5.2 Third-Party Certifications and Audits. RELAYTO LIMITED has obtained the third-party certifications and audits set forth in the Security Documentation. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, RELAYTO LIMITED shall make available to Customer that is not a competitor of RELAYTO LIMITED (or Customer’s independent, third-party auditor that is not a competitor of RELAYTO LIMITED) a copy of RELAYTO LIMITED’s then most recent third-party audits or certifications, as applicable. 6. Customer data incident management and notification RELAYTO LIMITED maintains security incident management policies and procedures specified in the Security Documentation and shall, notify Customer without undue delay, but in no event in less than 48 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by RELAYTO LIMITED or its Sub-processors of which RELAYTO LIMITED (a “Customer Data Incident”). RELAYTO LIMITED shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as RELAYTO LIMITED deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within RELAYTO LIMITED’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users. 7. Return and deletion of customer data RELAYTO LIMITED shall return Customer Data to Customer or, to the extent allowed by applicable law, delete Customer Data in accordance with the procedures and timeframes specified in the Security Documentation, or as requested by Customer. 8. GDPR and Onward Transfer 8.1 Assistance. As required by the GDPR, RELAYTO LIMITED shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR. 8.2 Standard Contractual Clauses. The Standard Contractual Clauses apply to any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to RELAYTO LIMITED’s facilities in countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations, to the extent such transfers are subject to such Data Protection Laws and Regulations. ” (a) Instructions. For the purposes of Section 2 of the DPA, the following acts are deemed an instruction by the Customer to process Personal Data: (a) Customer’s entering into the Agreement and applicable Order Form(s) are deemed instructions to Process Personal Data as is necessary to perform services under the Agreement; 20 of 54