HUGO BOSS Information security requirements for service providers

The following requirements regulate general information technology requirements of HUGO BOSS. These requirements are part of the information technology (IT) services or IT-related services contract between a partner and HUGO BOSS. 

  1. General requirements for all HUGO BOSS service providers:

    1.1 The Partners shall inform HUGO BOSS of all incidents relating to information security from their sphere, including their subcontractors and other vicarious agents, which may have an impact on the IT infrastructure of HUGO BOSS. The notification shall be sent by e-mail to information-security@hugoboss.com.

    1.2 The Partners shall disclose to HUGO BOSS their own security concept for the protection of their own IT infrastructure and shall present to HUGO BOSS the technical and organizational measures (TOMs) created for this purpose. The security measures correspond to the state of the art.

    1.3 Partners who come into contact with confidential data of HUGO BOSS in the course of their activities shall ensure a level of protection that corresponds to the state of the art. Confidential data is all data that is of particularly high value to HUGO BOSS, such as personal data, financial data or business secrets. If there are any questions regarding the classification concept, HUGO BOSS will be happy to provide information at any time.

    1.4 HUGO BOSS data will not be passed on to third parties without consultation. The confidentiality declaration issued by the Partner shall apply accordingly.

    1.5 The service provider shall ensure that only authorized employees have access to the log-in data for access to HUGO BOSS data.

     
  2. Supplement for partners working on the HUGO BOSS premises and on HUGO BOSS systems

    2.1 If a partner works with software or hardware from HUGO BOSS, files with a HUGO BOSS reference must only be processed and stored on the systems owned by HUGO BOSS.

    2.2 HUGO BOSS software or hardware will only be removed from the HUGO BOSS Campus with the explicit consent of HUGO BOSS.

    2.3 HUGO BOSS’s IT systems shall not be used for private purposes.

    2.4 All work equipment that allows access to HUGO BOSS's IT systems must always be locked if it is unattended.

    2.5 E-mails concerning the business operations of HUGO BOSS will not be forwarded to unauthorized third parties.

    2.6 All company assets that allow access to the IT systems of HUGO BOSS or are the property of HUGO BOSS, such as company ID cards, keys or data carriers, shall be returned to HUGO BOSS after termination of the business relationship.

     
  3. Supplement for service providers who provide IT equipment or have access to IT systems

    3.1 If the partner operates IT systems which have access to the IT systems, networks and infrastructures of HUGO BOSS, he adheres to the following security standards:
    • Appropriate data backup is ensured.
    • A state-of-the-art anti-virus program is used at all times.
    • The necessary system and software updates are carried out regularly. The systems are updated according to the specifications of the operating system provider. 

    If you have any questions about the security measures, HUGO BOSS will be happy to provide you with information.

    3.2 After termination of services and/or in the case of hardware replacement, the systems used for the operation of the contract shall be deleted and all HUGO BOSS data must be irreversibly erased.

     
  4. Supplement for partners who have a network connection with HUGO BOSS

    4.1 Partners who maintain a network connection with HUGO BOSS (e.g. Lan2Lan or Remote Support via VPN) only access the servers and systems defined in the contract.

    4.2 No software previously provided or approved by HUGO BOSS is installed or used.


Version 1.1, Date: 01.05.2024