Addendum To Security Agreement

The Company has taken and maintains appropriate administrative, technical, physical and procedural security measures for the protection of personal data, including the measures listed below or reasonably made available by the Company. This Splunk Cloud Security Addendum (CSA) defines the administrative, technical, and physical security measures splunk implements to protect customer content in Splunk Cloud (security program). Splunk may update this CSA from time to time to reflect changes in Splunk`s security situation, provided that such changes do not materially affect the intended level of security. 4. Data Processing. The company processes personal data for the sole purpose of providing the service to the customer. The company processes the personal data in accordance with the customer`s instructions, as documented in the agreement and this addition for the duration of the agreement. The entity will not access, use or otherwise process such personal data unless this is necessary for the provision of the service. Unless prohibited by applicable law, the company will inform the customer if it considers that an instruction is contrary to the law of an EU Member State to which it is subject, in which case the company may suspend the execution of such instruction until the customer confirms in writing that such instruction is valid in accordance with the law of the EU Member States. Any additional instructions on how the company processes personal data are subject to the prior written agreement between the company and the customer. The company will not disclose personal data to governments unless it is necessary to comply with applicable law or a valid and binding injunction from a law enforcement authorities (e.g. B a subpoena or court order). If the company receives a binding order from a law enforcement agency for personal data, the company will inform the customer of the request it has received, as long as the law does not prohibit the company from doing so.

The entity shall ensure that persons who have access to personal data or who participate in the processing of personal data are subject to appropriate confidentiality obligations and/or are subject to obligations arising from data protection or other applicable laws. 6. technical and organisational measures. Taking into account the state of the art, the costs of implementation and the nature, scale, context and purposes of the processing, as well as the risk of different likelihood and severity for the rights and freedoms of natural persons, the entity shall take appropriate technical and organisational measures with regard to personal data in order to ensure a level of security of personal data appropriate to the risk, as further described in Appendix 2 to the Addendum. When assessing the appropriate level of security, the entity shall take into account in particular the risks arising from the processing, in particular due to destruction, loss, alteration, unauthorized disclosure or access to personal data transferred, stored or otherwise processed. Description of the technical and organisational security measures implemented by the data importer in accordance with clauses 4(d) and 5(c) (or the attached document/law): 9. . .