Effective from the 1st of January 2026

1. Introduction and scope

1.1 This IT & Data Security Appendix (the “Security Appendix”) describes the technical and organisational measures, data lifecycle and operational practices applied by Culturequest when processing Customer Personal Data under the DPA.

1.2 The Security Appendix applies to all processing of Customer Personal Data carried out by Culturequest and its Sub-processors in the context of providing the Services.

1.3 Culturequest reviews this Security Appendix regularly and may update it to reflect developments in risk, technology, best practice or legal requirements. If Culturequest makes material changes that significantly reduce the level of protection, it will notify affected Controllers in advance.

2. Security governance and policies

2.1 Culturequest maintains an information security and data protection governance structure anchored in its management. Responsibilities for security, privacy and compliance are clearly assigned to specific roles.

2.2 Culturequest maintains internal policies and procedures that address, at a minimum:

• information security and acceptable use of systems;
• access control and identity management;
• data classification, handling and storage;
• incident management, including detection, escalation and notification;
• backup, disaster recovery and business continuity;
• secure software development, testing and change management;
• Sub-processor and vendor management;
• remote work, device security and physical safeguards for equipment.