Annex 2

1. Technical and organizational measures

The Processor will process the data in the European Union only.

The Processor and the Client agree that the technical and organizational measures of the data center operator are an integral and an effective part of this DPA. This applies subject to the provision that these technical and organizational measures may be adopted to the newest developments from time to time. The Processor will inform without any further delay the Client about any changes of the security guidelines of the data center operator.

Multiple authorization levels are used when granting access to sensitive systems, including those storing and processing Personal Data. Processes are in place to ensure that authorized users have the appropriate authorization to add, delete, or modify users.

All users access Processor’s systems with a unique identifier (user ID).

1.2. Technical and organizational measures of the data center:

The implemented technical and organizational measures of the data center operator are listed in the Online Services Terms, SLA and other agreement related documents, which are available at http://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=46 and incorporated hereto by reference.