10x Minimum Control Obligations on Third Parties

These 10x Minimum Control Requirements (“Minimum Control Requirements”) recognise that there may be multiple approaches to accomplish a particular Minimum Control Requirement. The Supplier must document in reasonable detail how a particular control, including those pertaining to dependent suppliers (subcontractors) who collect, transmit, share, store, control, process, manage or access 10x Data, meets the stated Minimum Control Requirement. All Minimum Control Requirements apply to dependent suppliers, even if dependent suppliers are not specifically mentioned in the particular control requirement.

10x may revise the Minimum Control Requirements from time to time, and such revisions will become effective upon publication to the Supplier portal. The Supplier will comply with and implement the revised 10x Minimum Control Requirements as soon as commercially reasonable or otherwise agreed in writing by 10x.

The term “should” in these Minimum Control Requirements means that Supplier will use commercially reasonable efforts to accomplish the stated Minimum Control Requirement, and will document those efforts in reasonable detail, including the rationale, if any, for deviation. This documentation may be reviewed by Auditors to assess the control and the merit of the rationale for deviation. Not all the stated Minimum Control Requirements will apply to all Services or other Deliverables, but Supplier must be able to reasonably show how the Minimum Control Requirement does not apply. These Minimum Control Requirements do not limit Supplier’s obligations under the Agreement or applicable Law, and do not limit the scope of an audit by 10x.

10x may instruct an external Auditor to facilitate and conduct Audits. The Supplier will cooperate with any such external Auditor as reasonably requested by 10x (or any such external Auditor), including entering into agreements any of them may request from time to time, fully and promptly answering questionnaires that 10x or any of them may submit (including submitting information using electronic or other portals or facilities), meeting with any of them to facilitate the Audit, and not requesting any of them to execute a separate non-disclosure agreement.

As used in these Minimum Control Requirements, (i) “including” and its derivatives mean “including but not limited to”; and (iii) “Confidential Information” is understood to include “Highly Confidential Information”, “Personal Information”, “10x Data” and “10x Client Data”.