1. SECURITY PRACTICES. Genki is responsible for the security measures set out in the Agreement and shall maintain and implement the following technical and organizational measures in relation to the security of the Customer Configuration. Customer remains the primary system/account administrator and is responsible for the integrity, security, maintenance and appropriate protection of Customer Data by:(i) selecting and purchasing appropriate security Services;(ii) implementing appropriate encryption and logical access controls; and (iii) maintaining appropriate application security controls. Certain Genki services are available to help Customers meet these requirements.

1.1. Physical Security. The following physical security controls apply to Customer Data residing in data center or office premises either owned or leased by Genki International Partners Limited or its Affiliate in connection with the provision of Services to Customer (and expressly excludes third party hosting Services):

(A) Servers and devices dedicated to Customer’s use as part of the Customer Configuration provided by Genki will be located in a controlled access data center (or portion thereof) either operated by or dedicated to use by Genki or its Affiliate.

(B) Genki operates or audits the use of an electronic access control system which logs access to physical facilities, managed by a professional security guard force in line with its current processes.

(C) Access to the raised production floor of the data halls will be restricted to Genki employees or its agents who need access for the purpose of providing the Services. Access within data center facilities is in zones and provisioned based on physical access rights required by a given individual. Access to designated “meet me” rooms will be available to customers, subject to data center escort policies.

(D) The data center will be staffed 24/7/365 and will be monitored by video surveillance, recording to a centralized location, and viewed by the onsite security force.

(E) Genki limits access to physical facilities to authorized individuals by proximity-based access cards and biometric hand scanners or other approved security authentication methods.

(F) Except as specifically stated in the Agreement, Genki will not relocate the Customer Configuration from a Genki date center in one country to a data center in another country without Customer’s express written permission.

(G) Following the termination of the Agreement or a Customer Configuration, Genki will wipe data from those hard drives and storage devices dedicated to Customer use prior to re-use.

1.2. Administrative Controls.

(A) Screening. Genki will perform pre-employment background screening of its employees who have access to Customer’s account, and is committed to employee supervision, training, and management.

(B) Genki Access. Genki will restrict the use of administrative access codes for Customer’s account to its employees and other agents who need the access codes for the purpose of providing the Services. Genki personnel who use access codes shall be required to log on using an assigned user name and password.

(C) Customer Access. As the primary system administrator, Customer is responsible for the management of their account, including creation, change management, and termination, and enforcement of related remote working and password controls.

1.3. PCI-DSS. With respect to the security of cardholder data, as that term is defined in the Payment Card Industry-Data Security Standard, which Genki may possess or otherwise store, process or transmit on Customer’s behalf, Genki agrees to provide (i) those physical, technical, and administrative safeguards described in the Agreement and (ii) the Services selected by Customer and described in the Agreement; provided that Customer remains responsible for ensuring all PCI-DSS requirements are met with respect to such cardholder data. Genki does not maintain PCI-DSS Service Provider, or equivalent, accreditation with regards to services hosted however if required of the Customer a compliant service provider option is available.

1.4. Reports of and Response to Security Breach. Genki will report to Customer as soon as reasonably practicable in writing and in accordance with applicable law, of a material breach of the security of the Customer Configuration which results in unauthorized access to Customer Data resulting in the destruction, loss, unauthorized disclosure or alteration of Customer Data of which Genki becomes aware. Upon request, Genki will promptly provide to Customer all relevant information and documentation that Genki has available to Genki regarding the Customer Configuration in connection with any such event. Genki shall be under no obligation to notify routine security alerts in respect of the Customer Configuration (including pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing, or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers, or similar incidents) save as otherwise specifically set out in the Agreement.

1.5. Customer Data Return. The Services enable Customer to retrieve, correct, or delete Customer Data. Depending on the Services, Customer may not have access to the Customer Configuration or Customer Data during a suspension of Services, or following the termination of the Agreement. Customer is responsible for retrieving a copy of Customer Data prior to the termination of the Agreement. Genki may delete Customer Data at any time following termination of the Agreement.

2. PRIVACY PRACTICES. Customer and Genki will comply with applicable laws in relation to their collection and processing of any Sensitive Data in the provision and use of the Services. If and to the extent the EU Directive 95/46/EC or the EU General Data Protection Regulation (EU) 2016/679 (together with any transposing, implementing, or supplemental legislation “GDPR”) applies to the processing Personal Data (as defined in the GDPR)(i) Genki will process Personal Data only in accordance with Customer’s instructions, except as required by applicable law, and Customer acknowledges that this Agreement, together with Customer’s configuration and use of the Services, represents its complete instructions to Genki on the processing of such Personal Data; and (ii) the Privacy Statements and Disclaimers available at https://genkipartners.com will form part of this Agreement.