
BETMAKERS INFORMATION

MANAGEMENT POLICY

SUPPLIER INFORMATION SECURITY

INTERNAL
Relevant to Australia and Sri Lanka only

Supplier Information Security Policy



Name Position Signature

Document owner Alex Teseo Cyber Security Manager

Reviewed By Alex Teseo Cyber Security Manager

Revision History

Version Approval Date Author Signature

0.1 22/02/2022 Allister Jackson-Knaggs

1.0 27/05/2022 Allister Jackson-Knaggs

2.0 31/07/2023 Alex Teseo

Policy Review Frequency Annually


Contents
1. Context
2. Applicability
3. Security Controls
4. What do I need to do?
4.1 Management of exceptions, changes and contractual agreement
4.2 Assurance
4.3 End of service
5. Monitoring and Reporting
5.1 Consequences of breach
Appendix I. RACI Matrix
Appendix II. Standard control sets


1. Context
Suppliers play a big part in supporting BetMakers' business objectives by helping us do more and
reach further. Suppliers' activities may involve handling and processing our information
resources. Therefore, it is important to:

● understand and manage the inherent risks of external suppliers performing those
activities

● identify where an information security incident would lead to a business impact

● ensure we are adequately protected and prepared for it

As we continue to depend on suppliers, we need to ensure that they handle our information as
securely as we would ourselves, with the appropriate security controls in place and
guaranteeing the protection of personal data. This policy establishes specific requirements for
the protection of BetMakers information resources while being handled by a supplier.

2. Applicability
This policy applies to BetMakers unless any aspect is not permitted by local law or regulation.
This policy also applies to any service provided by third party organisations to BetMakers (from
now on, suppliers) that involves storing, accessing or modifying BetMakers information and
using information systems that are not under the complete control of BetMakers (from now on,
services). It will be applicable no matter the type of service, or how it is procured (whether via
corporate credit card, via purchase order, whether single-sourced or via a competitive tender,
etc.).

The business unit in BetMakers procuring the external service (from now on, the request
originator) must ensure that the appropriate security controls are implemented and adhered to
by the supplier. The BetMakers Security Team will provide expert advice on the risks and the
controls required, evaluate any proposal for deviations or exceptions to those controls,
and may monitor and/or audit the activities of the supplier to detect security breaches and test
the implementation of some or all of the required security controls.

The supply chain team will facilitate the process and provide the supplier with the required
security controls to supplement BetMakers standard terms and conditions. The Legal team will
be consulted to provide advice on the drafting of any new or amended clauses. A statement of
the roles and responsibilities covered within this policy can be found in Appendix I.

3. Security Controls
BetMakers will assess the risk and criticality of each service provided by suppliers to identify the
appropriate security controls to protect the information involved.

Such controls must ensure that:

● Information is protected and handled appropriately, in line with the classification
assigned as per the BetMakers Information Security Policy.
● The supplier has security incident management procedures that guarantee timely
notification of security incidents to BetMakers and full collaboration in their investigation
and resolution.


● Transfer of information between any supplier and BetMakers is done in a secure manner
in accordance with industry best practice (both network and physical transfer).
● The supplier is granted direct access to BetMakers information on a strict need-to-know
basis. All granted access is registered on a security log, and access rights are revoked
as soon as they are no longer required.

All suppliers must comply with all the security controls required by BetMakers, and any
exceptions to these security requirements must be justified and alternative risk mitigations
proposed. Then, residual risks will be assessed jointly by the request originator and BetMakers
before being accepted, and the validity of that assessment should be reconsidered periodically.
Likewise, any changes required that may impact information security within the lifecycle of the
service must be treated as any other requirement for exception: communicated in advance,
assessed by the request originator and BetMakers, and agreed prior to change.

BetMakers should identify all the services that require monitoring for security purposes because
of their risk, and periodically audit their compliance to BetMakers security requirements. Upon
the end of the service, BetMakers will decide which information held by the supplier must be
recovered and how, and once BetMakers recovers that information the suppliers must securely
delete any BetMakers data obtained as a consequence of the service provision and formally
confirm that no data remains in their systems.

4. What do I need to do?


As part of contracting services with suppliers, the request originator will be accountable for
ensuring that the supplier's security controls are appropriate for the value to BetMakers of the
information or services they provide and handle. The request originator must identify:

● The classification of the information exposed to the supplier to provide the service, as
per the BetMakers Information Security Policy.

● The type of service that will be provided by the supplier, as indicated in Appendix II.

● Whether the services involve the supplier processing personal data, in which case the
Data Protection team must also be involved in the procurement activity to ensure that it
complies with all necessary data privacy legislation such as the EU General Data
Protection Regulation (GDPR).

The answers will be used to identify the security controls to require of the supplier:

● In any other case, a set of fixed controls will be assigned using the table in Appendix II.

For the acquisition of services related to application systems or that involve personal data, the
suitability of the service and the supplier should be evaluated by the BetMakers Security team
by asking the supplier to complete a self-assessment questionnaire (SAQ) and discussing with
the supplier all the controls required and the detail of their implementation. For other services,
this dialogue may not start until the contract negotiation stage.

In any case, the supply chain will be responsible for communicating the list of security controls
required to the supplier along with any other requirements BetMakers may have. Any
request for exceptions, such as any arising from the SAQ and subsequent discussions, will be
dealt with as described in the following section.


4.1 Management of exceptions, changes and contractual agreement


There may be cases where suppliers find some of the security requirements either as not
applicable or as not viable and make a proposal for compensatory controls for the latter.

These will be considered as exceptions and should be reviewed by to identify:

● for those not applicable, whether that is a valid claim or not.

● for those not viable, whether the proposed controls are appropriate to mitigate the risk or
whether a residual risk should be accepted.

Acceptance must be provided by the appropriate level of seniority (from now on, the approver) -
see Appendix III.

● If the request for exception is not accepted and the supplier is not able/willing to comply
with the initial requirement, then the agreement with the supplier will be dismissed.

● If accepted, the validity of that assessment should be reconsidered periodically.

Likewise, any changes required that may impact information security within the lifecycle of the
service must be treated as follows:

● If required by the supplier (e.g. changes to the security controls required), they must be
communicated in advance, assessed and agreed prior to change.

● If required by BetMakers (e.g. changes to the security controls required, changes to the
nature of services required, changes to the classification of the information involved), a
new set of security requirements must be created as per Appendix, and those will be
submitted to the supplier for acceptance. Any requests for exceptions from the supplier
must be managed as explained above.

All the agreed changes must be updated in the contract. Any residual risks must be logged and
should have a remediation plan and a due date for remediation. These risks must be reviewed
periodically. These controls must form part of the contract and must be extended by the supplier
to any other third parties (or subcontractors) the supplier may depend on to provide the service.

Should the supplier require further changes to the agreed security requirements during the
lifecycle of the service, those will have to be communicated to the request originator including
the justification and proposed compensatory controls. These requests will have to be assessed
following the exception acceptance process described above, and the exception will not be
allowed to be implemented until formal acceptance of the compensatory controls or the residual
risk is provided.

4.2 Assurance
Upon request BetMakers may decide to obtain assurance on the implementation of the required
security controls. This assurance can be achieved via:

● An audit conducted by BetMakers,

● An audit conducted by a third party, on behalf of BetMakers, or


● An audit report provided by the supplier, prepared by an independent, market-leading
third-party audit firm and not older than 3 months.

Moreover, it will have to be decided whether that assurance is required:

● Before the commencement of the contracted service, and/or

● Periodically during the lifecycle of the service.

BetMakers will agree on the best way to obtain that assurance for the service and its conditions
within the contract with the supplier.

4.3 End of service


Upon the end of the service, the request originator and BetMakers must decide:

● What information must be recovered from the supplier, and

● The most adequate format to recover it, in agreement with BetMakers and the supplier.

Once that information is received, the request originator and BetMakers must confirm the
dataset received is readable, usable, and contains what was required of the supplier. Only after
that confirmation, the supplier must delete any BetMakers data obtained throughout the life of
the service/contract and provide the request originator with a formal confirmation that no data
remains in their systems.

If a legal obligation on the supplier to retain the data exists, the supplier must notify the request
originator what the retention period is and agree to notify the request originator of any access to
BetMakers data after the end of the service agreement. The data must be deleted once the
retention period expires and a formal confirmation that no data remains in their systems must be
provided to BetMakers.

5. Monitoring and Reporting


BetMakers may monitor the activities of the supplier on BetMakers systems, networks and
premises to ensure the level of security agreed is maintained and BetMakers security policies
and standards are observed. Any external activities will be covered as described in the
"Assurance" section.

5.1 Consequences of breach


If any deviations from the agreed requirements are detected via monitoring, a security
audit, or any other means, BetMakers will work with the supplier to understand the reasons for
the deviation and will decide whether:

1. A plan is agreed with the supplier to remediate the deficiencies to BetMakers satisfaction
in an agreed timeframe.

● Additionally, compensation may be demanded from the supplier as per the
conditions set in the contract.

● It may be necessary to register a risk on the BetMakers Security risk register.


2. It is deemed a material breach of the agreement, and therefore BetMakers will consider
early termination of services and may demand compensation or initiate legal actions.

Any decision will be made by the request originator (or company representative), provided the
required approval level is obtained as per Appendix III in case a risk needs to be accepted, and
with the support of BetMakers, supply chain and Legal.

Appendix I. RACI Matrix

Task

Classify supplier and identify controls A, R R C C C, I

Communicate requirements to supplier A R

Review exception requests A R C C C

Risk acceptance R I C C C A I

Audit supplier compliance A, R C I I

Breach management A, R C C C C I

End of service A, R C C C I


Appendix II. Standard control sets


The highest information classification.

Type of service.
● Consulting: The supplier will advise BetMakers to achieve its goals, or operate BetMakers business applications on
BetMakers behalf. They may need access to structured and/or unstructured BetMakers information in BetMakers controlled
systems and applications. That information will not be processed or stored on any suppliers or other third party systems other
than end-user devices (laptop/desktop PC)
● Development / Application: The supplier will develop an application for BetMakers and will deliver a software package to be
deployed. The supplier does not require access to BetMakers information in production environments
● System Administration: The supplier requires direct access to BetMakers IT infrastructure to provide services, which may
include changes to system configurations, application configurations, deployment of software, performance tests and/or
security tests. This level of access may imply access to BetMakers information.
● Hosting / Cloud (IaaS/PaaS): BetMakers uses IT infrastructure under the control of the supplier to store BetMakers
information or to deploy BetMakers applications. The supplier may perform some system-level configuration for BetMakers,
but should not require to have access to BetMakers information at all.
● SaaS: BetMakers information is processed by BetMakers through a cloud-based application owned by the supplier. The
supplier controls the code and IT infrastructure of the application, and BetMakers can only change certain functional
configurations. The supplier may need to have direct access to BetMakers information to troubleshoot application incidents.
● Other services: BetMakers information is sent to the supplier for the provision of non-IT services which require certain
processing of A information through applications under the control of the supplier.


Type of Service Highest Information Classification*

Confidential Internal Public

Organization of Information Security

x x x x x x The supplier must have a dedicated Information Security team, with governance in place through an information Governance Board led by C-Level Executives.
The Supplier must have a dedicated Information Security team, with the appropriate expertise for the function.
The Supplier should have an Information Security team with the appropriate expertise for the function.

x x x x x x An Information Security Management System must be established to evaluate risks to the security of BetMakers information and content, to manage the assessment and treatment of these risks and to continually improve the Supplier’s information security.
An Information Security Management System should be established to evaluate risks to the security of BetMakers information and content, to manage the assessment and treatment of these risks and to continually improve the Supplier’s information security.

Human Resource Security

x x x x x x The Supplier’s personnel that are relevant to the service are subject to a standard screening process for new employees, including extensive background verification of previous employment and educational certificates.
The supplier’s personnel that are relevant to the service are subject to a standard screening process for new employees.

x x x x x x The Supplier’s personnel that are relevant to the service must have received formal Information Security and Data Protection Training.

Third-Parties

x x x x x x The Supplier must ensure that no third party (that is not authorised in writing by BetMakers) will obtain access to any BetMakers information.

Data Security and Access Control

x x x x x x The Supplier must in no circumstance use BetMakers information for testing purposes.
The Supplier should not use BetMakers information for testing purposes.

x x x The Supplier must keep BetMakers information separate from the data of its other customers.


x x x x The Supplier must apply security procedures and encryption measures to data in transit and at rest in accordance with the best industry practice to guard against the loss, destruction, corruption or alteration of BetMakers Information in the possession or control of, or accessed by the supplier.
The Supplier must apply security procedures and encryption measures to data in transit in accordance with the best industry practice to guard against the corruption or alteration of BetMakers information in the possession or control over the supplier.

x x x x x x The Supplier must ensure that all transfer of BetMakers information between BetMakers, the supplier and any other authorised third-party must only be communicated over secure channels. Unencrypted Email Attachments, FTP** are prohibited from use and BetMakers must be informed of any instance found by the supplier.
All transfer of BetMakers information between BetMakers, The Supplier and any other authorised third party must be done over secure channels where possible.

x x x The Supplier will obtain the approval of BetMakers before the commencement of the provision of the services to and from any data centre, shared environment or location.

x x x x x Usernames and passwords supplied by BetMakers to the Supplier to access any BetMakers systems, application or any part of its network are provided for the sole use of one specific individual and must not be shared or divulged to any other person.

x x x x There should be no sharing of BetMakers usernames and passwords between the Supplier’s users in any case.

Passwords used to protect access to BetMakers systems or information must be strong in line with industry best practices and regularly changed (at least every 90 days) and maintained in such a manner that they are kept confidential and not easily predicted.

The Supplier must not copy, download or store BetMakers information onto any desktop, laptop, server or other devices at the Supplier’s premises or in the supplier’s possession other than those approved by BetMakers for the provision of the service.

** File-Transfer Protocol, a standard network protocol used for the transfer of digital files between a client and server on a computer network.


x x x x x x Equipment and data storage media disposal used to store / process BetMakers information must be conducted securely in accordance with industry best practice.
Equipment and data storage media used to store / process BetMakers information must be securely deleted before disposal.

Physical Environment

x x x x x Buildings and rooms that house systems and networks supporting BetMakers information must be protected with physical security measures that prevent unauthorised persons from gaining access.

x x x Buildings and rooms that house systems and networks supporting BetMakers information must be protected against weather risks, fire threats, pest infestation, earthquakes and flooding

Communications and Operations

x x x x x x The Supplier must in accordance with best industry practice, maintain appropriate physical and logical security over the network and through its infrastructure

x x x x The Supplier must ensure that it and its personnel do not corrupt or erase BetMakers information on BetMakers systems or network

x x The supplier must ensure the systems and network infrastructure used to provide services to BetMakers are properly protected from external threats
using industry-standard firewalls which the supplier must regularly test for efficacy. The Supplier policy concerning the firewall must be to deny traffic as
default

x x x x x x The supplier must install and maintain industry-standard Anti-Virus software and maintain up to date virus definition files in the Anti-Virus software. The
supplier must ensure that it and its personnel:
● Do not knowingly introduce or allow the introduction of any malware, virus, worm, trojan, zombie, keylogger or other malicious code into any
information systems or networks providing service to or controlled by BetMakers
● Take all responsible precautions to stop any malware, virus, worm, trojan, zombie, keylogger or other forms of malicious code from being
introduced into any information systems or networks providing service to or controlled by BetMakers


x x x x x x All BetMakers information classified as confidential or higher in the supplier’s (including its subcontractors) possession including backups, laptop devices, desktop systems and data transferred over the internet or any other network infrastructure must be encrypted using industry-standard encryption algorithms. The Supplier must keep encryption keys confidential and secure and only available to personnel requiring them for the purpose of providing the services.

x x x All laptop and desktop systems that are used for BetMakers business must be encrypted using full disk encryption. This requirement must be fulfilled
before the supplier handles any BetMakers information.

x x x x x x The Supplier must not store BetMakers information on any portable device, Storage or any portable media type except explicitly permitted by BetMakers, in which case data must be encrypted using industry-standard encryption algorithms.
The Supplier must not store BetMakers information on any other portable device, storage or any portable media type except explicitly permitted by BetMakers.

x x x x x Any wireless network used by the Supplier in connection with the Agreement must be secured to industry standards and at least to a WPA2***
encryption standard and kept secure from unauthorised access. Any wireless network must be logically separate from the network containing
BetMakers Information. “Wireless technology” includes the IEEE standard 802.11 and all additions and amendments to that standard as may arise over
the term of this agreement.

x x x x x The Supplier must properly create or obtain from the appropriate third-party any necessary security patches and promptly apply such patches to the
relevant applications. The supplier must keep a record of any patches applied. For the avoidance of doubt, any software patch that is classified as
critical must be applied within 72 hours of release with all other patches being applied within 14 calendar days of release.

***Wi-Fi protected Access 2, is a security method added to WPA to provide stronger data protection and network access control.


Systems Development

x BetMakers must have complete control over access to any application developed for BetMakers and to all data within.

x x The development of an application or system software must be kept separate (logical separation at the minimum) from the production environment.
Production systems shall not depend on a development infrastructure.

x x All input data from client systems must be tested for validity before any action or evaluation is actioned by the application. All development work
undertaken and code changes made must be application security tested by the supplier using well-known Application and Vulnerability testing tools
before release to ensure it is not susceptible to the following common exploits (but not limited to):
a. Injection
b. Cross-Site Scripting (XSS)
c. Broken Authentication and Session Management
d. Insecure Direct Object References
e. Cross-Site Request Forgery
f. Security Misconfiguration
g. Insecure Cryptographic Storage
h. Failure to restrict URL access
i. Insufficient Transport Layer Protection
j. Unvalidated Redirects and Forwards

x x The application will make use of BetMakers Active Directory services as the master repository of user accounts and to authenticate user access.

x x Passwords must be stored and transmitted in an encrypted format at all times. It will be considered a serious breach of security by BetMakers if this
requirement has been found to not have been followed by the supplier.

x x All authentications between the user and the application must be over HTTPS using strong cryptographic measures. Any publication of BetMakers
information through web pages of the site must be similarly secured using HTTPS and SSL certificates.

x x Any HTTP request must be automatically redirected to the HTTPS version of the content.

x x SSL certificates must be from a trusted authority, have the right hostname and must be configured to mitigate denial of service attacks. Anonymous or
weak SSL ciphers or hash and SSL protocols with weaknesses must not be used.

x x Usernames and passwords must not be hard-coded in an application or stored in cookies or temporary files.


x x x All backup files and temporary files must not be available over web servers. Files that should remain secure must be placed outside the realm of
publicly exposed directories. Only the required system services should be running on the servers providing the service.

x x Any session tokens must be user-unique, non-predictable, resistant to reverse-engineering, or be tied to a specific HTTP client instance to prevent
hijacking and replay attacks. Session tokens must also expire at session termination or session idle timeout of 30 minutes. Session token algorithms
must never be based on, or use any variables of users personal information.

x x x All system error messages must be changed from system defaults, all system information banners in headers must be disabled. Operating system,
hardware and software versions, IP Addresses, Software Stack traces must not be displayed in any information or error message.

x x x x Any remote access to the system for administration/support purposes must be via a secure means.

x x All system default usernames and passwords in production environments must be changed to strong passwords.

x x Unused services, ports and development kits/ tools must be disabled from all internet-facing servers.

x x x Admin interfaces must not be available to the entire internet address range. All admin interfaces for the application must be limited to a range of
addresses and changed from the default directory and file names must be renamed to names different to the default values to limit the opportunity for
opportunistic attempts to gain administrative access.

x x All databases irrespective of whether production, staging or development that contain any BetMakers information must be encrypted to industry
standards. All backups of these databases and any backup containing BetMakers information must also be encrypted.

x x All communications between any database, application and web server must be encrypted using strong encryption.

x x Permissions must be correctly assigned, users must not be able to traverse directories or access default directories that they do not need access to
utilise the application.

x Regular audits and processes must be put in place by the supplier to ensure that users who no longer need access or no longer work for the Supplier
have their permissions to BetMakers data removed immediately.

x The Supplier must deploy sufficient security controls to protect the infrastructure using certified hardware and software. Web-facing systems must be
separated from the internet in a DMZ. Firewalls must restrict both inbound and outbound connections to and from DMZ

x Database servers must not be located in the same network segment as Web Servers and must never be internet facing. There must be separation
between Web Servers and Database Servers


x x The Supplier must not use BetMakers production or live data for testing or development purposes. Test data must be created specifically for these purposes.
The supplier should not use BetMakers production or live data for testing or development programs

x x Testing must not take place on production servers.

x x x The Supplier must ensure that systems and all applications in use, patch levels are maintained current on live systems and that patches are deployed
in line with the manufacturer’s recommendations and within 14 days for all standard patches and within 72 hours for all patches that are deemed either
by the manufacturer or BetMakers as being critical.

x x BetMakers applications must have the capability to limit and validate the inputs by a user before it’s processed by the application. Also, any file/object
uploads into the application must be scanned for malware before being processed by the application

x x Service accounts must not be assigned a working login shell.

System Administration

x x The supplier must comply with all relevant BetMakers security standards and procedures.

Vulnerability Testing

x x x x x The Supplier must perform vulnerability scanning and penetration testing of the service delivery environment regularly, by a market-leading external organisation, no less frequently than annually and appropriately address the issues raised by the tests. The result of these tests and subsequent action plan must be communicated to BetMakers
The Supplier must perform vulnerability scanning and penetration testing of the service delivery environment regularly, by a reputable external organisation, no less frequently than annually and appropriately address the issues raised by the tests. The results of these tests and subsequent action plan must be communicated to BetMakers
The Supplier must perform vulnerability scanning and penetration testing of the service delivery environment regularly, by a reputable external organisation, no less frequently than annually and appropriately address the issues raised by the tests. The results of these tests and subsequent action plan must be communicated to BetMakers

x The Supplier must perform regular and periodic security tests against all applications and code to ensure that they are secure from any new exploits
and vulnerabilities (Supplier must have a Vulnerability Management Program). Results of these security tests done by the supplier must be available to
BetMakers


Information Security Incident Management

x x x x x x The Supplier must establish with BetMakers, a procedure for reporting Security Breaches

x x x x x x In the event, all security breaches that may affect the operation of BetMakers or affect the confidentiality, availability or integrity of the BetMakers
information must be reported to BetMakers within 24 hours from discovery.

x x x x x x Immediately following the Supplier’s notification to the customer of a security breach, the Supplier and BetMakers must coordinate with each other to
investigate the security breach. The Supplier must cooperate with BetMakers in its handling of the matter, including to:
● Assist with any investigation
● Facilitate interviews with the Supplier’s employees and others involved in the matter
● Make available all relevant records, logs, files, data and reporting and other materials required by BetMakers

x x BetMakers must have a right to require a penetration test to be conducted by an insured, competent, independent third-party testing firm approved by
BetMakers Security Department at no additional cost to BetMakers. Penetration testing is to be scheduled within 10 days of the Supplier’s receipt of
written notice from BetMakers after a security incident.

Right to audit and monitor

x x x x x x Upon request from BetMakers, the supplier must provide relevant information on its data processing facilities, procedures and personnel used for the
provision of the services.

x x x x x BetMakers must be entitled to audit and inspect the Supplier’s working premises during normal business hours and without creating a business
interruption, to satisfy itself that adequate measures are being taken to meet the technical and organisational security requirements.

End of Service

x x x x x x Upon the end of service, BetMakers will agree with the supplier:
● What information must be recovered from the supplier
● The format the supplier should use to return the information

x x x x x x The Supplier must return the information to BetMakers as agreed and must securely delete (in accordance with industry best practice) any BetMakers
data obtained throughout the life of the service/contract upon confirmation from BetMakers that the data received is usable and complete. The Supplier
must provide BetMakers with a formal confirmation that no data remains in their systems.

x x x x x x In case a legal obligation to retain the data exists, the supplier must notify BetMakers what the retention period is and agree to notify BetMakers of
any access to BetMakers data after the end of the service agreement. The data must be deleted once the retention period expires and a formal
confirmation that no data remains in their systems must be provided to BetMakers
