In the event that the Service Agreement between you and Oracle refers to the Oracle Data Processing Agreement for Oracle Services (“DPA”), further details on the relevant data transfer mechanism applicable to your order for Oracle Services are available in the DPA. In particular, for personal data from the Services transferred from the European Economic Area (“EEA”), Switzerland or the United Kingdom (“UK”), such transfers are subject to Oracle's Binding Corporate Rules for Processors (BCR-P) or the terms of the EU Standard Contractual Clauses. Oracle maintains lists of Oracle partners and subcontractors that may process personal data from the Services. For more information, please refer to My Oracle Support (support.oracle.com) Document ID 2121811.1 or any other applicable primary support tool provided for the Services. Your Oracle Cloud Services order identifies the Oracle Cloud Services Agreement that governs the order. If your order was placed on or after June 26, 2019 and refers to the Oracle Cloud Services Agreement available on www.oracle.com/contracts, that order will be governed by the June 26, 2019 release of the Oracle Cloud Services Agreement. For each “Add-on Order” to an Original Cloud Services Order, the version of the Oracle Cloud Services Agreement in effect on the date of the Original Order will apply to the Add-on Order, even if the Add-on Order is placed after an updated version of the Cloud Services Agreement is posted. An “Add-on Order” is an order that updates the quantity or type of cloud services previously ordered, for example by adding capacity, new user subscriptions, or additional SaaS service applications. You control access to personal data from your Services by your End Users, and your End Users must address to you any request related to their personal data from the Services.
To the extent such access is not available to you, Oracle will provide reasonable assistance with requests for access, deletion, restriction, rectification, receipt and transmission, blocking of access, or objection to the processing of personal data from the Services on Oracle systems. Oracle may process personal data from the Services for processing activities necessary to perform the Services, including to test and apply new product or system versions, patches, updates, and upgrades, and to resolve bugs and other issues you have reported to Oracle.
As part of our ongoing efforts to help our customers meet their data protection and security requirements under the EU General Data Protection Regulation (GDPR) and other European data protection laws and regulations in the EU/EEA, the UK and Switzerland (“European Data Protection Act”), Oracle EMEA Ltd has obtained EU/EEA-wide approval from the European Data Protection Authorities for its Binding Corporate Rules for Processors (“BCR-p”). Oracle employees are required to maintain the confidentiality of personal information. Employee obligations include written confidentiality agreements, regular training on protecting information, and compliance with company policies to protect confidential information. For personal data contained in system data collected in the EU, our legal basis for processing such information is our legitimate interest in performing, maintaining and securing our products and services and the efficient and proper operation of our business. Personal data may also be processed on the basis of our legal obligations or our legitimate interest in fulfilling those legal obligations. You are the controller of the personal data from the Services processed by Oracle to provide the Services. Oracle will process your personal data from the Services in accordance with your Service order and additional documented written instructions to the extent necessary for Oracle to (i) comply with its obligations under applicable data protection law, or (ii) assist you in complying with your obligations as controller under applicable data protection laws relating to your use of the Services. Oracle will promptly notify you if we believe your instructions violate applicable data protection law. Additional charges may apply.
The Data Processing Agreement includes a European DPA Addendum that contains additional terms for personal data processed by Oracle on behalf of customers and subject to the data protection laws of the EU/EEA, the United Kingdom, and Switzerland. The European DPA Addendum also contains Oracle's binding corporate rules for processors.
Oracle contributes to these audits by providing you with the information and support reasonably necessary to perform the audit, including any relevant records of processing activities that apply to the Services. If the required audit scope is addressed in a SOC 1 or SOC 2, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified external auditor within the last twelve months, and Oracle provides you with such a report confirming that there are no material changes to the audited controls, you agree to accept the results contained in the third-party audit report instead of requesting an audit of the controls that are the subject of the report. . . .