DATA PROCESSING AGREEMENT

This Data Processing Agreement (the "DPA") is made between Wabtec and its service provider (“Provider”), as identified in the [name of the main service agreement] entered into on [Date TBC] between Wabtec and Provider (the "Agreement”).

BACKGROUND:

Provider provides certain services to Wabtec in accordance with the Agreement (the “Services”). Provision of the Services involves the Processing of Personal Data of Wabtec (“Wabtec Personal Data”) by Provider. This DPA governs the Processing of Wabtec Personal Data by Provider, in the course of providing the Services.

IT IS AGREED AS FOLLOWS:

1. Definitions

For the purpose of this DPA, unless otherwise defined in the Agreement, all capitalized terms used in this DPA shall have the meanings given to them below:

“Controller”, “Processor”, “Personal Data”, “Data Subject(s)”, “Processing” (the terms "Process", "Processes" and "Processed" are interpreted accordingly), “Personal Data Breach”, “Supervisory Authority” shall have the meanings given to them in the Data Protection Laws.

“Data Protection Laws” means rules and regulations applicable with respect to the Processing of Wabtec Personal Data under the Agreement and this DPA, including, but not limited to, the European General Data Protection Regulation no. 2016/679 dated 27 April 2016 (“GDPR”), as amended and supplemented, as the case may be, by the relevant EU Member States laws and regulations in which Wabtec directly or indirectly operates, and the Directive no 2002/58 or any other text that may replace it and/or as amended and supplemented, as the case may be, by the relevant EU Member States laws and regulations in which Wabtec directly or indirectly operates.

2. Data Protection Obligations

2.1 Compliance with Laws. Provider shall at all times comply with Data Protection Laws.

2.2 Instructions. Provider shall only Process Wabtec Personal Data (i) on behalf of Wabtec, (ii) further to written and documented instructions received from Wabtec, included, as the case may be, in this DPA and/or the Agreement (each, an “Instruction”) and (iii) to comply with applicable Data Protection Laws. Provider warrants it has no reason to believe that the legislation applicable to it prevents it from fulfilling any Instruction.

2.3 If, in Provider’s opinion, any Instruction were to (i) appear legally prohibited, (ii) require material changes to Provider’s performance of the Services, (iii) result in a likely violation of Data Protection Laws and/or (iv) appear inconsistent with the terms of the Agreement or this DPA, Provider shall immediately inform Wabtec of its inability to follow such Instruction, and any Processing described in the Agreement and/or this DPA. In this case, Wabtec may terminate the Agreement and this DPA, without prior notice and without any right to compensation.

2.4 Provider undertakes to keep and maintain adequate and complete documentation and records of Provider’s Processing or use of Wabtec Personal Data, in accordance with Data Protection Laws. Provider undertakes to perform, without limitation, any formality, request for authorization, approval, and data protection impact assessment, as may be prescribed by Data Protection Laws, notably further to Article 2.9 below. In any case, Provider undertakes to comply with the principles of “privacy by design” and “privacy by default”, as provided for in the Data Protection Laws.

2.5 Roles and responsibilities. Under this DPA, Provider shall Process Wabtec Personal Data as Processor, and Wabtec shall be deemed to act as Controller. Should Provider Process Wabtec Personal Data outside the scope of this DPA, such as, without limitation, (i) for purposes of Processing other than those agreed in this DPA, (ii) for any Processing operation outside of an Instruction, or (iii) for any Processing performed for a duration other than as specified in Section 3 of this DPA, Provider shall be considered as Controller.

2.6 Use and Purpose Limitation. Provider shall not Process Wabtec Personal Data for any purpose other than to perform the Services in compliance with the Agreement, this DPA and Instructions, and for the duration of the Agreement or otherwise indicated under relevant Instructions. In particular, and without prejudice to the foregoing, Provider shall not copy, use, reproduce, display, perform, sell, modify, destroy or transfer any Wabtec Personal Data, works derived from Wabtec Personal Data or anything that includes any Wabtec Personal Data, to any third party, except as otherwise expressly set out in this DPA, the Agreement or any Instruction.

2.7 Limited disclosure. Provider shall not disclose Wabtec Personal Data to any third party except as necessary to perform the Services or further to an Instruction. Provider shall further ensure that access to Wabtec Personal Data to perform the Services will be granted only on a strict need-to-know basis to authorized personnel, including employees, contractors and agents, which shall be subject to appropriate confidentiality obligations, as well as provided with appropriate instructions and training on data protection principles and security. Provider also warrants that any person acting under its authority and having access to Wabtec Personal Data for the provision of the Services shall process them according to the Instructions only.

2.8 Notification of Wabtec in case of disclosure requests / questions. Provider shall notify Wabtec without delay upon – and in any event no later than twenty-four (24) hours after – becoming aware of (i) any legally binding request for disclosure of and/or request for access to Wabtec Personal Data by a law enforcement authority unless otherwise prohibited under applicable law, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; (ii) any legally binding request, order or inspection activity by a Supervisory Authority or other competent authority relating to Personal Data or privacy protection; or (iii) any request or question received from Data Subjects in relation to their Wabtec Personal Data, such as requests for access, rectification, portability or deletion of their Wabtec Personal Data. Except in order to confirm that such request is properly directed to Wabtec, Provider shall not respond independently to any such questions and/or requests, unless otherwise expressly agreed in writing by Wabtec; in such case, Provider undertakes to comply with the processes and conditions set out by Wabtec to this effect.

2.9 Assistance to Wabtec. Provider shall timely assist Wabtec, through appropriate technical and organizational measures, to respond and act upon any requests made by a Supervisory Authority or a Data Subject under Data Protection Laws. More generally, Provider shall provide timely assistance to Wabtec, insofar as Provider is not prohibited to do so, for Wabtec to comply with its obligations under applicable Data Protection Laws. Upon Wabtec’s request, Provider shall provide Wabtec with all cooperation and assistance needed to fulfil Wabtec’s obligation under applicable Data Protection Laws to carry out a data protection impact assessment related to Wabtec’s use of the Services, notably where the Services involve automated decision-making and profiling as well as any Processing activity performed on special categories of data pursuant to Article 9 of GDPR, geolocation data and/or any large scale Processing of Wabtec Personal Data. Provider shall provide reasonable assistance to Wabtec in the cooperation or prior consultation with the relevant Supervisory Authority in the performance of its tasks relating to this Article to the extent required under the relevant Data Protection Laws.

2.10 Security. Provider shall implement appropriate physical, technical and organizational measures to protect Wabtec Personal Data against accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of Wabtec Personal Data over a network, and against all forms of unauthorized or unlawful processing. Such measures shall ensure a level of security appropriate to the risk, including inter alia, as appropriate: (i) the pseudonymization and encryption of Wabtec Personal Data, (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (iii) the ability to restore the availability and access to Wabtec Personal Data in a timely manner in the event of a physical or technical incident, and (iv) a process for regularly testing, assessing and evaluating the effectiveness of physical, technical and organizational measures in place for ensuring the security of any processing for the purpose of providing the Services. Provider shall in any event comply with any data security documentation that Wabtec may provide, from time to time. Security measures are described in Appendix 3 hereto and shall be regularly assessed and updated by the parties.

2.11 Notification of Personal Data Breaches. Provider shall notify Wabtec without delay upon – and in any event no later than twenty-four (24) hours after – becoming aware of any breach of this DPA or any Wabtec Personal Data Breach (together, “Breach”). Provider shall timely document and provide Wabtec with all data and details relating to such Breach and provide any necessary assistance to enable Wabtec to remedy any such Breach and provide Wabtec with all required assistance to provide notification of any such Breach to any Supervisory Authority and/or the Data Subjects impacted by such Breach. In particular, and without prejudice to any other right or remedy available to Wabtec, Provider shall promptly following discovery or notice of a Breach, at its own costs and expenses, take (i) corrective action to mitigate any risks or damages involved with such Breach and to protect Wabtec Personal Data from any further use and/or access, (ii) evidence and document such Breach, in particular its context, date of occurrence, type, extent and data involved, as well as any elements pertaining to the diagnosis of the origin or the occurrence of such Breach, and the direct and indirect consequences of this Breach, and provide Wabtec with such evidence and documents, and (iii) any other actions that may be required by applicable Data Protection Laws as a result of such Breach, subject to Wabtec’s prior written approval.

2.12 Return and Deletion of Personal Data. Upon expiration or termination of the Agreement, for any reason whatsoever, Provider shall, at the choice of Wabtec, within fifteen (15) days following such expiration or termination, (i) return all Wabtec Personal Data Processed in the course of providing the Services and copies thereof to Wabtec, or (ii) permanently destroy all Wabtec Personal Data and copies thereof and, in any event, certify in writing to Wabtec that it has done so. The Parties agree that Provider may retain one copy of Wabtec Personal Data only as strictly necessary to comply with any legal, regulatory, judicial, audit or internal compliance requirements, as duly documented by Provider. In such case, Provider shall warrant that it will guarantee the confidentiality and security of the Wabtec Personal Data and will not actively Process it anymore and destroy it as soon as legally allowed.

2.13 Audit. Upon request and without undue delay, Provider shall make available to Wabtec all information necessary to demonstrate (i) Provider’s compliance with this DPA and (ii) Wabtec’s compliance with its undertakings under applicable Data Protection Laws with regard to the provision of the Services. Further, Wabtec, any third party appointed by it, bound by a duty of confidentiality, or a competent Supervisory Authority, shall be entitled to conduct an audit of Provider’s (and/or any of its subcontractors’) data Processing facilities and activities to ensure compliance with this DPA and the regulatory undertaking bearing upon Wabtec. Such audits shall be performed during normal business hours and in a way that does not interfere with normal business activities of Provider and, where relevant, Provider’s subcontractors. Provider shall reasonably cooperate with the appointed auditor to conduct this audit. Should the audit show a breach of this DPA or of the Data Protection Laws, especially but not limited to security or confidentiality requirements, Wabtec may require Provider to immediately remedy this breach.

2.14 Subcontracting. Provider shall be allowed to engage subcontractors for carrying out specific Wabtec Personal Data Processing activities, subject to the prior written agreement by Wabtec.

2.15 Data Transfers. Provider acknowledges that some Data Protection Laws may require additional measures to be taken to secure transfers of Personal Data outside the country or region they originate from. In such a case, Provider shall assist Wabtec and, where relevant, Wabtec affiliates, in implementing these additional measures and, for instance, enter into separate Personal Data transfer agreements, where and as mandated under Data Protection Laws. Without limiting the generality of the foregoing, Provider shall refrain from transferring any Wabtec Personal Data to a country which would not be deemed as offering an adequate level of protection by the European Commission, without relying, for the entire duration of the Agreement, on (i) an agreement strictly based on the European Commission Decision of 5 February 2010, as provided in Appendix 1 hereto, including any European Commission Decision updating or replacing the aforementioned Decision, entered into with Wabtec and/or Wabtec affiliates or, if agreed by Wabtec, (ii) an alternate mechanism in accordance with the applicable legislation of the European Union. In the event that any transfer mechanism under Data Protection Laws of the European Union is determined by the European Court of Justice or another organism of the European Union not to be adequate, Provider shall, as soon as possible, adopt and implement an appropriate alternative transfer mechanism. In the event that Provider fails to adopt an alternative transfer mechanism within one (1) month of the invalidation decision by the European Union organism, notwithstanding anything to the contrary in the Agreement, Wabtec may terminate the Agreement, at no cost, as of right and without prejudice to Wabtec’s other rights and remedies.
In any case, Wabtec and Provider agree that, in relation to transfer and Processing of any Wabtec Personal Data, the provisions of the transfer mechanisms used (e.g., separate agreement(s)) will prevail over those of the Agreement and of this DPA in case of inconsistency.

3. Duration

This DPA shall come into force from its date of execution by both Parties, and shall remain in effect throughout the term of the Agreement. Notwithstanding the expiration or termination of the Agreement or this DPA, Section 2 of this DPA shall remain in effect provided that Provider still holds, stores or otherwise Processes Wabtec Personal Data as part of the Agreement or this DPA.

4. Miscellaneous

For the performance and management of the Agreement and the DPA, the Parties, each acting independently as a Controller, will process Personal Data relating to the other Party’s personnel, as may be mentioned in this DPA (e.g. signatories for the Parties). Each Party warrants that it will inform its own personnel of the Processing of their Personal Data by the other Party.

Notwithstanding anything to the contrary in this DPA or in the Agreement, the liability of Provider for any breach of this DPA shall not be subject to the limitations of liability provisions included in the Agreement, if any.

Provider shall indemnify and hold Wabtec harmless against every claim, litigation, compensation or sanction, of any nature (civil, administrative or criminal), which would arise from the violation by the Provider of the commitments contained in this DPA. Where relevant, the Provider shall compensate Wabtec for any conviction and legal expenses, including reasonable attorney’s fees, pronounced against Wabtec in a judicial or administrative decision which has become enforceable.

The Parties acknowledge and agree that the activities performed by Provider under this DPA do not involve any right to specific compensation other than that compensation owed to Provider for the provision of Services in accordance with the Agreement.

This DPA sets out the entire agreement and understanding between Wabtec and Provider with respect to the Processing of Wabtec Personal Data by Provider for the purpose of providing the Services and supersedes all other understandings or agreements made between Wabtec and Provider on the same subject matter. In case of conflict or inconsistency between the Agreement and this DPA, the provisions of this DPA shall prevail.

Except as mandated under applicable Data Protection Laws, any dispute relating to this DPA shall be governed by and interpreted in accordance with the law of the country and subject to the jurisdiction referred to in the Agreement.


APPENDIX 1

STANDARD CONTRACTUAL CLAUSES FOR THE TRANSFER OF PERSONAL DATA
FROM THE COMMUNITY TO THIRD COUNTRIES
(CONTROLLER TO PROCESSOR)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Clause 1 – Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the controller who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2 – Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3 – Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4 – Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5 – Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

(ii) any accidental or unauthorized access; and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6 – Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7 – Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8 – Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9 – Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10 – Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11 – Sub-processing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.

2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12 – Obligation after the termination of personal data-processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX 2
DESCRIPTION OF PROCESSING OPERATIONS

Duration of processing and retention period

Data subjects

Categories of data

Special categories of data (if appropriate)

APPENDIX 3

DESCRIPTION OF PROVIDER’S
TECHNICAL AND ORGANIZATIONAL MEASURES

Control Category / Control Type / Control Description

Physical / Third Party Data Center
    Physical access control lists manage ingress and egress
    Security fencing
    Biometric readers at all main entry points
    24x7x365 security officers with fixed locations at front and rear access points
    24x7x365 CCTV recordings
    Access control (mantraps)

Administrative / Policy
    Security
    Account
    Password
    Handling of Personal Information
    Off-boarding
    Access Control

Administrative / Process
    Incident response
    Patching

Administrative / Standards
    Coding
    Security Standards for Managed Applications
    Server Build
    Data Retention and Disposal
    Key Management

Administrative / Compliance
    Security Compliance
    Account Compliance

Administrative / Training
    Security Awareness
    User Compliance Training

Technical / Preventative
    Monthly Vulnerability Scans
    Malware Scans
    Firewall
    Anti-Virus
    IP allow lists and deny lists

Technical / Detective
    Infrastructure Access Logs
    Application Access Logs
    Application Audit Trails
    Application Login Logs

Technical / Access Control
    Roles and Permissions
    VPN – Operational / Admin
    Two-factor authentication on application

Technical / Encryption
    TLS (SSL) for network connections
    Data Encryption in Transit
    Data Encryption at Rest
    Password Hashing (passwords stored as salted hashes, not reversibly encrypted)
    Use of strong encryption algorithms such as AES

Technical / User Controls
    User Authentication
    Account Expiry
    Password Complexity
    Account Lockout
    Session Timeouts
    Application Allow-listing

WABTEC PRIVACY AND DATA PROTECTION APPENDIX

This Appendix applies in the circumstances set out below. In the event of inconsistency or conflict between this Appendix and the Contract Document with respect to a subject covered by this Appendix, the provision requiring the higher level of protection for any Personal Data or other Wabtec information governed by this Appendix shall prevail. The requirements in this Appendix are in addition to any confidentiality obligations between Wabtec and the Supplier under the Contract Document. Wabtec or the applicable Wabtec Affiliate responsible for the protection of any of the Personal Data or other Wabtec information governed by this Appendix may enforce the terms of this Appendix. This Appendix is also applicable when a Supplier affiliate is providing Products, services and/or deliverables under the Contract Document directly, in its own name, in which event Supplier’s agreement to the terms of this Appendix is also given on behalf of such Supplier affiliate, and Supplier warrants that it has the power and authority to do so. As used herein, “Supplier” shall mean Supplier and Supplier Affiliate, collectively. Wabtec reserves the right to update this Appendix from time to time.

SECTION I – DEFINITIONS

The following definitions and rules of interpretation apply in this Appendix. Any words following the terms “including,” “include,” “e.g.,”, “for example” or any similar expression are for illustration purposes only.

(i) Contract Document means the relevant agreement, contract, statement of work, task order, purchase order or other document governing the provision of Products, services and/or deliverables by Supplier to Wabtec.

(ii) Controlled Data is technical or government information with distribution and/or handling requirements prescribed by law, including, but not limited to, controlled unclassified information and license-required export-controlled data, which is provided by Wabtec to the Supplier in connection with performance of the Contract Document.

(iii) Data Protection Laws means rules and regulations applicable with respect to the Processing of Wabtec Personal Data under a Contract Document, including, but not limited to, the European General Data Protection Regulation no. 2016/679 dated 27 April 2016 (“GDPR”), as amended and supplemented, as the case may be, by the relevant EU Member States laws and regulations in which Wabtec directly or indirectly operates, and the Directive no 2002/58 or any other text that may replace it and/or as amended and supplemented, as the case may be, by the relevant EU Member States laws and regulations in which Wabtec directly or indirectly operates.

(iv) EU Law means the laws of the European Union or of any member state of the European Union and/or the European Economic Area.

(v) Wabtec means the Westinghouse Air Brake Technologies Corporation or a Wabtec Affiliate party to the Contract Document with Supplier.

(vi) Wabtec Affiliate means any entity that is directly or indirectly in control of, controlled by, or under common control with Wabtec, whether now existing, or subsequently created or acquired during the term of the Contract Document.

(vii) Wabtec Confidential Information is information created, collected, or modified by Wabtec that would pose a risk of causing harm to Wabtec if disclosed or used improperly, and is provided to the Supplier under the Contract Document. Wabtec Confidential Information includes, but is not limited to, information pertaining to business operations and strategies, trade secrets, Personal Data, Controlled Data, or Sensitive Personal Data.

(viii) Wabtec Information System(s) means any systems and/or computers managed by Wabtec, which includes laptops and network devices.

(ix) Mobile Devices means tablets, smartphones and similar devices running mobile operating systems. Laptops are not considered Mobile Devices.

(x) Personal Data means any information related to an identified or identifiable natural person (Data Subject), as defined under applicable law, that is Processed in connection with the Contract Document. Legal entities are Data Subjects where required by law.

(xi) Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

(xii) Process(ing) means to perform any operation or set of operations upon Wabtec Confidential Information, whether or not by automatic means, including, but not limited to, collecting, recording, organizing, storing, adapting or altering, retrieving, accessing, consulting, using, disclosing by transmission, disseminating, or otherwise making available, aligning or combining, blocking, erasing or destroying.

(xiii) Product(s) means any goods, systems, components, products, software and deliverables supplied under the Contract Document.

(xiv) Security Incident means any event in which Wabtec Confidential Information is or is suspected to have been lost, stolen, improperly altered, improperly disclosed, improperly destroyed, used for a purpose not permitted under the Contract Document or this Appendix, or accessed by any person other than Supplier Personnel pursuant to the Contract Document or this Appendix.

(xv) Sensitive Personal Data is a category of Personal Data considered to be especially sensitive and includes medical records and other personal health information, including protected health information (PHI), as defined in and subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA); personal bank account and payment card information and other financial account information; customer bank account and payment card information; national identifiers; and special categories of data under applicable law (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, home life and sexual orientation).

(xvi) Supplier or Third Party is the entity providing goods, services and/or deliverables to Wabtec pursuant to the Contract Document. It also refers to Wabtec joint ventures.

(xvii) Third Party Information System(s) means any Third-Party system(s) and/or computer(s) used to Process, Store, Transmit and/or Access Wabtec Confidential Information pursuant to the Contract Document, which includes laptops and network devices.

(xviii) Supplier Personnel means all persons or entities providing services and/or deliverables under the Contract Document, including Supplier’s employees, permitted affiliates and third parties (for example, suppliers, contractors, subcontractors, and agents), as well as anyone directly or indirectly employed, engaged or retained by any of them.

(xix) Trusted Third Party Network Connection is a physically isolated segment of a third party’s network connected to the Wabtec internal network in a manner identical to a standard Wabtec office.

SECTION II – INFORMATION SECURITY REQUIREMENTS. This Section II applies whenever a Supplier or Supplier Personnel Processes Wabtec Confidential Information, has access to a Wabtec Information System in connection with the Contract Document, or provides certain services or Products to Wabtec. Capitalized terms used in this Section II and not defined in this Appendix shall have the meaning given to them in the Wabtec Third Party Security Requirements referenced herein.

Part A: Security Controls

  1. Consistent with applicable laws and industry information security standards (including ISO 27002, FedRAMP, PCI-DSS and NIST Cybersecurity Framework), Supplier shall implement appropriate physical, technical and organizational measures (“Safeguards”) to protect the confidentiality, integrity and availability of Products, services, or information systems.
  2. Supplier shall implement Safeguards to protect Wabtec Confidential Information, including Personal Data, against accidental loss, alteration, unauthorized disclosure, unauthorized destruction or access, in particular where the processing involves the transmission of Wabtec Confidential Information over a network, and against all forms of unauthorized or unlawful processing.
  3. The Safeguards shall ensure a level of security appropriate to the risk, including inter alia, as appropriate: (i) the pseudonymization and encryption of Wabtec Confidential Information, (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, (iii) the ability to restore the availability and access to Wabtec Confidential Information in a timely manner in the event of a physical or technical incident, and (iv) a process for regularly testing, assessing and evaluating the effectiveness of physical, technical and organizational measures in place for ensuring the security of any processing for the purpose of providing the services, Products or other deliverables under the Contract Document.
  4. Supplier shall in any event comply with any data security requirements that Wabtec may provide, from time to time. Where a Supplier a) Processes Wabtec Confidential Information, b) has access to a Wabtec Information System, c) develops software for Wabtec, d) provides data center services to Wabtec, e) provides to Wabtec a Product, hardware or component that includes binary code, f) supports a critical business function as defined by Wabtec and/or g) provides to Wabtec services with high availability requirements, the Supplier shall implement the applicable security controls reflected in the Wabtec Third Party Security Requirements (attached hereto as Exhibit A to this Appendix).
  5. Supplier may be subject to additional requests from Wabtec for Supplier to confirm its implementation of certain security controls. These requests may include surveys, certifications and attestations such as SOC 1 or SOC 2 Type II reports. Supplier agrees to respond to such requests without undue delay. Failure to respond to Wabtec’s request for these additional confirmations of security controls is a breach of Supplier’s security obligations under this Appendix.

Part B: Security Incidents

  1. Supplier shall notify Wabtec without delay, and in any event no later than twenty-four (24) hours after becoming aware of any Security Incident.
  2. Supplier shall, in a timely manner, document and provide Wabtec with all data and details relating to such Security Incident and provide any necessary assistance to enable Wabtec to remedy any such Security Incident and provide Wabtec with all required assistance to provide notification of any such Security Incident to any regulatory authorities and/or Data Subjects impacted by such Security Incident.
  3. In particular, and without prejudice to any other right or remedy available to Wabtec, Supplier shall promptly, following discovery or notice of a Security Incident, at its own costs and expenses, take (i) corrective action to mitigate any risks or damages involved with such Security Incident and to protect Wabtec Confidential Information from any further use and/or access, (ii) steps to document such Security Incident, in particular its context, date of occurrence, type, extent and data involved, as well as any elements pertaining to the diagnosis of the origin or the occurrence of such Security Incident, and the direct and indirect consequences of this Security Incident, and provide Wabtec with such evidence and documents, and (iii) any other actions that may be required by applicable Data Protection Laws as a result of such Security Incident, subject to Wabtec’s prior written approval.
  4. Supplier shall report Security Incidents to security [at] wabtec [dot] com.
  5. Unless prohibited by law, Supplier shall provide Wabtec reasonable notice of, and the opportunity to comment on and approve, the content of any notice related to a Security Incident prior to publication or communication to any third party (“Security Notice”), except Wabtec shall not have the right to reject content in a Security Notice that must be included to comply with applicable law, including Data Protection Laws.
  6. Should Wabtec elect to send a Security Notice regarding a Security Incident, Supplier shall provide reasonable and timely information relating to the content and distribution of that Security Notice as permitted by applicable law or regulation pursuant to the Security Notice.
  7. Other than approved Security Notices, or to law enforcement or as otherwise required by law, Supplier may not make any public statements concerning Wabtec’s involvement with a Security Incident to any third-party without explicit written authorization of Wabtec’s Legal Department.

Part C: Wabtec Audit Rights

  1. Wabtec reserves the right to conduct an audit, upon 30 days advance notice, of Supplier’s compliance with the requirements in this Appendix and applicable laws, including but not limited to: (i) review of the Supplier’s applicable policies, processes, and procedures, (ii) review of the results of Supplier’s most recent vulnerability assessment and accompanying remediation plans, and (iii) on-site assessments during regular business hours of Supplier’s physical security arrangements and Supplier Information Systems. Wabtec reserves the right to conduct a vulnerability assessment of Supplier’s systems and applications related to the services and Product if Supplier’s vulnerability assessments do not meet or exceed Wabtec application security requirements. This right shall survive termination or expiration of the Contract Document so long as Supplier Processes Wabtec Confidential Information.
  2. Further, Wabtec, any third party appointed by it and bound by a duty of confidentiality, or a competent regulatory authority, shall be entitled to conduct an audit of Supplier’s (and/or any of its subcontractors’) data processing facilities and activities to ensure compliance with this Appendix and applicable laws.
  3. Such audits shall be performed during normal business hours and in a way that does not interfere with normal business activities of Supplier and, where relevant, Supplier’s subcontractors.
  4. Should the audit show a breach of this Appendix or Data Protection Laws, especially but not limited to security or confidentiality requirements, Wabtec may require Supplier to immediately remedy this breach.

Part D: Additional Regulatory Requirements

If Supplier Processes Wabtec Confidential Information that is subject to additional regulatory requirements, or in a manner subject to additional regulatory requirements, Supplier agrees to cooperate with Wabtec for Wabtec’s compliance with such requirements. Such cooperation may include, without limitation, execution of additional agreements required by applicable law (e.g., EU Standard Contractual Clauses, U.S. Protected Health Information Agreement), compliance with additional security requirements, completion of regulatory filings applicable to Supplier, and participation in regulatory audits.

Part E: Supplier Personnel

Supplier is responsible for compliance with this Appendix by all Supplier Personnel. Prior to providing access to any Wabtec Confidential Information to any Supplier Personnel, Supplier must obligate them to comply with applicable requirements of the Contract Document and this Appendix. Supplier shall take reasonable steps to ensure continuing compliance by such Supplier Personnel. Supplier may not appoint any third party engaged in providing services and/or deliverables under the Contract Document without the prior written consent of Wabtec. Where such consent has been given, any change of such third party requires Wabtec’s prior written approval.

SECTION III – PRIVACY & DATA PROTECTION

Part A. Privacy & Data Protection - General Provisions. This Part A applies whenever a Supplier and/or its Supplier Personnel Process Personal Data in connection with the Contract Document.

1. Processing. Supplier shall, and shall ensure that all of its Supplier Personnel shall:

(a) at all times comply with applicable laws, including Data Protection Laws;

(b) only Process Personal Data on, and in compliance with, Wabtec’s written instructions in a Contract Document and as issued from time to time;

(c) Process all Personal Data fairly and lawfully and in accordance with all laws applicable to Supplier’s activities concerning Personal Data governed by this Appendix;

(d) only collect Personal Data directly where Wabtec has provided prior written approval for such direct collection (including where expressly provided in the Contract Document), and, where such direct collection has been approved by Wabtec, comply with Data Protection Laws, including provisions concerning notice, consent, access and correction/deletion; any notices to be provided and any consent language to be used when collecting such information directly from a Data Subject are subject to Wabtec’s prior written approval;

(e) keep and maintain adequate and complete documentation and records of Supplier’s Processing or use of Wabtec Personal Data, in accordance with Data Protection Laws;

(f) perform, without limitation, any formality, request for authorization, approval, and data protection impact assessment, as may be prescribed by Data Protection Laws; and

(g) comply with the principles of “privacy by design” and “privacy by default”, as provided for in the Data Protection Laws.

2. International Transfers & Hosting Locations.

(a) Supplier must receive approval from Wabtec prior to (i) moving Personal Data from the hosting jurisdictions identified in the Contract Document to a different hosting jurisdiction; or (ii) provisioning remote access to such Personal Data from any location other than such hosting jurisdictions identified in the Contract Document; where Wabtec approves, such approval may be conditioned on execution of additional agreements to facilitate compliance with applicable law.

(b) Supplier acknowledges that some Data Protection Laws may require additional measures be taken to secure transfers of Personal Data outside the country or region they originate from. In such a case, Supplier shall assist Wabtec and, where relevant, Wabtec affiliates, in implementing these additional measures and, for instance, enter into separate Personal Data transfer agreements, where and as mandated under Data Protection Laws.

3. Inquiries. Supplier shall notify Wabtec without delay, and in any event no later than twenty-four (24) hours after becoming aware of (i) any legally binding request for disclosure of and/or request for access to Wabtec Personal Data by a law enforcement authority, unless otherwise prohibited under applicable law, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; (ii) any legally binding request, order or inspection activity by a regulatory authority or other competent authority relating to Personal Data or privacy protection; or (iii) any request or question received from Data Subjects in relation to their Wabtec Personal Data, such as requests for access, rectification, portability or deletion of their Wabtec Personal Data. Except in order to confirm that such request is properly directed to Wabtec, Supplier shall not respond independently to any such questions and/or requests, unless otherwise expressly agreed in writing by Wabtec, in which case Supplier undertakes to comply with the processes and conditions set out by Wabtec to this effect.

4. Confidentiality & Information Security. Supplier shall comply with Section II above if Supplier processes Personal Data in connection with the Contract Document. Supplier shall limit disclosure of or access to Personal Data to its Supplier Personnel who have a legitimate business need-to-know relating to this Contract Document, and who have received proper training and instruction as to the requirements of the Contract Document (such as confidentiality requirements) and this Appendix.

5. Return of Personal Data and Termination. Supplier shall, within fifteen (15) days of termination of the Contract Document, or if requested during the term of the Contract Document, cease all Processing of Personal Data and return to Wabtec all copies of Personal Data. In lieu of returning copies, Wabtec may, at its sole discretion, require Supplier to destroy all copies of Personal Data, using agreed-upon methods to ensure such Personal Data is not recoverable, and certify to such destruction. Supplier may continue to retain Personal Data beyond the period prescribed in this section above where required by law, or in accordance with the Contract Document and/or applicable regulatory or industry standards, provided that (i) Supplier notifies Wabtec prior to the Contract Document’s termination or expiration of the obligation, including the specific reasons for such retention; (ii) Supplier has a documented retention period and secure deletion procedure for such copies, with back-up copies retained only to the end of their legally required retention period; (iii) following such period, all copies and back-up copies are deleted in such a manner that they are not recoverable; (iv) Supplier performs no Processing of Personal Data other than that necessitated by retaining or deleting the relevant copies; and (v) Supplier continues to comply with all the requirements of this Appendix in relation to any such retained Personal Data until the same is securely deleted. Termination or expiration of the Contract Document for any reason shall not relieve the Supplier from obligations to continue to protect Personal Data in accordance with the terms of the Contract Document and this Appendix.

6. Supplier Personal Data. Wabtec may require Supplier to provide certain Personal Data such as the name, address, telephone number, and e-mail address of Supplier’s representatives to facilitate the performance of the Contract Document, and Wabtec and its contractors may store such data in databases located and accessible globally by their personnel and use it for necessary purposes in connection with the performance of the Contract Document, including but not limited to Supplier payment administration. Wabtec agrees to use reasonable technical and organizational measures to ensure that such information is processed in conformity with applicable data protection laws. Supplier may obtain a copy of the Supplier personal information by written request or submit updates and corrections by written notice to Wabtec.

Part B - European Privacy & Data Protection. This Part B applies whenever Processing of Personal Data by Supplier and/or Supplier Personnel in connection with the Contract Document falls within the scope of any EU Law or the laws of the United Kingdom. In addition to the other sections of this Appendix, to comply with the requirements of applicable EU law, Supplier agrees to the following (which shall prevail in the event of conflict with the other provisions of this Appendix):

1. Supplier shall assist Wabtec in the fulfilment of Wabtec’s obligations under applicable EU law and Data Protection Laws including:

(a) preparation of Privacy Impact Assessments (where required);

(b) response to Data Subject access requests; and

(c) any required breach notification to Data Protection Authorities and Data Subjects.

2. Supplier shall notify Wabtec without undue delay after becoming aware of any Security Incident involving the Processing of Personal Data that falls within the scope of this Part B.

3. Supplier shall assist Wabtec in obtaining approval for Processing from Data Protection Authorities where required.

4. Supplier shall, at Wabtec’s election, either return or destroy Personal Data at the termination of the Contract Document (except as required by EU or Member State law).

5. Upon request, Supplier shall provide Wabtec with all information necessary to demonstrate Supplier’s compliance with applicable EU law.

6. Supplier shall refrain from transferring any Wabtec Personal Data to a country which would not be deemed as offering an adequate level of protection by the European Commission, without relying, for the entire duration of the Agreement, on (i) an agreement strictly based on the European Commission Decision of 5 February 2010, as provided in Exhibit B of this Appendix, including any European Commission Decision updating or replacing the aforementioned Decision, entered into with Wabtec and/or Wabtec affiliates or, if agreed by Wabtec, (ii) an alternate mechanism in accordance with the applicable legislation of the European Union. In the event that any transfer mechanism under Data Protection Laws of the European Union is determined by the Court of Justice of the European Union or another body of the European Union not to be adequate, Supplier shall, as soon as possible, adopt and implement an appropriate alternative transfer mechanism. In the event that Supplier fails to adopt an alternative transfer mechanism within one (1) month of the invalidation decision by the European Union body, notwithstanding anything to the contrary in the Agreement, Wabtec may terminate the Agreement, at no cost, as of right and without prejudice to Wabtec’s other rights and remedies.

7. Where both Wabtec and all Supplier Processing of Personal Data are located within the EU, EEA and/or United Kingdom, or Supplier Processing occurs outside the EU, EEA and/or United Kingdom and related international transfers are subject to a transfer mechanism other than EU Standard Contractual Clauses (e.g. adequacy, Supplier BCR-Processor or EU-US/Swiss-US Privacy Shield), the categories of Data Subjects’ Personal Data Processed and the types of such Personal Data Processed may concern the following:

Categories of Data Subjects

Employees; trainees; applicants; contract and temporary workers; directors and others whose personal information is shared with Wabtec in the context of an employment relationship; suppliers; distributors and agents; customers; prospects; and clients.

Examples of Types of Personal Data

Identification data (name, surname, address, email address, date and other identifying information); professional identification data (CV, professional status, education, awards, job description, hierarchical positioning, performance levels); financial and economic information (bank details, salary); system log data; geolocation data; identifiers such as any unique personal identifier or IP address; other personal data that may be contained in business related communications and interactions, internal systems and log data; and sensitive personal data including information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, health or medical records and criminal records.

SECTION IV – MISCELLANEOUS

  1. Limitation of Liability. Notwithstanding anything to the contrary in this Appendix, the liability of Supplier for any breach of this Appendix shall not be subject to the limitations of liability provisions included in the Contract Document, if any.
  2. Indemnification. Supplier shall indemnify and hold Wabtec harmless against every claim, litigation, compensation or sanction, of any nature (civil, administrative or criminal), which would arise from the violation by the Supplier of the commitments contained in this Appendix. Where relevant, the Supplier shall compensate Wabtec for any conviction and legal expenses, including reasonable attorney’s fees, pronounced against Wabtec in a judicial or administrative decision which has become enforceable.
  3. Compensation. The Parties acknowledge and agree that the activities performed by Supplier under this Appendix do not involve any right to specific compensation other than that compensation owed to Supplier for the provision of services in accordance with the Contract Document.

Wabtec Third Party Information Security Requirements

INTRODUCTION

The Wabtec Third Party Information Security Requirements document outlines the security requirements applicable to Wabtec Third Parties, including suppliers and joint ventures. The security requirements outlined herein are applicable to Third Parties that Process Wabtec Confidential Information, have access to a Wabtec Information System, or provide certain services or Products, as described below. The security requirements are designed to vary based on the level of risk the Third Party Products or services may present to Wabtec.

Wabtec reserves the right to update this document from time to time.

SECTION I - MINIMUM SECURITY REQUIREMENTS

If a Third Party Processes Wabtec Data or Wabtec Confidential Information, or has a Direct Network Connection to the Wabtec managed network, the Third Party shall, at a minimum, do or implement the following:

Minimum Security Requirements

Written policies and procedures addressing information security, including roles and responsibilities

Accurate inventory of assets, including those that Process Wabtec Data or connect to Wabtec managed network

Security Education Training and Awareness Program to ensure workers receive regular security awareness training

Access Management Program that ensures that access to information systems, or data contained therein, is approved prior to being granted, access credentials are appropriately secured and managed to limit access to those with a legitimate business need, and Third Party’s personnel’s access to both Wabtec’s systems and Third Party’s systems is immediately revoked once there is no longer a legitimate business need for such personnel to access those systems or information contained therein.

Passwords and other passphrases that meet complexity and re-use restrictions, managed consistent with industry expectations

Authentication mechanism or process to protect and validate access to systems or information including timeouts and limiting failed attempts

Physical security of offices, rooms, facilities and all communication networks against external and environmental threats

Network environments that separate production and non-production systems

Industry Best Practices for network protection (e.g., intrusion detection, intrusion prevention, data loss prevention, firewalls), which are monitored where applicable

Logs of security events; logs must be kept secure

Incident Response Program to ensure timely response, reporting and management of incidents

Periodic independent reviews of the security management program, with results reviewed by management and identified risks tracked to a decision

Vulnerability Management Program to identify and remediate vulnerabilities in all systems, products, services, network devices, etc., in an effective and timely manner.

If applicable, Secure Development Lifecycle expectations regarding code management, change management, and code reviews for software and systems used internally or provided to Wabtec

Secure disposal and re-use processes that are aligned with industry standard procedures to ensure information is destroyed

Documentation of data flows for all Wabtec Confidential Information within the Third Party’s control

Business Continuity, Disaster Recovery, and Capacity Management plans to ensure continued delivery of services

Secure transmission, including use of encryption, of information or data; information or data at rest must be secured.


SECTION II - SOFTWARE OR PRODUCT DEVELOPMENT SECURITY CONTROLS

In addition to any applicable Minimum Security Requirements (listed in Section I above), a Third Party that develops Products for, or provides Products to, Wabtec shall do or implement the following:

Software or Product Development Security Controls

Secure software development lifecycle policy, detailing “security by design” and “privacy by design” concepts

Security testing processes to ensure that all developed Products undergo predefined security testing and formal acceptance to meet Wabtec’s needs

Security training provided to Product developers on how to incorporate “security by design” and “privacy by design” into Products, including how to identify and address security vulnerabilities and flaws

Secure development tollgates must be documented and followed to ensure appropriate reviews and approvals throughout the entire software development lifecycle processes

All source code and 3rd party libraries must be periodically scanned for vulnerabilities; Systems or services used for these scans must be disclosed to Wabtec prior to code development

All vulnerabilities deemed "Critical", "High" or "Medium", per the Common Vulnerability Scoring System, must be remediated before delivery to Wabtec. All remaining vulnerabilities must be reported to Wabtec upon delivery of any software code or 3rd party libraries

Third Party represents, warrants and covenants that (i) it has disclosed all Open Source Software and Third Party Materials utilized with the Products, and no Open Source Software or Third Party Materials have been or will be provided to Wabtec or used as a component of or in relation to any Products provided under the Contract Document, except with the prior written authorization of Wabtec; and (ii) all Open Source Software contained within the Products are and shall be in material compliance with the terms and conditions of the applicable licenses governing their use, and the Products or the use thereof by Wabtec shall not cause Wabtec or Wabtec's intellectual property rights to be subject to the terms or conditions of a Copyleft License, or require Wabtec to fulfil any open source license obligations for any Open Source Software contained within the Products.

A threat model is required for all software systems that are developed for Wabtec

Third Party shall not engage other third parties that have or will have access to Wabtec systems or data, or that will create software for Wabtec, without Wabtec's prior approval

Systems used in the development of software or Product must be free of vulnerabilities; Third Party must not use obsolete or unsupported software or systems in the development of Product

Cybersecurity guidance in the documentation provided to Wabtec regarding use of Product. This documentation shall include guidance on how to configure Products and/or the surrounding environment to best ensure security

If any cryptographic systems are contained in the Product, Third Party shall only use cryptographic algorithms and key lengths that meet or exceed the most current version of the National Institute of Standards and Technology (NIST) Special Publication 800-131A, and Third Party shall provide an automated remote key-establishment (update) method that protects the confidentiality and integrity

Third Party must develop and maintain an up-to-date Cybersecurity Vulnerability management plan designed to promptly identify, prevent, investigate, and mitigate any Cybersecurity Vulnerabilities and perform any required recovery actions to remedy the impact with respect to Products provided to Wabtec.

Third Party shall notify Wabtec within a reasonable period, in no event to exceed three (3) business days after discovery, or shorter if required by applicable law or regulation, of any potential Cybersecurity Vulnerability impacting a Product provided to Wabtec. Third Party shall report all critical Cybersecurity Vulnerabilities that would have a significant adverse effect on Wabtec, and any Cybersecurity Vulnerability with a fix, to Wabtec at security [at] wabtec [dot] com with "Vulnerability Notice" in the subject line, or at such contact information communicated to Third Party from time to time. Within a reasonable time thereafter, Third Party shall provide Wabtec, free of charge, with any upgrades, updates, releases, maintenance releases and error or bug fixes necessary to remediate any Cybersecurity Vulnerability. Third Party shall reasonably cooperate with Wabtec in its investigation of a Cybersecurity Vulnerability, whether discovered by Third Party, Wabtec, or another third party, which shall include providing Wabtec a detailed description of the Cybersecurity Vulnerability, the remediation plan, and any other information Wabtec reasonably may request concerning the Cybersecurity Vulnerability, as soon as such information can be collected or otherwise becomes available. Wabtec or Wabtec's agent shall have the right to conduct a cybersecurity assessment of the applicable Software or Products, and the development lifecycle, which includes tests intended to identify potential cybersecurity vulnerabilities. Third Party shall designate an individual responsible for management of the Cybersecurity Vulnerability and shall identify such individual to Wabtec promptly.

Third Party represents, warrants, and covenants that the Products: (a) do not contain any restrictive devices such as any key, node lock, time-out, time bomb, or other function, whether implemented by electronic, mechanical, or other means, which may restrict or otherwise impair the operation or use of the Products or any material embodying or comprising Software or Products; and (b) shall be free of viruses, malware, and other harmful code (including, without limitation, time-out features) which may interfere with the use of the Software or Products regardless of whether Third Party or its personnel purposefully placed such code in the Products. In addition to exercising any of Wabtec’s other rights and remedies under this Agreement or otherwise at law or in equity, Third Party shall provide Wabtec, free of charge, with any and all new versions, upgrades, updates, releases, maintenance releases, and error or bug fixes of the Software or Products which prevents a breach of any of the warranties provided under this Agreement or corrects a breach of such warranties.

When a data storage device is decommissioned the device must be data sanitized using documented industry standard procedures
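The two requirements in this Section that a delivery pipeline can check mechanically are the CVSS rule (no "Critical", "High" or "Medium" finding may ship; everything else must be reported at delivery) and the cryptography rule (algorithms and key lengths must meet NIST SP 800-131A). The following is an added example of a pre-delivery gate that enforces both; it is not Wabtec's tooling and not part of the Requirements document. It assumes scanner findings and the Product's cryptographic inventory arrive as the simple records constructed inline, uses placeholder finding ids rather than real CVE identifiers, and encodes the SP 800-131A Rev. 2 (2019) status rows it needs, so the thresholds must be re-checked against whatever revision is current when the gate is used.

```python
"""Pre-delivery gate: CVSS severity rule plus SP 800-131A algorithm check.
Added example, not Wabtec's own tooling. Sample inputs are constructed."""
from dataclasses import dataclass

BLOCKING_SEVERITIES = {"Critical", "High", "Medium"}   # must be fixed before delivery


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to the FIRST qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Finding:
    component: str   # constructed component name
    finding_id: str  # constructed placeholder, not a real CVE id
    score: float     # CVSS v3.x base score as reported by the scanner


def gate_vulnerabilities(findings):
    """Return (blocking, report): blocking findings stop delivery; the rest
    must be listed in the delivery report rather than silently shipped."""
    blocking, report = [], []
    for f in findings:
        sev = cvss_severity(f.score)
        (blocking if sev in BLOCKING_SEVERITIES else report).append((f, sev))
    return blocking, report


def sp800_131a_status(use: str, algorithm: str, bits: int, year: int = 2024) -> str:
    """Classify one cryptographic use against NIST SP 800-131A Rev. 2 (2019).
    'bits' is the modulus/curve size for asymmetric algorithms and the key size
    for symmetric ones; it is ignored for hash functions. Only the rows this
    example needs are encoded; anything unrecognised is "disallowed" so an
    incomplete table fails closed. Re-check against the current revision."""
    alg = algorithm.upper()
    if use == "encryption":
        if alg == "AES" and bits in (128, 192, 256):
            return "acceptable"
        if alg == "TDEA" and bits == 168:            # three-key Triple DES
            return "deprecated" if year <= 2023 else "disallowed"
        return "disallowed"                          # two-key TDEA, DES, unknown
    if use in ("signature-generation", "signature-verification"):
        if alg.startswith("SHA"):
            if alg == "SHA-1":
                return "disallowed" if use == "signature-generation" else "legacy-use"
            return "acceptable"                      # SHA-2 and SHA-3 families
        floor = {"RSA": 2048, "DSA": 2048, "ECDSA": 224}.get(alg)
        if floor is None:
            return "disallowed"
        if bits >= floor:
            return "acceptable"
        # Short keys: never generate new signatures; verifying old ones is legacy use.
        return "disallowed" if use == "signature-generation" else "legacy-use"
    if use in ("key-agreement", "key-transport"):
        floor = {"DH": 2048, "RSA": 2048, "ECDH": 224}.get(alg)
        return "acceptable" if floor is not None and bits >= floor else "disallowed"
    return "disallowed"


def delivery_gate(findings, crypto_inventory, year: int = 2024) -> dict:
    """Combine both checks. 'crypto_inventory' is a list of (use, algorithm, bits)."""
    blocking, report = gate_vulnerabilities(findings)
    weak_crypto = []
    for use, alg, bits in crypto_inventory:
        status = sp800_131a_status(use, alg, bits, year)
        if status != "acceptable":                   # deprecated/legacy-use also fail
            weak_crypto.append((use, alg, bits, status))
    return {
        "deliverable": not blocking and not weak_crypto,
        "remediate_before_delivery": blocking,
        "report_at_delivery": report,
        "weak_crypto": weak_crypto,
    }


# Constructed sample input (placeholders, not real scan output).
SAMPLE_FINDINGS = [
    Finding("parser-lib 2.1", "FINDING-0001", 9.8),   # Critical: blocks delivery
    Finding("http-client 0.9", "FINDING-0002", 5.3),  # Medium: blocks delivery
    Finding("logging 3.0", "FINDING-0003", 3.1),      # Low: may ship, must be reported
]
SAMPLE_CRYPTO = [
    ("encryption", "AES", 256),
    ("signature-generation", "RSA", 1024),   # below the 2048-bit floor
    ("signature-generation", "SHA-1", 160),  # SHA-1 signature generation disallowed
    ("encryption", "TDEA", 168),             # three-key 3DES, disallowed after 2023
    ("key-agreement", "ECDH", 256),
]

if __name__ == "__main__":
    result = delivery_gate(SAMPLE_FINDINGS, SAMPLE_CRYPTO)
    print("deliverable:", result["deliverable"])
    for f, sev in result["remediate_before_delivery"]:
        print(f"  fix before delivery: {f.component} {f.finding_id} ({sev}, {f.score})")
    for f, sev in result["report_at_delivery"]:
        print(f"  report at delivery:  {f.component} {f.finding_id} ({sev}, {f.score})")
    for use, alg, bits, status in result["weak_crypto"]:
        print(f"  crypto fails SP 800-131A: {use} {alg}-{bits} is {status}")
```

Two design choices matter here. The gate treats "deprecated" and "legacy-use" as failures, because the requirement is to meet or exceed the standard for a Product being delivered now, not to keep running what the standard still tolerates for old data. And the CVSS split keeps the "Low" findings in the result rather than discarding them, since the text obliges the Third Party to report them at delivery.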

SECTION III - DATA CENTER SECURITY CONTROLS

In addition to any applicable Minimum Security Requirements (listed in Section I above), a Third Party that provides data center facility services to, or on behalf of, Wabtec shall do or implement the following:

Data Center Security Controls

Periodic third-party attestation of documented, effective and complete controls covering physical security, access management, environmental security, utility resilience, segregation of tenants’ assets, ongoing monitoring, and maintenance of all appropriate systems

A documented process for delivery or handling of equipment or media

Data centers that have a disaster recovery plan for the facility and environment that at least identifies and mitigates risks to Wabtec services in the event of a disaster. The plan shall provide for contingencies to restore facility service if a disaster occurs, such as identified alternate data center sites. The plan shall be shared with Wabtec to ensure Wabtec can coordinate with its own data recovery plan


SECTION IV - DIRECT NETWORK CONNECTIVITY TO WABTEC NETWORK CONTROLS

In addition to any applicable Minimum Security Requirements (listed in Section I above), a Third Party that has a persistent or routable connection to a Wabtec network shall do or implement the following:

Direct Network Connectivity to Wabtec Network Controls

Third Party shall use only Wabtec managed network devices to connect to the Wabtec Network. Wabtec requires out of band connectivity to the remote device for administration. Wabtec must approve all methods of connectivity before connections are established

Third Party shall ensure that no employees will circumvent or disable any security measures put in place by Wabtec

If Wabtec notifies the Third Party of any confirmed “High” or “Critical” vulnerabilities relating to Third Party’s connection to Wabtec networks, the Third Party shall remediate the confirmed vulnerability within 30 days

DEFINITIONS

Contract Document means the relevant agreement, contract, statement of work, task order, purchase order or other document governing the provision of Products, services and/or deliverables by Third Party to Wabtec.

Controlled Data is technical or government information with distribution and/or handling requirements prescribed by law, including but not limited to controlled unclassified information and license required export-controlled data, which is provided by Wabtec to the Third Party in connection with performance of the Contract Document.

Copyleft License means the GNU General Public License version 2.0 (GPLv2) or version 3.0 (GPLv3), Affero General Public License version 3 (AGPLv3), or any other license that requires, as a condition of use, modification and/or distribution of or making available over a network any materials licensed under such a license to be: (a) licensed under its original license; (b) disclosed or distributed in source code form; (c) distributed at no charge; or (d) subject to restrictions on assertions of a licensor's or distributor's patents.

Cybersecurity Vulnerability(ies) means any bug, software defect, design flaw, or other issue with software associated with a Product that could adversely impact the confidentiality, integrity or availability of information or processes associated with the Product.

Direct Network Connection is inclusive of all manners to connect to the Wabtec network through any persistent connection including site-to-site VPN solutions.

Wabtec Confidential Information is information created, collected, or modified by Wabtec that would pose a risk of causing harm to Wabtec if disclosed or used improperly, and is provided to the Third Party under the Contract Document. Wabtec Confidential Information includes, but is not limited to, information pertaining to business operations and strategies, trade secrets, Personal Data, Controlled Data, or Sensitive Personal Data.

Wabtec means the Westinghouse Air Brake Technologies Corporation or a Wabtec Affiliate party to the Contract Document with Third Party.

Wabtec Affiliate means any entity that is directly or indirectly in control of, controlled by, or under common control with Wabtec, whether now existing, or subsequently created or acquired during the term of the Contract Document.

Wabtec Data includes all data provided to Third Party by Wabtec or on behalf of Wabtec as a result of a Contract Document or services being provided to Wabtec by Third Party. Wabtec Data includes Confidential, Personal, Controlled, or Sensitive Personal Data.

Wabtec Information System(s) means any systems and/or computers managed by Wabtec, which includes laptops and network devices.

Highly Privileged Accounts (Users), or HPAs, are accounts with system level administrative or super-user access to devices, applications or databases, administration of accounts and passwords on a system, or ability to override system, security, or application controls.

Mobile Devices means tablets, smartphones and similar devices running mobile operating systems. Laptops are not considered Mobile Devices.

Open Source Software means any material that is distributed as “open source software” or “freeware” or is otherwise distributed publicly or made generally available in source code form under terms that permit modification and redistribution of the material on one or more of the following conditions: (a) that if the material, whether or not modified, is redistributed, that it shall be: (i) disclosed or distributed in source code form; (ii) licensed for the purpose of making derivative works; and/or (iii) distributed at no charge; (b) that redistribution must be licensed or distributed under any Copyleft License, or any of the following license agreements or distribution models: (1) GNU’s General Public License (GPL), Lesser/Library GPL (LGPL), or Affero General Public License (AGPL), (2) the Artistic License (e.g., PERL), (3) the Mozilla Public License, (4) Common Public License, (5) the Sun Community Source License (SCSL), (6) the BSD License, (7) the Apache License and/or (8) other Open Source Software licenses; and/or (c) which is subject to any restrictions on assertions of patents.

Personal Data means any information related to an identified or identifiable natural person (Data Subject), as defined under applicable law Processed in connection with the Contract Document. Legal entities are Data Subjects where required by law.

Product(s) mean any goods, systems, components, products, software and deliverables supplied under the Contract Document.

Process(ing) means to perform any operation or set of operations upon Wabtec data, whether or not by automatic means, including but not limited to, collecting, recording, organizing, storing, adapting or altering, retrieving, accessing, consulting, using, disclosing by transmission, disseminating, or otherwise making available, aligning or combining, blocking, erasing, or destroying.

Sensitive Personal Data is a category of Personal Data considered to be especially sensitive and includes medical records and other personal health information, including protected health information (PHI), as defined in and subject to the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA); personal bank account and payment card information and other financial account information; customer bank account and payment card information; national identifiers; and special categories of data under applicable law (such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, home life and sexual orientation).

Significant Change or Enhancement (to software) means:

  • Any code change that impacts application interfaces (modifies data stream inputs/outputs).
  • Any code change to the application that modifies access to or use of external components (database, files, DLLs, etc.).
  • Any code change that impacts access control.
  • A complete or partial rewrite of an application into a different language (e.g., C++ to Java) or different framework (e.g., Struts to Spring).
  • A change in the application that results in internet exposure where previously it was not.
  • A change in the application that results in the Risk Level increasing (ex. reclassification from Level 4 to Level 3).
  • Transferal of development responsibilities from one Third Party to another, from a Third Party to Wabtec, or from Wabtec to a Third Party. The correction of any existing critical or high vulnerabilities must be conducted prior to transfer or included in the work order for the new Third Party to correct within the applicable remediation timeframe.

Third Party or Supplier is the entity that is providing goods or services to Wabtec pursuant to the Contract Document. It also refers to Wabtec joint ventures.

Third Party Information System(s) means any Third Party system(s) and/or computer(s) used to Process, Store, Transmit and/or Access Wabtec Confidential Information pursuant to the Contract Document, which includes laptops and network devices.

Third Party Materials means materials which are incorporated by Third Party in any Products provided to Wabtec, the proprietary rights to which are owned by one or more third party individuals or entities.

Third Party Personnel means all persons or entities providing services and/or deliverables under the Contract Document, including Supplier's employees, permitted affiliates and third parties (for example, suppliers, contractors, subcontractors, and agents), as well as anyone directly or indirectly employed, engaged or retained by any of them.

Trusted Third Party Network Connection is a physically isolated segment of the Third Party network connected to Wabtec internal network in a manner identical to a standard Wabtec office.
