To ensure that it is possible to verify and determine whether and by whom personal data has been entered, modified or deleted in data processing systems: – systems are monitored to detect security events to ensure a quick solution. – Logs are stored and indexed centrally. Critical protocols, for example. B security protocols, are kept for at least one year. Timestamps can be assigned to unique user names to investigate non-compliances or security events. 1. The data subject may apply this clause to the data exporter, clause 4(b) to i), clause 5(a) to (e) and (g) to (j), clause 6(1) and (2), clause 7, clause 8(2) and clauses 9 to 12 as third party beneficiaries. (g) make available to the data subject, upon request, a copy of the terms or of an existing contract for further processing, unless the terms or contract contain commercial information, in which case he or she may withdraw that commercial information, with the exception of Annex 2, which shall be replaced by a summary description of the security measures where the data subject cannot obtain a copy from the data exporter; i) Personal data referred to in Articles 9 or 10 of Regulation 2016/679 of 27 April 2016 Article 31 provides that data controllers and processors (or their representatives) shall cooperate with the supervisory authorities. 2. The parties agree that the choice of the data subject shall not affect his or her substantive or procedural rights of redress, in accordance with other provisions of national or international law.

(h) in the event of further processing, it has previously informed the data exporter and obtained its prior written consent; This Data Processing Agreement (“DPA”) sets out the obligations of the data protection parties arising from the processing of personal data by the processor on behalf of the data controller in connection with the offer, service contract or other agreement between the parties (“the Agreement”). For the purpose of securing the personal data processed, Mailgun uses industry best practices as set out in Annex 2 to this Agreement. Data controllers should have a data protection authority with all the data processors they use. Data processors should also have a data processing agreement with all subcontractors they use. 2.2 The terms “personal data”, “data subject”, “processing”, “controller” and “processor”, as used in these conditions, have the meanings set out in the GDPR, regardless of whether European or non-European data protection legislation applies. Internal control measures and documents shall be made available to the manager upon request. (ii) any other correspondence, request or complaint received from a person, supervisory authority or other third party concerned in connection with the data processing. In the event that such a request, correspondence, request or complaint is addressed directly to the processor, the processor must immediately inform the data controller and provide all details….