Article 1 Purpose
The purpose of these Terms and Conditions is to prescribe matters related to the terms and procedures for using services (“CXP Services”) offered by Clarios Experience Platform (“CXP”) of Clarios Delkor Corporation (the “Company”), and the rights, obligations and responsibilities of the Company and Members (“you” or “Member”), and other necessary matters.

Article 2 Validity and Amendment

1. The Company will provide CXP Services to you on the condition that you agree to these Terms and Conditions. Once you agree to these Terms and Conditions, these Terms and Conditions will apply with priority to the Company’s providing CXP Services and your use of CXP Services.

2. In case of any amendment to these Terms and Conditions, the reason for and the effective date of such amendment, together with the current Terms and Conditions, will be posted on the CXP’s main screen from seven (7) days before the effective date until the date before the effective date. Provided, in the event of any amendment unfavorable to the Member, notice will be provided with a grace period of at least thirty (30) days in advance, in which event, CXP will display a clear comparison of the Terms and Conditions before and after the amendment in an easy-to-understand manner for the Member. If the Member does not agree to the amended Terms and Conditions, the Member may cancel his/her Subscription (Member Withdrawal). The Member’s continued use of CXP Services shall be regarded as consent to the amended Terms and Conditions.

Article 3 Standards Other than the Terms and Conditions

1. These Terms and Conditions apply together with separate terms and conditions and terms of services pertaining to the use of CXP Services.

2. Matters not prescribed in these Terms and Conditions shall be governed by the Framework Act on Telecommunications, the Telecommunications Business Act, the Regulation on Deliberation of the Information and Communication Ethics Committee, the Code of Ethics on Information and Communication, the Act on the Protection of Computer Programs, and other relevant laws and regulations.

Article 4 Definition The terms used herein shall have meanings as follows:

1. “Member” means a person who has signed up on CXP by providing his/her personal information and who receives CXP information and uses CXP Services.

2. “Member ID” means a combination of letters or numbers set by the Member to verify his/her identity for the use of CXP Services in accordance with the standards determined by the Company.

3. “Password” means a combination of letters and numbers chosen by the Member to confirm whether the Member matches the Member ID and to protect his/her privacy in communication.

4. “Subscription” means an act of concluding the agreement for the use of CXP Services (“Service Use Agreement”) by filling out the sign-up form provided by CXP and agreeing to these Terms and Conditions.

5. “Withdrawal” means an act by the Member terminating the Service Use Agreement.

6. Any terms not defined herein will be defined in separate terms and conditions and the terms of services for individual CXP Services.


Article 5 Service Use Agreement

1. The Service Use Agreement is concluded when the Member completes the Subscription by filling out the sign-up form provided by CXP with all required information and agreeing to these Terms and Conditions.

2. The Company may cancel the Subscription with respect to the Service Use Agreement that falls under any of the following:

o Applying using someone else’s name;

o Providing false information on the sign-up form or otherwise applying in a fraudulent manner;

o Applying for the purpose of disturbing social norms or good morals;

o Interfering with, or stealing information about, another person’s use of CXP Services;

o Engaging in acts prohibited by laws and these Terms and Conditions by using CXP Services; or

o Failing to meet other requirements determined by the Company.

3. The Company may suspend the conclusion of the Service Use Agreement until each of the following is resolved:

o Insufficient capacity related to CXP Services; or

o Technical errors

4. CXP Services consist of the following, which may be changed with notice to the Member:

o OMS for e-commerce management;

o Data search relating to the Company’s products, technical information and marketing;

o E-learning, product diagnostics and installation guides;

o QR code linkage customized service; and

o Inventory management and various other data analysis materials.

Article 6 Consent to Collection and Use of Member Information

1. The CXP Privacy Policy applies to the Member’s personal information.

2. The Member’s information is collected, used, managed, and protected as follows:

o Collection of personal information: The Company collects your information based on the information that you provide when you sign up for CXP Services, and all collected information will be deleted upon your Withdrawal. Provided, the foregoing does not apply to personal information that is required to be kept in accordance with laws and regulations.

o Use of personal information: The Company does not disclose or provide to a third party the Member’s personal information collected in connection with CXP Services without consent of the Member. When the Company transfers the Member’s personal information to outsource the Company’s business processing, the details of the outsourcee and the outsourced work will be notified to the Member through the CXP Privacy Policy. Provided, the foregoing does not apply (i) if requested by a government agency pursuant to relevant laws such as the Framework Act on Telecommunications; (ii) if necessary for investigations into a crime or if requested by the Information and Communication Ethics Committee; (iii) if requested according to procedures stipulated in other relevant laws; or (iv) if voluntarily disclosed by the Member.

o Management of personal information: You may modify or delete your personal information from time to time at Personal Information Management of CXP Services for the protection and management of your personal information. You may also change or adjust any part of the information that you receive if you find it unnecessary.

o Protection of personal information: Only you can access, modify or delete your personal information, and it is managed exclusively based on your Member ID and Password. Accordingly, you must not give out your Member ID and Password to others and be sure to log out and close the web browser window after using CXP Services. This is necessary to protect your information when you use a computer in a public place such as an Internet café or library where you share the computer with others.

Article 7 Information Security

1. Upon the completion of the Subscription to CXP Services, you are responsible for maintaining the confidentiality of information that you have provided, and you as the Member is responsible for all consequences of using your Member ID and Password.

2. The Member is responsible for all management of his/her Member ID and Password. If the Member discovers that his/her Member ID or Password has been used improperly, the Member must immediately report it to the Company.

3. You must check the disconnection to CXP whenever you finish using CXP Services. The Company is not responsible for any damage or loss that may arise as a result of the use of your information by a third party due to your failure to check the disconnection.

4. The Company does not use cookies to collect personal information, rejects any devices that automatically install personal information such as internet access files, and does not operate related devices.

5. When the Company becomes aware of any leakage of personal information collected and used by CXP, the Company notifies you of the items of personal information leaked and the circumstances leading up to such incident.

6. The Member shall not disclose personal information collected and used by the Company for purposes other than using CXP Services and shall comply with the Company’s Standard Terms of IT Security and Data Processing attached hereto as Appendix 1.

Article 8 Service Hours

1. In principle, CXP Services are available 24 hours a day and 365 days a year, unless there is a disruption to the Company’s business or technical operation.

2. The date or time determined by the Company for regular inspections, etc., will be exceptions to the hours under Paragraph 1.

Article 9 Suspension of CXP Services; Storage and Use of Information

1. The Company does not take any responsibility in case where messages stored or transmitted via CXP are deleted or not stored or not transmitted due to national emergency, power outage, service facility failure outside the CXP management and other force majeure events, or in case of other communication data loss.

2. In the event that the Company needs to temporarily suspend CXP Services due to difficulties in providing the normal services, the Company may suspend CXP Services by providing notice one (1) week prior to such suspension. The Company does not take any responsibility for your failure to recognize the notice during this period. Under unavoidable circumstances, the notice period may be shortened or omitted. In addition, the Company does not take any responsibility in case where messages stored or transmitted via CXP and other telecommunication messages are deleted or not stored or not transmitted due to such suspension of CXP Services, or in case of other communication data loss.

3. If CXP Services are to be permanently discontinued due to internal circumstances of the Company, such discontinuance shall follow Paragraph 2. Provided, the notice period in such event shall be one (1) month prior to the discontinuance.

4. The Company may temporarily change, revise or suspend CXP Services with prior notice, and the Company shall not take any responsibility to you or any third party in connection therewith.

5. If the Member violates these Terms and Conditions, the Company may arbitrarily restrict or suspend the Member’s use of CXP Services. In such event, the Company may not allow the Member’s access to CXP Services.

Article 10 Amendment and Termination of CXP Service

The Company is not responsible for any profit or loss expected by you using CXP Services or for any damages caused by data obtained through CXP Services. The Company does not provide any guarantee for the reliability and accuracy of information, data and facts posted by the Member on CXP.



This Exhibit sets forth certain duties and obligations of User with respect to the protection, security and privacy of information disclosed in the course of performance under the Terms and Conditions. This Exhibit is incorporated into and subject to the terms and conditions of the Terms and Conditions. In the event of inconsistencies between this Exhibit and the Terms and Conditions, the Terms and Conditions shall supersede and control.


1.1 “Company Data” means all Confidential Information and Personal Information whether provided pursuant to a Statement of Work (or other contractual agreements), project specifications, documentation, software or equipment by or on behalf of Company, its Affiliates, and/or its customers and information derived from such information, including as stored in or processed through diagnostic tools, hardware, firmware or software.

1.2 “Company Personnel” means Company employees, officers, directors, agents, contract workers and subcontractors, applicants for employment at Company and applicants seeking to work as a Company contract worker or subcontractor, and also includes all such persons when associated with Company Affiliates.

1.3 “Information Processing System(s)” means the individual and collective electronic, mechanical, or software components of User operations that store and/or process Company Data.

1.4 “Malicious Code” means any computer instructions that are not intended to provide the functionality described and that interfere with or prevent Company’ use as contemplated in this terms and conditions. Malicious Code includes without limitation such computer instructions commonly known as computer viruses, “Trojan horses,” anomalies, self-destruction mechanisms, copy protection schemes, and any other computer instructions that interfere with or prevent Company from using the Company Information or as described in its specifications or as contemplated in this terms and conditions. Malicious Code also includes without limitation any computer instructions that can: (i) disable, destroy, or otherwise alter the Company Information or any hardware on which the executes; or (ii) reveal any data or other information accessed through or processed or stored by the to anyone outside of Company without Company’ knowledge and prior approval.

1.5 “Personal Information” means information that can be used to identify, locate, or contact an individual, alone or when combined with other personal or identifying information.

1.6 “Privacy Laws” means all applicable Korean and international laws that regulate the processing, storage or use of Personal Information.

1.7 “Process”, “Processing” or “Processed” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction

1.8 “Provider” means any third party with access to Company Data by, through or under User including sub-contractors of whatever tier.

1.9 “Ransomware” is a type of malware threat actors use to infect computers and encrypt computer files until a ransom is paid. After the initial infection, ransomware may attempt to spread to connected systems, including shared storage drives and other accessible computers.

1.10 “Security Incident” is an event that may potentially disclose Company information or make information unavailable. Security Incidents will be considered confidential and will be treated in accordance with the confidentiality requirements of this terms and conditions, except notice to Company Personnel, company’s customer, or other parties pursuant to Privacy Laws or Company policy.

1.11 “Security Vulnerability” means status of network services, operating system, application level, or associated functions of networks, computer systems that could allow a Security Incident to occur. Security Vulnerabilities also include physical vulnerabilities to the premises containing or permitting access to Company Information.


2.1. User will implement and maintain security measures in accordance with industry standards and applicable law for electronic and other media that are suitable to protect the security of information processed or stored, including without limitation, physical, network, host, web, and data security, including:

2.1.1. Implementing detection, prevention, and recovery controls to protect against Malicious Code and Ransomware, including training its personnel on Cybersecurity prevention and detection.

2.1.2. Employing security controls and tools to monitor Information Processing Systems and log user activities, exceptions, unauthorized information processing activities, suspicious activities, phishing emails, malicious downloads, and Security Incidents.

2.1.3. Requiring its Providers to securely, and safely dispose of media (including but not limited to hard copies, disks, CDs, DVDs, optical disks, USB devices, hard drives) containing Company Data when no longer required by the establishment of procedures

2.1.4. Encrypting using best industry practices all Company Data in transit and at rest, including offline back-up copies thereof, stored by User at User’s data center, that are tested at least annually.

2.2. User will maintain security measures consistent with applicable law and industry standards, including without limitation, consistent with Payment Card Industry Standards, if applicable. User will identify in writing and make available, upon request, to Company the system security standards and documented processes used to secure User’s systems. User and/or User’s third- party processor will meet the minimum standards of either (a) NIST Cyber Security Framework (b) International Standard ISO/IEC 27001:27005 or its successor, (c) SOC Type 1 Type II or SOC 2 Type II. If User is not ISO or SOC certified or has other information based on region of location, User shall provide documentation on industry best practices being followed.

2.3. As defined in 2.2, upon request, User and/or User’s third-party processor will provide an audit report annually for review by Company. If User is not compliance certified, User shall provide information on what internal audits are done.

2.4. User shall have a Security Incident response process in place to manage and to take immediate corrective action for any Security Incident, including, but not limited to Ransomeware.

2.5. User will secure all areas, including loading docks, holding areas, telecommunications areas, cabling areas and off-site areas that contain Information Processing Systems or media containing Company Data by the use of appropriate security controls in order to ensure that only authorized personnel are allowed access and to prevent damage and interference.

2.6. User will not store Company Data on personally owned equipment not controlled by User.

2.7. To protect Information Processing Systems and system files containing Company Data, User will ensure that access to source code is restricted to authorized users who have a direct need to know.

User will develop configuration standards for all system components that address all known Security Vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Institute (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).


User shall notify Company of a Security Incident, including but not limited to Ransomware, as soon as practicable, but no later than forty-eight (48) hours after User becomes aware of a Security Incident by sending notice to Notification will include the occurrence of any unauthorized access, use, violation, compromise, or breach of security (electronic or physical), involving the computing environment, information or communication systems, facilities, equipment, or transportation means involved in handling of Company Data. User will cooperate, work with, and provide necessary information concerning such breach, in a manner enough for Company to evaluate the likely consequences and any legal or regulatory requirements arising out of the event unless the sharing of such data is prohibited by law. User shall use its best efforts to immediately terminate any security breaches or suspicious activity. User shall not allow any security breach or suspicious activity to persist for any amount of time or for any reason except as required by law, or as deemed reasonably necessary by User to determine the identity of the perpetrator and to stop such breach or suspicious activity. If any breach of the security, confidentiality, or privacy of the Company Data requires notification by User to any party under any of the Privacy Laws, Company shall have sole control over the timing, content, and method of such notification and User shall reimburse Company for its out-of-pocket costs in providing the notification.

3.1 Subsequent Reports and Notifications:
As mutually agreed upon, after the initial notification hereunder, User shall subsequently update t Company’s security team on User’s efforts with respect to Security Incidents via the email address noted above or a dedicated teleconference bridge-line established for the event.

3.2 Security Incident Resolution
User shall provide Company with written documentation of the cause, remedial steps and future plans to prevent a recurrence of the same or similar breach or suspicious activity. User shall immediately implement the proposed remedial plan or discuss for a mutually agreed upon timeframe. If such remedial plan is unacceptable, based on Company’s reasonable judgment, User shall promptly but in any event no later than five (5) days enter into good faith negotiations to address the proposed remedial plan. User shall reasonably cooperate with Company security investigation activities and with the preparation and transmittal of any notice or any action, which Company in its sole discretion may deem appropriate or required by law, to be sent or done for customers or other affected third parties regarding any known or suspected security breach.

3.3 Final Report
User shall provide Company, with a final written report of each Security Incident within three (3) business days of resolution or a determination that the problem cannot be satisfactorily resolved within such time period (in which case, an estimated date for final resolution shall be proposed) and such report shall include:

  • User’s Name
  • User’s Incident Coordinator and contact information
  • Date Incident Occurred and Length of Outage
  • Incident Executive Overview
  • Incident Details: - How/when the incident was initially detected
    - When/How the incident was initially reported to Company
    - Description of what resources/services were impacted
    - Description of impact of Security Incident to Company (volume and type where applicable)
    - Containment – How was the incident contained
    - Root Cause - What was the cause for disruption
    -Corrective Action During the Incident – What steps were taken to reduce exposure during the incident (in most cases, there are interim steps taken to reduce exposure, e.g., Filtering, rerouting services, etc.).
    -Permanent Corrective Action/Preventative measures – What permanent corrective actions have been put in place as a result of this incident

  • Conclusion

3.4 Right to Security Assessment
In event of a Security Incident, Company shall have the right to conduct an Assessment, to validate that all necessary and timely remedial actions have been taken by User to correct the Security Incident. In addition to the foregoing, Company shall have all rights and remedies available to it as outlined in the Terms and Conditions and/or as otherwise prescribed by United States law.


4.1.Required Background Checks - Subject to local law and jurisdiction, background checks that must be performed and documented prior to permitting User personnel to have access to Company Data. User is responsible for obtaining and maintaining documentation. Audits may be performed by Company upon reasonable notice to User and during normal business hours.

4.2.Employ a formal user registration and de-registration procedure for granting and revoking access and access rights to all Information Processing Systems.

4.3.Prior to allowing Providers to access Company Data, User will require Providers to agree in writing to terms substantially like the confidentiality provisions of this terms and conditions to maintain the confidentiality of Company Data.


User shall maintain logs of all Security Incidents and will support Company in our investigation of a possible Security Incident via MS Teams or other mutually agreed upon application upon request. Logs shall minimally be a summary, including date and information on incident (not including other client details if applicable).


6.1.Access to any Company Data: (a) shall be subject to compliance with all applicable Company policies and procedures, (b) shall be limited solely to such Company Data as is required for User to execute its rights under the Terms and Conditions, and (c) may be restricted or revoked by Company in its sole discretion at any time without notice. User will not grant access to Company Data to any third party or use any third-party computer systems to access Company Data without first obtaining Company’s written consent.

6.2.Company Data will be and remain, as between the parties, the property of Company. User will not modify, reformat, reorganize or delete Company Data in any manner without the express written consent of Company and only in the manner permitted in writing by Company. User will not possess or assert any lien or other right against or to Company Data. Company shall own and retain all right, title and interest, including all intellectual property rights, in and to all Company Data and any information submitted to the applications by its users that is not otherwise User’s confidential information. User acknowledges and agrees that notwithstanding any reformatting, modification, reorganization or adaptation of the Company Data (in whole or in part) during its incorporation, storage or processing, or the creation of derivative works from the Company Data, the Company Data will remain as such and will be subject to the terms and conditions of this terms and conditions. This terms and conditions do not grant to User any license or other rights, express or implied, in the Company Data, except as expressly set forth in this terms and conditions.


7.1.Consistent with the requirements of this agreement, User will maintain an information security policy that is approved by User’s management, published and communicated to all User Personnel.

7.2.User will review the information security policy at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

7.3.User and its Personnel will not attempt to access, or allow access to, any Company Data which they are not permitted to access under this terms and conditions or the Terms and Conditions. If such access is attained, User will follow the reporting process described in this terms and conditions.

7.4.User agrees that Company Personal Information will not be given to any third party for any use whatsoever except as specified in the Terms and Conditions.


8.1.If access to any Company computer network (“Company Network”) is required by User, then Company shall determine the nature and extent of such access. If remote access is given to User, then any and all information relating to such remote access shall be considered Company’s Confidential Information. In addition, any and all, access to a Company Network shall be subject to the following:

8.1.1. Company’s Network will be used by User solely to execute its rights and perform its obligations under the Terms and Conditions.

8.1.2.Access to a Company Network will be restricted to User’s Personnel who need access for User to fulfill its obligations under the Terms and Conditions; and no access rights will be transferred to any other individuals without the prior written consent of Company.

8.2.Without limiting any of its other rights, Company shall have the right to restrict and monitor the use of the Company Network, and to access, seize, copy and disclose any information, data or files developed, processed, transmitted, displayed, reproduced or otherwise accessed on a Company Network. Company may exercise its rights reserved hereunder: (a) to ensure compliance by User’s Personnel with Company’s policies and procedures while on a Company Network; (b) to work with User to investigate conduct that may be illegal or may adversely affect Company; and (c) to prevent inappropriate or excessive personal use of any Company Network. User will advise its Personnel concerning the rights stated hereunder.

8.3.While on Company’s premises, User will not connect hardware (physically or via a wireless connection) to any Company Networks unless necessary for User to perform services under this terms and conditions or a SOW. Company has the right to inspect or scan such hardware before or during use.

8.4. Network Access Control - Access to internal, external, Provider and public network services that allow access to Information Processing Systems shall be controlled. User will:

8.4.1.Ensure that current industry best practice standard authentication mechanisms for network users and equipment are in place and updated as necessary.

8.4.2.Ensure electronic perimeter controls are in place to protect Information Processing Systems from unauthorized access.

8.4.3.Ensure a stateful firewall is in place for each Internet connection and between any DMZ and the Intranet. Firewalls shall be configured to deny all traffic except the traffic that is required for business reasons.

8.4.4.Ensure authentication methods are used to control access by remote users.

8.4.5.Ensure physical and logical access to diagnostic and configuration ports is controlled.

8.4.6.Ensure wireless implementations are only used if required for business reasons, put into practice WPA, WPA2, 802.11i or a superseding standard and must not use WEP.


9.1As applicable to the services provided under the Terms and Conditions, at least once per year (or more frequently if requested by Company or required by applicable law), User shall conduct or arrange for vulnerability assessment and penetration testing of User’s security processes and procedures, including vulnerability assessment and penetration testing of its services and deliverables under the Terms and Conditions, in order to identify potential Security Vulnerabilities. User shall conduct, arrange, or validate testing on all computers and systems used directly or indirectly in support of Company business.

9.2User shall select an independent, qualified vendor to contact the Testing, sending upon request, an executive summary of the testing results including any vulnerabilities corrected (Without disclosing any security privacy protections).

9.3User shall regularly patch and update software and OSs to the latest versions, ensuring devices are properly configured and that security features are enabled.


10.1.In the event User has or in the course of performance under this terms and conditions will Process Company Data then User and agents, contract workers and/or others acting on its behalf or under its control may not Process Personal Data except as required for purposes of fulfilling the express purposes of the Terms and Conditions.

10.2.Privacy Laws. Any Personal Data processed or stored by the User in the course of performing its services or as part of any deliverable or other information provided to Company will be Processed or stored and protected in accordance with all applicable Privacy Laws. User expressly warrants that its Processing of Personal Data will comply with all Privacy Laws. User will at all times perform its obligations under this terms and conditions in such a manner as to not, by its actions, or inaction contrary to this terms and conditions, cause Company to be in violation of applicable Privacy Laws and/or any other applicable laws.

10.3.User Shall include the following for protection of Personal Information:

10.3.1.Delineation and Identification of Personal Information. Taking all necessary steps and implementing appropriate processes to delineate and identify Personal Information for special handling within User’s organization, including without limitation supplemental controls over certain types of Personal Information more particularly regulated by Privacy Laws.

10.3.2.Restricted Access. Ensuring that Personal Information will be accessible only by authorized personnel, with suitable user authentication, sign-on and access controls that satisfy the requirements of this Exhibit.

10.3.3.Encryption of Personal Information – Transmission. When Processing Personal Information, connections to Company computing environments and any other transmission via data transmission services or using the Internet will be protected using any of the following cryptographic technologies: IPSec, SSL, SSH/SCP, PGP, or other technologies that provide substantially similar or greater levels of security. Encryption algorithms will be of sufficient strength to protect data to commercially reasonable security levels and will utilize industry recognized hashing functions. Transmission may not use any cryptography algorithms developed internally by or for User. Encryption must be in full compliance with export laws applicable to the Company Data being transmitted.

10.3.4.Encryption of Personal Information – Storage. Storage, back-up or other retention of Personal Information at rest will be protected using one or more of the encryption technologies approved in this Exhibit for data transmission.

10.3.5.Back-up, Emergency/Disaster Recovery Systems. Applying the requirements of this Section to Personal Information stored on back-up media, servers or repositories, transported, or transmitted, stored or recovered as part emergency or disaster recovery systems maintained by or for User.

10.3.6.Information Retention and Disposal. (i) Cooperating with Company in administering its retention requirements concerning Company Data and employing Record controls required to enable such compliance, and (ii) returning or if authorized by Company, discarding, destroying and otherwise disposing of Personal Information in a secure manner to prevent unauthorized Processing of Personal Information consistent with Company policies and applicable law.

10.3.7.Data Transfer to and From Third Parties Outside of Originating Country. Ensuring that no Personal Information (or any other data if restricted by law) is transmitted or permitted to be accessed from outside the country of its origin without determining requirements of and complying with the Privacy Laws in the originating and destination countries.

10.4.Data Subject Rights. Taking into account the nature of the Processing, User shall assist Company by implementing appropriate technical and organisational measures to enable Company to fulfil its obligations (as reasonably understood by Company) to respond to and otherwise address Data Subject’s exercise of their rights under the Privacy Laws.

10.4.1.User shall (i) promptly notify Company if it, or any Subcontractor, receives a request from a Data Subject under any Privacy Law in respect of Company Personal Data; and (ii) ensure that neither it, nor any Subcontractor, responds to that request except on the written instructions of Company or as required by applicable law to which it, or such Subcontractor, is subject, in which case User shall to the extent permitted by applicable law inform Company of that legal requirement before it, or any Subcontractor, responds to the request.

10.4.2.Personal Data Breach. User shall notify Company immediately (and in any event within twenty four (24) hours) upon User or any Subcontractor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow it to meet any obligations under the Privacy Laws to inform affected Data Subjects and/or Supervisory Authority(ies) of the Personal Data Breach.

10.4.3.At a minimum, any notification made by User to Company shall (i) describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; (ii) describe the likely consequences of the Personal Data Breach; and (iii) describe the measures taken or proposed to be taken to address the Personal Data Breach.

10.4.4.User shall (at its own cost) co-operate with Company and take (and procure that any applicable Subcontractor shall take) such reasonable steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.