5. Security

5.1 Controls for the Protection of Customer Data. RELAYTO LIMITED shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing. RELAYTO LIMITED’s measures will include those set forth in the Security Documentation attached as Annex II to the SCC applicable to the DPA. RELAYTO LIMITED regularly monitors compliance with these measures. RELAYTO LIMITED will not materially decrease the overall security of the Services during a subscription term.

5.2 Third-Party Certifications and Audits. RELAYTO LIMITED has obtained the third-party certifications and audits set forth in the Security Documentation. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, RELAYTO LIMITED shall make available to Customer that is not a competitor of RELAYTO LIMITED (or Customer’s independent, third-party auditor that is not a competitor of RELAYTO LIMITED) a copy of RELAYTO LIMITED’s then most recent third-party audits or certifications, as applicable.

6. Customer data incident management and notification

RELAYTO LIMITED maintains security incident management policies and procedures specified in the Security Documentation and shall notify Customer without undue delay, but in no event in less than 48 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by RELAYTO LIMITED or its Sub-processors of which RELAYTO LIMITED (a “Customer Data Incident”). RELAYTO LIMITED shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as RELAYTO LIMITED deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within RELAYTO LIMITED’s reasonable control.

The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.

7. Return and deletion of customer data

RELAYTO LIMITED shall return Customer Data to Customer or, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Security Documentation, or as requested by Customer.

8. GDPR and Onward Transfer

8.1 Assistance. As required by the GDPR, RELAYTO LIMITED shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR.
Terms, Conditions, Policies & Plans