• Risk Assessment.
  - A risk assessment must be performed annually to verify the implementation of controls that protect business operations and 10x Data.

• Security Policies and Exception Process.
  - Security policies must be documented, reviewed, and approved, with management oversight, on a periodic basis, following industry best practices.
  - A risk based exception management process must be in place for prioritisation, approval, and remediation or risk acceptance of controls that have not been adopted or implemented.
• Awareness and Education Program.
  - Security policies and responsibilities must be communicated and socialised within the organisation to Supplier Personnel (e.g., both employees and contractors). Supplier Personnel must be trained to identify and report suspected security weaknesses and incidents.

• Organisation.
  - Training and job competence of Supplier Personnel providing services to 10x must be monitored using a formal performance and appraisal process and be supervised by competent staff to ensure compliance with the agreement and have all relevant training necessary to do so.Current organisational charts representing key management responsibilities for services provided, including services provided by dependent suppliers, regardless of tier, must be maintained.You shall have an adequate number Supplier Personnel to provide the Services properly.

• Supplier Personnel Security Policy.
  - Background checks (including criminal) must be performed on applicable Supplier Personnel.
• Agreements.
  - Supplier Personnel must be subject to written non-disclosure or confidentiality obligations before being assigned to 10x services and granted access to 10x systems and information.

• General.
  - You will make sure that people who are performing the Services are suitably qualified, adequately trained and comply with all applicable laws.
  - You will ensure that Supplier Personnel are:
  - diligent, careful, honest, skilled, competent and experienced in the work that they are performing;
  - informed about the Services and their duties in the performance of the Services, any relevant service levels or material terms of the Agreement that they need to know, any rules and regulations and statutory requirements that are relevant including health and safety and that they need to observe all relevant standards of integrity, courtesy and consideration in performing their roles.
  - You will use reasonable endeavours to ensure that there is continuity of personnel to avoid degradation in the service provision to 10x or a 10x client
  - You will ensure that no Supplier Personnel is discouraged from making a protected disclosure under Part 4A of the Employment Rights Act 1996, including to any regulator.

• Training / Screening.
  - 10x's Clients may also require your personnel to attend specific additional training or undergo their additional security screening to satisfy their compliance requirements. Where such personnel are identified, you shall ensure that they attend such training as is required by 10x's Clients. You acknowledge that, if your personnel do not attend required training or comply with and pass the required security screening, your personnel may not be able to provide services to 10x or its clients.

• Removal of Personnel
  - If any of your personnel are working directly with 10x's Clients, you acknowledge that 10x's Clients have a right to direct who provides services to them, and that they may direct that your personnel should be removed from working directly with them and return any of the 10x client information they may have access to. You agree to co-operate with any such requests from 10x's clients and ensure replacements of any removed personnel and comply with any requests for the smooth transition to the new personnel.
  ‍
• On Site Security, Safety Requirements
  - If any of your personnel provide Subcontracted Services at a Client site, you will ensure that your personnel will comply with safety, security and other on-site requirements at those sites.
  ‍
• Living Wage
  - Any of your personnel providing services to 10x's Clients must be paid the London Living Wage or UK Living Wage (as applicable).
  ‍
• Prohibited Employees
  - You will not use personnel to provide the Subcontracted Services who have been convicted or pled guilty to crimes of dishonesty or breach of trust or who have not passed the relevant screening obligations.
  ‍
• Identity Confirmation and Background Checks
  - For personnel assigned to the Subcontracted Services, you must ensure that: (i) you have confirmed the identity (including photographic identification) and residential address of such personnel, (ii) the qualifications and employment history of the person over the five years prior to personnel (who has provided a minimum of two employment references), (iii) any outside business interests or activities of a person do not conflict with their performance of the Subcontracted Services, (iv) where it is permissible to check under applicable law, a criminal history check of the person undertaken by you (to be not less than 3 months old) does not show any crime indicating fraud, dishonesty, or any other crime that could give rise to risks if that person was to perform Subcontracted Services, (v) a credit reference check not more than three (3) months old from a reputable credit referencing agency confirming no County Court Judgements, bankruptcies, voluntary arrangements, decrees, administration orders or other adverse financial matters, (vi) right to work checks sufficient to demonstrate the continuing right to work in the UK and to establish the statutory excuse under the Immigration, Asylum and Nationality Act 2006 (or other equivalent checks where 10x Personnel are working outside of the UK) and (vii) checks to ensure there are no financial sanctions imposed against them by the UK (HM Treasury), the European Union, the US (Office of Foreign Asset Control), or the United Nations.
  ‍
• Personnel Records
  - You will maintain all necessary records relating to the Supplier Personnel and make that available on request and ensure that you have all the necessary rights including under data protection legislation to provide those records to 10x and/or a 10x client.
  

‍

• Accountability.
  - A process for maintaining an inventory of hardware and software assets and other information resources, such as databases and file structures, must be documented.
  - Process for periodic asset recertification must be documented. Identification of unauthorised or unsupported hardware/ software must be performed.
• Disposal or Reuse.
  - Procedures for disposal or reuse of equipment used for logical and physical storage must accomplish sufficient destruction of 10x Data. Procedures must be documented for sanitisation, consistent with the requirements of NIST Standard 800-88 Revision 1, Appendix A (“Guidelines for Media Sanitisation”).
• Personal Asset Controls.
  - Security policies and controls must be documented, reviewed, and approved, with management oversight, on a periodic basis, if personal devices are used to perform business transactions or to access systems where 10x Data or transactions are stored or processed.
  - Procedures must be in place to remove 10x Data and access rights to systems on which 10x Data are stored, processed, or transmitted.

• Physical and Environmental Security Policy.
  - Physical and environmental security plans must exist for facilities and scenarios involving access or storage of 10x Data. Additional physical and environmental controls must be required and enforced for server/ data centre locations.
• Physical Control.
  - Storage of 10x Data at new facilities or locations that are not a Supplier facility must be pre approved by 10x before use.
  - Physical access, to include visitor access, to facilities must be restricted and all access periodically recertified.
  - Asset addition/ removal process from the facility must be documented. Approval from 10x must be obtained before assets with 10x Data are removed from the facility.
  - Policies must be in place to ensure that information is accessed on a need-to-know basis.
• Environmental Control.
  - Facilities, including data and processing centres, must maintain appropriate environmental controls, including fire detection and suppression, climate control and monitoring, power and back-up power solutions, and water damage detection. Environmental control components must be monitored and periodically tested.

• Network Identification.
  - A network diagram, to include all devices, must be kept current to facilitate analysis and incident response.
  - A current data flow diagram must depict 10x Data from origination to end point (including data shared with dependent suppliers).
• Data Storage.
  - All 10x Data, including 10x Data shared with dependent suppliers, must be stored and maintained in a manner that allows for its return or secure destruction upon request from 10x.
• Firewalls.
  - Firewalls must be used for the isolation of all environments, to include physical, virtual, network devices, production and non-production, and application/ presentation layers. Firewall management must follow a process that includes restriction of administrative access and that is documented, reviewed, and approved, with management oversight, on a periodic basis.
  - The production network must be either firewalled or physically isolated from the development and test environments. Multi-tier security architectures that segment application tiers (e.g., presentation layer, application and data) must be used.
  - Periodic network vulnerability scans must be performed and any critical vulnerabilities identified must be remediated within a defined and reasonable timeframe (e.g., within three months).
• Clock Synchronisation.
  - Network devices must have internal clocks synchronised to reliable time sources.
• Remote Access.
  - The data flow in the remote connection must be encrypted and multi-factor authentication must be utilised during the login process.
  - Remote connection settings must limit the ability of remote users to access both initiating network and remote network simultaneously (i.e., no split tunnelling).
  - Dependent suppliers’ remote access must adhere to the same controls and any subcontractor remote access must have a valid business justification.
• Wireless Access.
  - When used to provide services for 10x, wireless access to the Supplier corporate network must be configured to require authentication and be encrypted.
• Data Loss Prevention.
  - Data Loss Prevention (DLP) solutions should be deployed to protect 10x Data, including all points of egress, except to the extent prohibited by legal or regulatory restrictions.

• Operational Procedures and Responsibilities.
  - Operational procedures must be documented and, include monitoring of capacity, performance, service level agreement and key performance indicators.
• Problem Management.
  - Documented problem management processes and procedures must include systematic tracking of problems from discovery to resolution.

• Change Policy and Procedure.
  - Change management policy, including application, operating system, network infrastructure and firewall changes must be documented, reviewed and approved, with management oversight, on a periodic basis. An emergency change management procedure must be specified, including factors leading to emergency change.
  - The change management policy must include clearly identified roles and responsibilities to support separation of duties (e.g., request, approve, implement). The approval process must include pre- and post-evaluation of change. Changes materially affecting 10x services must be communicated to 10x prior to implementation.
  ‍
• Emergency Change Procedures.
  - Emergency change procedures must be in place. Changes materially affecting 10x services must be communicated to 10x.
  

• Logical Access Control Policy.
  - Documented logical access policies and procedures must support role-based, “need-to-know” access (e.g., interdepartmental transfers, terminations) and ensure separation of duties during the approval and provisioning process. Each account provisioned must be uniquely identified. All accounts must be recertified on a periodic basis.
• Privileged Access.
  - Management of privileged user accounts (e.g., those accounts that have the ability to override system controls), to include service accounts, must follow a documented processes and be restricted.
  - A periodic review and governance process must be maintained to ensure appropriate provisioning of privileged access.
• Authentication and Authorisation.
  - A documented authentication and authorisation policy must cover all applicable systems. That policy must include password provisioning requirements, password complexity requirements, password resets, thresholds for lockout attempts, thresholds for inactivity, and assurance that no shared accounts are utilised. Authentication credentials must be encrypted, including in transit to and from dependent suppliers’ environments or when stored by dependent suppliers.

• Data Transmission Controls.
  - Processes, procedures and controls must be documented, reviewed, and approved, with management oversight, on a periodic basis, to ensure data integrity during transmission and to validate that the data transmitted is the same as data received.
• Data Transaction Controls.
  - Controls must be in place to protect the integrity of data transactions at rest and in transit.

• Encryption Policy.
  - Data protection policy must cover data classifications, encryption use, key and certificate lifecycle management, cryptographic algorithms and associated key lengths. Policy must be documented, reviewed, and approved with management oversight, on a periodic basis.
• Encryption Uses.
  - 10X Data must be protected, and should be encrypted, while in transit and at rest across the following types of assets:
  ‍
  - Public shared networks
  - Non-wired networks
  - Cloud services
  - Desktop and portable computing devices
  - Mobile devices
  - Portable media
  - Back-ups
  - ‘Plug & play’ storage devices‍
• Highly Confidential Information must be protected, and should be encrypted, when stored on the types of assets listed above and while in transit over any network; authentication credentials must be encrypted at all times, in transit or in storage.

• Incident Response Process.
  - The information security incident management program must be documented, tested, updated as needed, reviewed, and approved, with management oversight, on a periodic basis. The incident management policy and procedures must include prioritisation, roles and responsibilities, procedures for escalation (internal) and notification (to 10X), tracking and reporting, containment and remediation, and preservation of data to maintain forensic integrity.

• Business Recovery Plans.
  - Comprehensive business resiliency plans addressing business interruptions of key resources supporting all 10X services, including those provided by dependent suppliers, must be documented, tested, reviewed, and approved, with management oversight, on a periodic basis. The business resiliency plan must have an acceptable alternative work location in place to ensure service level commitments are met.
• Technology Recovery.
  - Technology recovery plans to minimise service interruptions and ensure recovery of systems, infrastructure, databases, applications, etc., must be documented, tested, reviewed, and approved with management oversight, on a periodic basis.

• Authorised E-mail Systems and Instant Messaging.
  - Access to non-corporate/ personal email and instant messaging solutions must be restricted. Controls must be in place to prevent Confidential Information from being sent externally through email or instant messaging without encryption. Preventive controls must block malicious messages and attachments. Controls must be in place to prevent auto-forwarding of emails.

• Back-up and Redundancy Processes.
  - Processes enabling full restoration of all systems, applications, and data must be documented, reviewed, and approved, with management oversight, on a periodic basis.
• Back-up Media Destruction.
  - Back-up media must be rendered unreadable when no longer required.
• Offsite Storage.
  - Physical security policy for the offsite facility must be documented, reviewed, and approved, with management oversight, on a periodic basis. Back-up storage devices must be encrypted. Secure transportation procedures of media to and from offsite locations must be defined.

• Handling and Storage.
  - Electronic media and paper records storage and movement procedures must be documented, reviewed, and approved, with management oversight, on a periodic basis, both by Supplier and dependent suppliers.
• Record Control.
  - Electronic media and paper records must be stored in secure bins. Retention procedures for all paper and electronic records must be in accordance with 10X record retention requirements. Document destruction or shredding must be performed in a secure manner.
• Transportation Logistics.
  - The company utilised for transportation of media must be licensed and bonded to provide the services. The transportation company drivers must undergo background checks and receive training to safeguard information during transport. Controls must be in place to safeguard electronic media and paper records during transportation.

• Selection and Oversight.
  - Supplier must have a process to identify all dependent suppliers providing services to Supplier; these dependent suppliers must be disclosed to 10X and approved to the extent required by the Master Agreement. Risk assessments of each dependent supplier’s control environment must be performed.
• Lifecycle Management.
  - Supplier must establish contracts with dependent suppliers providing material services; these contracts must incorporate security control requirements, including data protection controls and notification of security and privacy breaches must be included.
  - Performance review processes must be in place to ensure dependent suppliers’ fulfilment of contract terms and conditions.

• Secure Configuration Availability.
  - Standard security configurations must be established and security hardening demonstrated. Process documentation must be developed, maintained, and under revision control, with management oversight, on a periodic basis. Configurations must include security patches, vulnerability management, default passwords, registry settings, file directory rights and permissions.
• System Patches.
  - Security patch process and procedures, to include requirements for timely patch application, must be documented.
• Operating System.
  - All versions of operating systems in use must be supported and respective security baselines documented.
• Desktop Controls.
  - Systems must be configured to provide only essential capabilities. Policy must prohibit storing of Confidential Information on desktops. The ability to write to electronic media must be limited to documented exceptions.

• Functional Requirements.
  - Applications must implement controls that protect against known vulnerabilities and threats, including Open Web Application Security Project (OWASP) Top 10 Risks, risks outlined in NIST, FFIEC, and PCI (PCI-DSS, PA-DSS, PCI Pin Security), and denial of service (DDOS) attacks.
  - Application layer controls must provide the ability to filter the source of malicious traffic.
  - Restrictions must also be placed on or in front of web server resources to limit denial of service (DoS) attacks.
  - Supplier must monitor uptime on a hosted web or mobile application.
  - The application must perform verification checks for completeness, balancing and reconciliation to data-file balances after transaction updates.
  - Applications must have the ability to determine that operating environments are at acceptable levels, including root/ jailbreak checks, software/ operating system/ patch level checks, and to prevent launch on devices that have been compromised or are insufficiently up-to-date.
  - Procedures around consent (for the users) and procedures to re-validate on a recurring basis any Personal Information gathered, stored, sent, received, or accessed by applications must be defined.
  - Where requirements or risk factors indicate that single-factor authentication is inadequate, including all instances of external connections to 10X networks as well as corporate/ non-customer authentication to Internet-facing applications that involve high-risk transactions such as the ability to transfer funds or to access Confidential Information the application must implement multi-factor authentication.
  - An additional, network-level restriction must be in place to secure 10X/ corporate access to dependent supplier hosted applications that handle Confidential Information.
• Software Development Life Cycle.
  - A Software Development Life Cycle (SDLC) methodology, including release management procedures, must be documented, reviewed, approved, and version controlled, with management oversight, on a periodic basis. These must include activities that foster development of secure software, for example:
  ‍
  - Security requirements in requirements phase,
  - Secure architecture design,
  - Static code analysis during development,
  - Dynamic scanning or penetration testing of code during QA phase, and
  - Remediation of vulnerabilities rated High and above before moving to the next phase.
  - Validation of security requirements (e.g., Information Security (IS) sign-offs, periodic IS reviews, static/ dynamic scanning) must follow a documented methodology.
  - SDLC methodology must include requirements for documentation and be managed by appropriate access controls. Developer access to production environments must be restricted by policy and in implementation.
  - Code certification, including security review of code developed by third parties (e.g., open source, contracted developers), must be performed. Third party and open source code used in applications must be appropriately licensed, inventoried, supported, patches applied timely, tested prior to use in production, and evaluated for security defects on an on-going basis, with any identified gaps remediated in a timely manner.
• Testing and Remediation.
  - Software executables related to client/ server architecture that are involved in handling 10X Data must be undergo vulnerability assessments and penetration tests (both the client and server components) prior to release and on an on-going basis, either internally or using external experts, and any gaps identified must be remediated in a timely manner.
  - Testing must be based on, at a minimum, the OWASP Top 10 risks (or the OWASP Mobile Top 10 risks, where applicable) and the SysAdmin, Audit, Networking, and Security Institute (SANS) Top 25 software security risks, or comparable replacement.
  - Where 10X production data is used in a test environment, the level of control must be consistent with production controls. Production data must be sanitised (e.g., masking of all Personal Information) before use in non-production environments.

• Customer Contact Operations.
  - Prior to working on 10X related calls, customer contact agents must receive training regarding the proper provision of Services and other Deliverables and privacy training, which must cover:
  ‍
  - privacy information classification,
  - legal, regulatory and contract responsibilities for privacy,
  - consequences (including penalties) for violations of privacy Law,
  - contract obligations,
  - email and internet usage guidelines regarding privacy and monitoring, and
  - information on Supplier Personnel and Supplier equipment monitoring policies.
  - Protocols used by the agents to authenticate the identity of the customer must be defined.

• Vulnerability Scanning and Issue Resolution.
  - Vulnerability scans (authenticated and unauthenticated) and penetration tests must be performed against internal and external networks and applications periodically and prior to system provisioning for all systems that process, store or transmit 10X Data. Remediation plans and timelines must be communicated to 10X.

• Malware.
  - All devices must be kept up-to-date with latest anti-virus definitions to mitigate known threats. Anti-virus tools must be configured to run periodic scans to detect, log and disposition malware. Intrusion Detection/ Prevention.
  - Network and host-based intrusion detection and intrusion prevention systems (IDS and IPS) must be deployed with events generated fed into centralised systems for analysis. These systems must accommodate routine updates and real-time alerting. IDS/ IPS signatures must be kept up-to-date to respond to threats.

• Logging and Event Correlation.
  - Monitoring and logging must support centralisation of all security events for analysis and correlation. Organisational responsibility for responding to events must be defined. Retention schedule for various logs must be defined and followed.

• Regulatory Compliance.
  - Supplier must comply with and have processes for researching, evaluating, and complying with, all Laws relevant to the business, process, or activity being undertaken in the particular jurisdiction(s) and shall ensure that it maintains all necessary consents, licences and authorisations needed to provide the services to 10x. Any alleged non-compliance with Laws, regulatory inquiries, and actual or threatened legal claims, must be escalated to 10x.
  - You agree to comply with and ensure that your personnel comply with all anti-bribery and corruption laws, and anti-slavery laws, applicable to you and upon request by 10x certify your compliance with the same. You will keep transparent, up to date records on the supply chain involved in providing the Subcontracted Services and provide it to 10x on our request.
  - You will ensure that any of your personnel involved in providing the Subcontracted Services are legally entitled to work in the country(ies) in which the services are being provided and hold all necessary visas, permits, approvals etc.
  

If you are in breach of any Laws, at your own cost you shall take all actions as 10x or a 10x client may require and are reasonably necessary to comply with such laws.

• Confidential Information.
  - Supplier must ensure that all 10X Minimum Control Requirements that apply to Confidential Information are also implemented with respect to Personal Information.

• Logical Access Control.
  - Social Security Numbers or other national or identifiers must not be utilised as User IDs for logon to applications.

• Website.
  - Procedures around cookie activity must be compliant with the applicable Laws.

• System Development.
  - Privacy impact assessment must be conducted during the requirements phase of system development to evaluate the impact to Personal Information.

• Monitoring.
  - Privacy impact assessment must be performed to review the scope of monitoring. The assessment must not conflict with any applicable local and other Laws.

• Regulatory Compliance.
  - Procedures around consent, as applicable, for the users must be defined. A privacy notice or information banner exists and must be acknowledged by the end user whenever Personal Information is collected, transmitted, processed or stored. Procedures around collecting Personal Information as required by the Law must be defined and restrictions on disclosing that Information must be documented. A process to allow users to access correct, opt-out, delete, restrict, make portable, or object to the processing of, Personal Information must be documented, reviewed, and approved, with management oversight, on a periodic basis.

• Audit Assurance and Compliance.
  - The cloud environment in which data is stored, processed or transmitted must be compliant with relevant industry standards and regulatory restrictions.

• Application and Interface Security.
  - Threat modelling must be conducted throughout the software development lifecycle, including vulnerability assessments, including Static/ Dynamic scanning and code review, to identify defects and complete remediations before hosting in cloud environments.

• Business Continuity Management and Operational Resiliency.
  - Business continuity plans to meet 10X recovery objectives must be in place.

• Data Security and Information Lifecycle Management.
  - Proper segmentation of data environments and segregation between customers must be employed; segmentation/ segregation must enable proper sanitisation, per industry requirements.

• Encryption and Key Management.
  - All communications must be encrypted in-transit between environments.

• Governance and Risk Management.
  - Comprehensive risk assessment processes and centralised monitoring that enables incident response and forensic investigation must be used to ensure proper governance and oversight.

• Identity and Access Management.
  - Management of accounts, including accounts with privileged access, must prevent unauthorised access and mitigate the impacts thereof.

• Interoperability and Portability.
  - 10X Data must be available upon request, in an industry standard format, so as to ensure portability and interoperability.

• Infrastructure and Virtualisation Security.
  - Controls defending against cyberattacks, including principle of least privilege, baseline management, intrusion detection/ prevention systems, host/ network-based firewalls, segmentation, isolation, perimeter security, access management, detailed data flow information, network time, and a SIEM solution must be implemented.

• Security Incident Management, E-Discovery and Cloud Forensics.
  - Technology and associated processes must support the ability to isolate all 10X Data and systems, maintain the system state, and preserve artefacts required for incident response and forensics investigations.

• Supply Chain Management, Transparency and Accountability.
  - Supplier must be accountable for the confidentiality, availability and integrity of all data, to include data processed in cloud environments by dependent suppliers.

• Threat and Vulnerability Management.
  - Vulnerability scans (authenticated and non-authenticated) must be performed, both internally and externally, for all systems. Processes must be in place to ensure tracking and remediation.

• Business Practices.
  - Policies and procedures addressing Supplier business operations, processes for responding to customer complaints, handling of non-public information, signing authority, code of conduct, and change control must be documented, reviewed, and approved, with management oversight, on a periodic basis, and made available to Supplier Personnel.

• Fraud.
  - A fraud detection, prevention and mitigation program, processes and procedures for monitoring and reporting actual and suspected instances of fraud, and specific notification and communication, internally and to 10X, must be documented, reviewed, and approved, with management oversight, on a periodic basis.
  

• Insurance.
  - You agree to provide to us, prior to commencing services for our Clients, evidence of appropriate insurance to cover your liabilities under the Agreement.
  

• Data Use.
  - Policies and processes covering data use and restrictions, including for 10X Data shared with dependent suppliers, must be documented and reviewed, with management oversight, on a periodic basis.
  - Uses and restrictions must include transformation, aggregation, de-identification, creation of derivatives, or alteration of 10X Data.

Records - A record is any type of information created, received, or transmitted in the course of your engagement with 10x's business, regardless of physical format. Examples of where the various types of information are located include: Appointment books and calendars; Audio and video recordings; Computer programs; Contracts; Electronic files; Emails; Handwritten notes; Invoices; Letters and other correspondence; Magnetic tape; Memory in cell phones and PDAs; Online postings, such as on Facebook, Twitter, Instagram, Snapchat, Slack, Reddit, Vine, and other social media platforms and websites; Performance reviews; Test samples; Voicemails.

Disposable Information - Disposable information consists of data that may be discarded or deleted at the discretion of the user once it has served its temporary useful purpose and/or data that may be safely destroyed because it is not a record as defined by this policy. Examples may include: Duplicates of originals that have not been annotated; Preliminary drafts of letters, memoranda, reports, worksheets, and informal notes that do not represent significant steps or decisions in the preparation of an official record; Books, periodicals, manuals, training binders, and other printed materials obtained from sources outside of 10x and retained primarily for reference purposes; Spam and junk mail.

You and Your permitted Subcontractor shall:

• during the period of the Engagement with 10x and for a period of seven (7) years from their creation, or for the period of time required by applicable law, whichever is longer keep, maintain and undertake regular backups of all information, documentation and any and all Records related to the Engagement (whether financial, managerial, personnel-based, operational or otherwise, including all steps taken to comply with any applicable policy or procedures relevant to the Engagement with 10x (including health and safety information and all Records set out above) (the “Documentation”). The Documentation shall include all documents, information and records related to the Subcontractor’s engagement of subcontractors or third parties related to its delivery of the Subcontracted Services, including copies of any relevant agreements. Subcontractor shall provide any and all Documentation to 10x and the Client if requested at any time and shall ensure that it has a right or is not prevented from doing so (whether under the Data Protection Legislation or otherwise);
  ‍
• during the Term and for a period of seven (7) years thereafter provide access to duly authorised staff and agents of 10x and the Client, including any Regulatory Authority, to inspect and take copies of the above Documentation and interview its employees and agents to obtain information and oral explanations of the Documentation;
  ‍
• during the Term and for a period of three (3) years thereafter permit 10x, the Client, any Regulatory Authority and their respective Representatives to access on demand during normal business hours the Subcontractor’s premises, Subcontractor Personnel, systems, relevant records and all Documentation as may be required in order to complete any audit (be it an audit of the Subcontractor, 10x or the Client); co-operate and respond to any request from a Regulatory Authority in all matters related to or relevant to the Agreement (whether directed at 10x, the Client or the Subcontractor); and/ or to investigate suspected fraud.