This Appendix 2 forms part of the Data Processing Agreement and, if they are applicable, the Standard Contractual Clauses.

Description of the technical and organisational security measures implemented by Stryker in accordance with Clauses 4(d) and 5(c).


1. Stryker's security measures:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Stryker shall implement appropriate technical and organisational measures to provide a level of security appropriate to the risk, as appropriate based on the applicable Product. Examples of our standard protocols may include:

(a) the pseudonymisation and encryption of personal data in accordance with standard industry practices;

(b) the ability to undertake maintenance of the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational security measures.


2. Evaluation and update of technical and organizational security measures

Stryker will evaluate technical and organizational security measures over time, considering costs for implementation, nature, scope, context and purposes of processing, and the risk of varying likelihood and severity for the rights and freedoms of natural persons. Stryker may update or modify these security standards from time to time provided such updates and modifications will not result in a material degradation in the security of the Services during the term of the Agreement.

In assessing the appropriate level of security, account will be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.