Last Updated February 3, 2021
This Data Processing Addendum (“Addendum” or “DPA”) is made effective by and between Abnormal Security Corporation (“Company”) and the “Customer” that is identified in the applicable Company Trial Agreement and/or Master Service Agreement (either, the “Agreement”), or alternatively in the applicable Company Order Form, as of the Effective Date of the Agreement and is incorporated by reference therein. All capitalized terms used but not otherwise defined herein have the respective meanings ascribed to them in the Agreement.
Customer has purchased a subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum, together with the Agreement, serves as the binding contract referred to in Article 28(3) of the GDPR that sets out the subject matter, duration, nature, and purpose of the Processing, the type of Personal Data and categories of data subjects as well as the obligations and rights of the Controller.
In the provision of the Service by Company to Customer pursuant to the Agreement, Customer acts as Controller and Company acts as Processor with respect to the Personal Data or, as the case may be, Customer acts as a Processor for its end user customers (as ultimate Controllers), and Company will act as a Sub-Processor acting on the instruction of the Customer on behalf of its end user customers.
The parties agree as follows:
1. Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this Addendum will have the meanings given to them herein.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer, including when acting on behalf of its own end user customer.
“Data Protection Laws” means: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); and (ii) to the extent applicable to the Service, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement.
“Data Subject” has the meaning given to it in the Data Protection Laws.
“EEA” means the European Economic Area.
“Personal Data” has the meaning given to it in the Data Protection Laws and for the purpose of this Addendum relates to the personal data Processed by Company on behalf of Customer as described in Section 4.
“Personal Data Breach” has the meaning given to it in the Data Protection Laws and for the purpose of this Addendum relates to the personal data Processed by Company on behalf of Customer.
“Processing” has the meaning given to it in the Data Protection Laws and “process”, “processes” and “processed” will be construed accordingly.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Company.
“Standard Contractual Clauses” means the terms attached to this Addendum as Exhibit 1 and promulgated pursuant to the European Commission’s decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection.
2. Compliance with Laws. Each party will comply with the Data Protection Laws as applicable to it. In particular, Customer will comply with its obligations as Controller (or on behalf of Controller) and Company will comply with its obligations as Processor.
3. Customer Obligations. Customer as Controller (or on behalf of the ultimate Controller) undertakes that all instructions for the Processing of Personal Data under the Agreement or this Addendum or as otherwise agreed will comply with the Data Protection Laws, and such instructions will not in any way cause Company to be in breach of any Data Protection Laws. Customer is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by Company including the means by which Customer acquired Personal Data.
4. Data Processing. Company will Process the Personal Data for the sole purpose of providing the Service to Customer. Company will Process the Personal Data in accordance with Customer’s instructions as documented in the Agreement and this Addendum for the term of the Agreement. Company will not access, use or otherwise Process such Personal Data, except as necessary to provide the Service. Unless prohibited by applicable law, Company will notify Customer if, in its opinion, an instruction infringes any EU Member State law to which it is subject, in which case Company will be entitled to suspend performance of such instruction until Customer confirms in writing that such instruction is valid under EU Member State law. Any additional instructions regarding the manner in which Company Processes the Personal Data will require prior written agreement between Company and Customer. Company will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Company receives a binding order from a law enforcement agency for Personal Data, Company will notify Customer of the request it has received so long as Company is not legally prohibited from doing so. Company will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
5. Transfers of Personal Data Outside of EEA. Company may process Personal Data in connection with its provision of the Service in countries that have different data protection regulations than the Data Protection Laws (“Third Countries”). In such event, subject to the terms of this Addendum, the Standard Contractual Clauses in the form provided in Exhibit 1 will govern the transfer of Personal Data to such Third Countries, including to Subprocessors in such Third Countries, unless the transfer of Personal Data occurs via an alternative means permitted by the Data Protection Laws, such as the EU-US and Swiss-US Privacy Shield Frameworks.
6. Technical and organizational measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will, in relation to the Personal Data, implement appropriate technical and organizational measures to ensure a level of security of the Personal Data appropriate to the risk, as further described in Exhibit 2 of this Addendum. In assessing the appropriate level of security, Company will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
7. Data Subjects’ rights. Company will assist Customer in responding to Data Subjects’ requests exercising their rights under the Data Protection Laws. To that effect, Company will (i) to the extent permitted by applicable law, promptly notify Customer of any request received directly from Data Subjects to access, correct or delete their Personal Data, without responding to that request, and (ii) upon written request from Customer, provide Customer with information that Company has available to reasonably assist Customer in fulfilling its obligations to respond to Data Subjects exercising their rights under the Data Protection Laws.
8. Data Protection Impact Assessments. If Customer is required under the Data Protection Laws to conduct a Data Protection Impact Assessment, then upon written request from Customer, Company will assist where reasonably possible in the fulfilment of the Customer’s obligation as related to its use of the Service, to the extent Customer does not otherwise have access to the relevant information. If required under Data Protection Laws Company will provide reasonable assistance to Customer in the cooperation or prior consultation with the Data Protection Authorities in relation to any applicable Data Protection Impact Assessment.
9. Audit of Technical and Organizational Measures. Company will make available all information necessary to demonstrate its compliance with data protection policies and procedures implemented as part of the Service. To this end, upon written request (not more than once annually) Customer may, at its sole cost and expense, verify Company’s compliance with its data protection obligations as specified in this Addendum by: (i) submitting a security assessment questionnaire to Company; and (ii) if Customer is not satisfied with Company’s responses to the questionnaire, then Customer may conduct an audit in the form of meetings with Company’s information security experts on a mutually agreeable date. Such interviews will be conducted with a minimum of disruption to Company’s normal business operations and subject to Company’s agreement on scope and timing. The Customer may perform the verification described above either itself or by a mutually agreed upon third party auditor, provided that Customer or its authorized auditor executes a mutually agreed upon Non-Disclosure Agreement (“NDA”). Customer will be responsible for any actions taken by its authorized auditor. All information disclosed by Company under this Section 9 will be deemed Company Confidential Information, and Customer will not disclose any audit report to any third party except as obligated by law, court order or administrative order by a government agency. Company will remediate any mutually agreed, material deficiencies in its technical and organizational measures identified by the audit procedures described in this Section 9 within a mutually agreeable timeframe.
10. Breach notification. If Company becomes aware of a Personal Data Breach that results in unlawful or unauthorized access to, or loss, disclosure, or alteration of the Personal Data, which is likely to cause a risk to the fundamental rights and freedoms of the Data Subjects, then Company will notify the Customer without undue delay after becoming aware of such Personal Data Breach and will cooperate with the Customer and take such reasonable commercial steps as agreed with the Customer to assist in the investigation, mitigation and remediation of such Personal Data Breach. Company will provide all reasonably required support and cooperation necessary to enable Customer to comply with its legal obligations in case of a Personal Data Breach pursuant to Articles 33 and 34 of the GDPR.
11. Subprocessing. Customer agrees that Company may engage either Company affiliated companies or third-party providers as sub-Processors under the Agreement and this Addendum (“Subprocessors”) and hereby authorizes Company to engage such Subprocessors in the provision of the Service. Company will restrict the Processing activities performed by Subprocessors to only what is strictly necessary to provide the Service to Customer pursuant to the Agreement and this Addendum. Company will impose appropriate contractual obligations in writing upon the Subprocessors that are no less protective than this Addendum, and Company will remain responsible for the Subprocessors’ compliance with the obligations under this Addendum.
Company maintains a list of all Subprocessors used by Company in the provision of the Service, which is set forth on Exhibit 3 to this Addendum. Company may amend the list of Subprocessors by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Company in writing of the reasons for its objection. Company will work in good faith to address Customer’s objections. If Company is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with Section 4.2 of the Agreement (Termination for Cause).
12. Return or Deletion of Personal Data. Company will delete or return, at Customer’s discretion and upon Customer’s written request, Personal Data within a reasonable period of time following the termination or expiration of the Agreement.
13. Entire Agreement; Conflict. Except as amended by this Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will control.
EXHIBIT 1 Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation: …………………………………………………………………………………………………..
Address:………………………………………………………………………………………………………………………………………
Tel.: ……………………………………………….. ; fax: …………………………………. ; e-mail: ……………………………………
Other information needed to identify the organisation:
………………………………………………………… (the data exporter)
And
Name of the data importing organisation: Abnormal Security Corporation
Address: 797 Bryant Street, San Francisco, CA 94107
Tel.:…………………………………………………………..; fax: ………………………………….;
e-mail: legal@abnormalsecurity.com
Other information needed to identify the organisation:
……………………………………………………… (the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
Clause 6
Liability
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
Clause 7
Mediation and jurisdiction
Clause 8
Cooperation with supervisory authorities
Clause 9
Governing Law
The Clauses will be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
Clause 11
Subprocessing
Clause 12
Obligation after the termination of personal data processing services
On behalf of the data exporter:
Name (written out in full):
Position:
Address:
Other information necessary in order for the contract to be binding (if any):
Signature……………………………………….
(stamp of organisation)
On behalf of the data importer:
Name (written out in full): Vito Brandle
Position: Head of Operations and Finance
Address: 797 Bryant Street, San Francisco, CA 94107
Other information necessary in order for the contract to be binding (if any):
Signature……………………………………….
(stamp of organisation)
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer): As specified in the Addendum.
Data importer
The data importer is (please specify briefly activities relevant to the transfer):
Abnormal Security Corporation provides a cloud-based email fraud detection solution.
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of data
The personal data transferred concern the following categories of data (please specify):
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
N/A
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
Scanning of email contents and metadata for malicious signatures
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
As specified on Exhibit 2 of the Addendum to which these Standard Contractual Clauses are attached.
Exhibit 2
Technical and Organizational Measures
Company has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Company.
Policy Controls:
Collection of Data:
Backup Copies
Computers and Access Terminals
Access Controls
Security while transferring and processing
© 2021 Abnormal Security Corporation. All rights reserved.