details

The parties acknowledge and agree that:

·       The subject-matter, nature and purpose of the processing is limited to Customer Personal Data as defined by and within the scope of the GDPR;

·       The duration of the processing shall be for the duration of the Customer’s right to use the Service and until all Personal Data is deleted or returned in accordance with Customer instructions or the terms of the Principal Agreement;

·       The nature and purpose of the processing shall be to provide the Service pursuant to the Principal Agreement;

·       The types of Personal Data processed by the Online Service include those expressly identified in Article 4 of the GDPR; and

·       The categories of Data Subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers.

 

If R3 receives a communication from a Data Subject seeking to exercise any of his or her rights under articles 12 to 23 of the GDPR, R3 will redirect the Data Subject to make its request directly to Customer. R3 will comply with reasonable requests by Customer to assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the Processor.

 

Cooperation

R3 will assist with any audits conducted by the Controller or another auditor mandated by the Controller. The Customer shall reimburse R3 for any reasonable and demonstrable expenses relating to any such audit. Customer and R3 shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate.

 

Data Security

Security Practices and Policies

R3 will maintain appropriate technical and organizational measures to protect Customer Personal Data. R3 reserves the right to amend the security measures that it has in place to protect Customer Personal Data (or equivalent), and/or its description of them, by amending the relevant web pages from time to time, provided that it does not materially reduce the level of security provided.

 

Customer Responsibilities

Customer is solely responsible for making an independent determination as to whether the technical and organizational measures set out in Appendix B ensure a level of security appropriate for the Customer Personal Data, including meeting any of Customer's security obligations under the GDPR or other applicable data protection laws and regulations. Customer will indemnify, defend, and hold harmless R3 from and against any and all losses (i) in respect of or arising out of any third party claim against R3 alleging that the measures set forth in Appendix B are insufficient or otherwise fail to comply in any respect with the requirements of the GDPR or (ii) arising or resulting from any breach of the GDPR by R3 in connection with the measures set forth in Appendix B. Customer acknowledges and agrees that taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Customer Personal Data as well as the related risks to individuals the technical and organizational measures implemented and maintained by R3 provide a level of security appropriate to the risk with respect to its Customer Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.

 

Security Incident Notification

If R3 becomes aware of a personal data breach which are likely to result in a risk to the rights and freedom of natural persons while processed by R3 (each a “Security Incident”), R3 will without undue delay (1) notify Customer of the Security Incident and provide Customer with detailed information about the Security Incident; (2) investigate the cause of the Security Incident; and (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

 

Notification(s) of Security Incidents will be delivered to one or more of Customer’s administrators by any means R3 selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on each applicable Service portal. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident, but R3 shall give Customer such assistance as Customer reasonably requests and R3 is reasonably able to provide in relation to the performance of any such third party notification obligations which arise as a result of a breach by R3 of this Addendum.

 

R3’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by R3 of any fault or liability with respect to the Security Incident.

 

Customer must notify R3 promptly about any possible misuse of its accounts or authentication credentials or any security incident related to a Service.

 

Data Transfers and Location

Customer Personal Data that R3 processes about the Customer may be transferred to, and stored and processed in, the United States or any other country in which R3 or its affiliates or sub-contractors (“Subprocessors”) with access to Customer Personal Data operate. Customer appoints R3 to perform any such transfer of Customer Personal Data to any such country and to store and process Customer Personal Data to provide the Services. All transfers of Customer Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.

 

Data Retention and Deletion

After Customer disables its account and upon expiration of the applicable retention periods, unless R3 is required to retain Customer Personal Data under European Union or Member State laws, R3 shall delete Customer Personal Data.

 

Processor Confidentiality Commitment

R3 will ensure that its personnel engaged in the processing of Customer Personal Data will be obligated to maintain the confidentiality and security of such data, including after their engagement ends.

 

Notice and Controls on use of Subprocessors

R3 may hire third parties to provide certain limited or ancillary services on its behalf. Customer consents to the engagement of these third parties and R3 affiliates as Subprocessors. Agreement to these terms constitutes Customer’s prior written consent to the subcontracting by R3 of the processing of Customer Personal Data to its Subprocessors, if such consent is required. R3 shall ensure that each Subprocessor is bound by a written contract imposing on the Subprocessor materially the same data privacy and data security obligations as are accepted by R3 in this Addendum (as applicable to the Subprocessor) or other obligations which similarly meet the requirements of article 28(3) of the GDPR. A list of third party Subprocessors can be found in Appendix A.

 

From time to time, R3 may engage new Subprocessors. R3 will give Customer notice by updating the www.corda.net website and providing Customer with a mechanism to obtain notice of that update of any new Subprocessor other than an affiliate of R3 at least 14-days in advance of providing that Subprocessor with access to Customer Personal Data.

 

If Customer does not approve of a new Subprocessor receiving Customer Personal Data, then Customer may terminate any subscription for the affected Online Service. If the affected Online Service is part of a suite (or similar single purchase of services), then any termination will apply to the entire suite. To terminate a service, please send a written notice to UatOperations@r3.com and legal@r3.com. All fees paid will be forfeited by Customer. Either party may terminate this Agreement at any time, with or without cause, by providing written notice of termination to the other party.


 

Appendix A. Services

 

R3 Corda UAT Network

Description

 

The Corda UAT Network and related Services are provided by R3 and enable users to employ a Corda node with a network identity that enables such users to transact, for demonstration purposes, with other Corda nodes on Corda UAT Network. Each includes a provisioning service that has a web application interface which allows a user to sign up with an account and use multiple node identities. The Corda UAT Network also facilitates access to a doorman service, a network map service and a notary service.

 

Customer Personal data concerns the following categories:

o   Customer full name and email address

Processing operations

The following sub-processors will be used to store information relating to such support Services:

Sub-Processor            Purpose                          Applicable Data Protection

Microsoft Azure        Hosted database for customer directory EU - US Privacy Shield


 

Appendix B – Minimum Technical and Organizational Measures for Processor Services

Organizational Security Controls

R3 will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described below ("Security Measures"). The Security Measures include governance around access to systems storing Customer Personal Data; to help restore timely access to personal data following an incident; and for regular testing of effectiveness. R3 will maintain such personal data according to the control framework defined by R3’s information security management framework.

Security Compliance

R3 will take appropriate steps to ensure compliance with Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Data Incidents

If R3 becomes aware of any data incidents, R3 will follow steps outlined above in the security incident identification section.

Security Responsibility

R3’s information security manager is responsible for ensuring that any technical solutions to the protection of personal data meet the requirements of the controller, the information owner and applicable regulation.

R3 has no obligation to protect Customer Personal Data outside of what is collected via website unless otherwise agreed upon with Customer.

Technical Security Controls

Access Policy

R3’s internal access control processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data. R3’s information security manager ensures only authorized users have access to personal data and all users are allocated unique user IDs for access to systems processing personal information.

Data

Production systems containing personal information will be logically segregated from development systems. Appropriate authentication schemes will be maintained for systems processing personal information. Systems processing personal data will adequately protect that information at rest and in transit. Personal Data will be deleted in accordance to Data Retention and Deletion section above.

Subprocessor Security

R3 reviews security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.