The review will not be conducted more than once during a 12-month period, during normal business hours, in accordance with Oracle`s field guidelines and regulations, and must not interfere unduly with business activities. If you wish to use a third party to perform the audit, the legal auditor will be agreed by the parties and the legal auditor will have to execute a written confidentiality agreement acceptable to Oracle. Once the review is complete, you provide Oracle with a copy of the audit report, which is classified as confidential information under the terms of your agreement with Oracle. Oracle will contribute to this type of audit by providing you with the information and assistance needed to conduct the audit, including all relevant records of processing activities applicable to the services. If the scope of the requested audit is addressed in an AUDIT report SOC 1 or SOC 2, ISO, NIST, PCI DSS, HIPAA or a similar audit report issued by a qualified external reviewer in the previous 12 months and if Oracle provides you with a report of this type that confirms that no significant changes are known in the audited controls , you accept the findings set out in the third-party supplier`s audit report. instead of requiring a review of the same controls that were carried out. Additional review conditions may be included in your service order. Personal service data is personal data that you provide, located on Oracle, Customer or third-party systems and environments and processed by Oracle on your behalf to run the services. Personal service data may include information about family, lifestyle and social circumstances, depending on the services; Employment details Financial details Online identifiers such as mobile device identifiers and IP addresses, as well as online behavior and third-party interest data.

Human services can be linked to your representatives and end-users, for example.B. Your employees, candidates, contractors, employees, partners, suppliers, customers and customers. For more details on specific security measures applicable to services, see the security practices of these services, including the retention and deletion of available data for verification. To the extent that Oracle entrusts third-party subprocessers with access to the Services` personal data to facilitate the provision of services, these subprocessors are subject to the same level of protection and security as Oracle under the terms of your order for services. Oracle is responsible for meeting the terms of your service order by subprocessors. Unless there is any other obligation in a service order, Oracle will delete your production customer data on Oracle computers at the end of services or at your request, so that it cannot reasonably access or be read, unless Oracle has a legal obligation that prevents Oracle from completely or partially deleting the data. You can contact your Oracle service contact before the end of the service to get more information about data deletion. If the service agreement between you and Oracle refers to oracle Data Processing Agreement for Oracle Services («DPA»), more details about the data transfer mechanism applicable to your Oracle service order are available within the Data Protection Authority. In particular, for human services provided from the European Economic Area (EEA), Switzerland or the United Kingdom («UK»), these transfers are subject to Oracle`s mandatory enterprise rules for processors (BCR-P) or EU standard clauses.