Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood andseverity for the rights and freedoms of Data Subjects, Intrro shall in relation to Customer Personal Data implement appropriate technical and organizational measuresto ensure a level of security appropriate to that risk (including those outlined in Annex 2of this DPA, (“Security Measures”). In assessing the appropriate level of security, Intrro shall take into account the risks that are presented by Processing Customer Personal Data including, in particular, the risks presented by a Customer Personal DataBreach (as defined in Section 6). Intrro may make such changes to the Security Measures as Intrro deems necessary or appropriate from time to time, including without limitation to comply with applicable law, but no such changes will materially reduce the overall level of protection for Customer Personal Data. Intrro will take appropriate stepsto ensure compliance with the Security Measures by its employees, agents, contract or sand Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have agreedto appropriate obligations of confidentiality.