Abnormal Security Cloud Terms of Service
Effective July 1st 2024
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either Party’s obligations in or breach of Section 2.3 (DPA). “General Cap” means the total amounts paid and payable by Customer for: (a) use of the Service or (b) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to a claim of liability. Any Technical Services that are provided on a no-charge basis will be valued at ten thousand dollars for purposes of this definition. “Uncapped Claims” means: (a) the indemnifying Party’s obligations under Section 13 (Indemnification); (b) either Party’s infringement or misappropriation of the other Party’s intellectual property rights; (c) Customer’s breach of Section 3.2 (Restrictions); (d) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data; (e) Customer's payment obligations; and (f) liabilities that cannot be limited by Law.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States, United Kingdom, or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than US$1,000,000 per occurrence and US$2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Acceptable Use Policy” or "AUP" means the Acceptable Use Policy available at legal.abnormalsecurity.com. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (a) the voting power to elect directors of the company, or (b) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one Party (as discloser) to the other Party (as recipient) under this Agreement, in any form, which: (a) the discloser identifies to recipient as “confidential” or “proprietary”; or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, any technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Abnormal in connection with Technical Services. “Data Processing Addendum” or “DPA” means the Data Processing Addendum available at legal.abnormalsecurity.com. 
“Documentation” means the Abnormal standard technical guides, policies, and documentation for the Service, including all additions and modifications made by Abnormal from time to time, that are made available from the dedicated ‘Documentation’ pages within the Service or on the dedicated ‘Customer Support’ of the Abnormal managed website. “Force Majeure” means an unforeseen event beyond a Party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected Party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Information Security Policy” or "ISP" means the Information Security Policy available at legal.abnormalsecurity.com. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (a) either executed by the Parties and references this Agreement or entered into by Customer via self-service; or (b) entered into by Abnormal and a Channel Partner on behalf of Customer. “Product Specific Terms” means any terms and conditions specific to an applicable Service that supplement, but do not replace, this Agreement and are available at legal.abnormalsecurity.com. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. "Service Level Agreement" or “SLA” means the Support and Service Level Policy available at legal.abnormalsecurity.com. “Service Operations Data” means Abnormal’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. 
“Subscription Term” means the term for Customer's use of the Service as set forth on the applicable Order. “Support” means the customer support services set out on: (a) the dedicated ‘Customer Support’ page of the Abnormal website, and (b) the SLA; but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Abnormal furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware. “Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective September 21st 2022 to July 1st 2024
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either Party’s obligations in or breach of Section 2.3 (DPA). “General Cap” means the total amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to a claim of liability. Any Technical Services that are provided on a no-charge basis will be valued at ten thousand dollars for purposes of this definition. “Uncapped Claims” means (a) the indemnifying Party’s obligations under Section 13 (Indemnification), (b) either Party’s infringement or misappropriation of the other Party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one Party (as discloser) to the other Party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, any technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Abnormal in connection with Technical Services. “Documentation” means the Abnormal standard technical guides, policies, and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or on the dedicated ‘Customer Support’ or ‘Abnormal Legal Center’ pages (legal.abnormalsecurity.com) of the Abnormal managed website. 
“Force Majeure” means an unforeseen event beyond a Party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected Party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) entered into by Abnormal and a Channel Partner on behalf of Customer. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Abnormal’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term for Customer's use of the Service as set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Customer Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Abnormal furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective May 19th 2022 to September 21st 2022
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either Party’s breach of Section 2.3 (DPA). “General Cap” means the total amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to a claim of liability. Any Technical Services that are provided on a no-charge basis will be valued at ten thousand dollars for purposes of this definition. “Uncapped Claims” means (a) the indemnifying Party’s obligations under Section 13 (Indemnification), (b) either Party’s infringement or misappropriation of the other Party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one Party (as discloser) to the other Party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, any technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Abnormal in connection with Technical Services. “Documentation” means the Abnormal standard technical guides, policies, and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or on the dedicated ‘Customer Support’ or ‘Abnormal Legal Center’ pages of the Abnormal managed website. 
“Force Majeure” means an unforeseen event beyond a Party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected Party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) entered into by Abnormal and a Channel Partner on behalf of Customer. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Abnormal’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term for Customer's use of the Service as set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Customer Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Abnormal furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective March 30th 2022 to May 19th 2022
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either Party’s breach of Section 2.3 (DPA). “General Cap” means the total amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to a claim of liability. Any Technical Services that are provided on a no-charge basis will be valued at ten thousand dollars for purposes of this definition. “Uncapped Claims” means (a) the indemnifying Party’s obligations under Section 13 (Indemnification), (b) either Party’s infringement or misappropriation of the other Party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one Party (as discloser) to the other Party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, any technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Abnormal in connection with Technical Services. “Documentation” means the Abnormal standard technical guides, policies, and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or on the dedicated ‘Customer Support’ page of the Abnormal website.
“Force Majeure” means an unforeseen event beyond a Party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected Party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) entered into by Abnormal and a Channel Partner on behalf of Customer. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Abnormal’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term for Customer's use of the Service as set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Customer Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Abnormal furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective March 24th 2022 to March 30th 2022
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either party’s breach of Section 2.3 (DPA). “General Cap” means amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to liability. Any Technical Services that are provided on a no-charge basis will be capped at ten thousand dollars. “Uncapped Claims” means (a) the indemnifying party’s obligations under Section 13 (Indemnification), (b) either party’s infringement or misappropriation of the other party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes the Service, technical, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Company in connection with Technical Services. “Documentation” means Abnormal’s standard technical guides and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or the other Abnormal managed website.
“Force Majeure” means an unforeseen event beyond a party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) entered into by Customer and a Channel Partner. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Company’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration, enablement or other technical services that Company furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective March 23rd 2022 to March 24th 2022
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either party’s breach of Section 2.3 (DPA). “General Cap” means amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to liability. Any Technical Services that are provided on a no-charge basis will be capped at ten thousand dollars. “Uncapped Claims” means (a) the indemnifying party’s obligations under Section 13 (Indemnification), (b) either party’s infringement or misappropriation of the other party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes technical information, the Service, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Company in connection with Technical Services. “Documentation” means Abnormal’s standard technical guides and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or another Abnormal-managed website.
“Force Majeure” means an unforeseen event beyond a party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) entered into by Customer and a Channel Partner. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Company’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration or other professional services that Company furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Effective March 21st 2022 to March 23rd 2022
ABNORMAL SECURITY
CLOUD TERMS OF SERVICE
“Enhanced Cap” means three times (3x) the General Cap. “Enhanced Claims” means Abnormal’s breach of Section 2.2 (Security) or either party’s breach of Section 2.3 (DPA). “General Cap” means amounts paid or payable by Customer for: (i) use of the Service or (ii) performance of the Technical Services, as applicable, to Abnormal under this Agreement in the 12 months immediately preceding the first incident giving rise to liability. Any Technical Services that are provided on a no-charge basis will be capped at ten thousand dollars. “Uncapped Claims” means (a) the indemnifying party’s obligations under Section 13 (Indemnification), (b) either party’s infringement or misappropriation of the other party’s intellectual property rights or Customer’s breach of Section 3.2 (Restrictions), (c) any breach of Section 10 (Confidentiality), excluding breaches related to Customer Data, and (d) liabilities that cannot be limited by Law or Customer’s payment obligations.
“Abnormal-Covered Claim” means a third-party claim that the Service, when used by Customer as authorized in this Agreement, infringes or misappropriates a third party’s United States or European Union intellectual property rights. “Customer-Covered Claim” means a third-party claim arising from Customer Materials or Customer’s breach or alleged breach of Section 3 (Use of the Service).
(a) Commercial general liability insurance on an occurrence basis for bodily injury, death, property damage, and personal injury, with coverage limits of not less than $1,000,000 per occurrence and $2,000,000 general aggregate for bodily injury and property damage;
18. GLOSSARY. The definitions of certain capitalized terms used in this Agreement are set forth below. Others are defined in the body of this Agreement. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where “control” means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Confidential Information” means information disclosed by or on behalf of one party (as discloser) to the other party (as recipient) under this Agreement, in any form, which (a) the discloser identifies to recipient as “confidential” or “proprietary” or (b) should be reasonably understood as confidential or proprietary due to its nature and the circumstances of its disclosure. Abnormal’s Confidential Information includes technical information, the Service, pricing or performance information about the Service, and any information conveyed to Customer in connection with Support. Customer’s Confidential Information includes Customer Data and Customer Materials. “Customer Data” means information, including Personal Data (as defined in the DPA), processed by Abnormal via the Service and while providing Support. “Customer Materials” means materials and resources that Customer makes available to Company in connection with Technical Services. “Documentation” means Abnormal’s standard technical guides and documentation for the Service that are made available from the dedicated ‘Documentation’ pages within the Service or another Abnormal-managed website.
“Force Majeure” means an unforeseen event beyond a party’s reasonable control, such as a strike, blockade, war, pandemic, act of terrorism, riot, third-party Internet, telecommunications or utility failure, acts or orders of government, refusal of government license or natural disaster, where the affected party takes reasonable and customary measures to avoid or mitigate such event’s effects. “Order” means an order for Customer’s access to the Service, Support, or Technical Services or related services that is: (1) either executed by the Parties and references this Agreement or entered into by Customer via self-service, or (2) entered into by Customer and a Channel Partner. “Service” means Abnormal’s proprietary software-as-a-service products, as identified in the relevant Order, including any modifications, updates, upgrades, and enhancements thereto that Abnormal makes generally available to its customer base. The Service includes the Documentation but not Technical Services or Third-Party Platforms. “Service Operations Data” means Company’s technical logs, analytics or other data and learnings related to Customer’s use of the Service, but excluding Customer Data. “Subscription Term” means the term set forth on the applicable Order. “Support” means the customer support services set out on the dedicated ‘Support’ page of the Abnormal website, and the Documentation, but excludes any Technical Services. “Technical Services” means training, migration or other professional services that Company furnishes to Customer related to the Service. “Threat Intelligence Data” means information collected, generated, derived, and/or analyzed by the Service that is related to malicious activities, fraud, loss, threat or other harm detection and analysis identified by the Service such as a third-party malicious actor’s IP address, email address, name, and hashes of malware.
“Third-Party Platform” means any product, add-on or platform not provided by Abnormal that Customer uses with the Service. “Trials and Betas” mean access to the Service (or Service features) on a free, trial, beta or early access basis. “Users” means individuals or entities that are authorized by Customer to use the Service under its account and on its behalf.
Abnormal Security Support and Service Level Agreement Policy
Effective May 22nd 2024
ABNORMAL SECURITY CORPORATION SUPPORT AND SERVICE LEVEL AVAILABILITY POLICY
This Support and Service Level Availability Policy (“Policy”) describes Abnormal Security Corporation’s (“Abnormal”) support offering (“Support”) in connection with Customer-reported bugs, defects, or errors in the Service (“Error(s)”). Support shall be provided in accordance with the written subscription agreement under which Abnormal provides its Service as entered into by and between you (“Customer”) and Abnormal (“Agreement”). Customer shall receive the level of Support set forth in this Policy or as designated in the applicable Order (“Support Level”). Abnormal may update this Policy from time to time, provided that any such update does not modify any provision of the Agreement except for this Policy. Any such updates will be posted to https://legal.abnormalsecurity.com/ or otherwise made available as set forth in the Agreement. Capitalized terms not defined in this Policy shall have the meanings given to them in the Agreement.
I. Support
- General Support Offering. Abnormal shall provide English-speaking remote assistance to Customer Contacts (as defined below) for questions or issues arising from any Error, as further described in this Policy, including troubleshooting, diagnosis, and recommendations for potential workarounds for the duration of Customer’s subscription to the applicable Service.
- Customer Contacts. Customer shall inform Abnormal as to its approved contacts for Support, one of which must be designated as an account administrator (each, a “Customer Contact”). Customer is solely responsible for maintaining an accurate list of Customer Contacts with Abnormal, including names and contact information. Abnormal assumes no responsibility for Support Cases that cannot be addressed due to a lack of updated Customer Contact information.
- Submitting Support Cases. Customer Contacts must use reasonable diligence to ensure a perceived Error is not an issue with Customer’s own equipment, software, or internet connectivity prior to requesting Support. Customer Contacts may contact Support by submitting a Support request (each, a “Support Case”) to: (a) the support portal located at https://support.abnormalsecurity.com (or such successor URL as may be designated by Abnormal) (such website, the “Support Portal”) or (b) the web interface as described in the Documentation. If Customer Contacts cannot access the Support Portal they may open a Support Case by emailing support@abnormalsecurity.com or, in the event Customer Contacts cannot access the Support Portal or email, they may contact Abnormal Support by phone solely for purposes of having the Support Case submitted on their behalf. All Customer Contacts must be familiar with the Documentation and be reasonably trained in the use and functionality of the Service. Customer Contacts will assist Abnormal to resolve Support Cases by complying with the Customer obligations set forth in Table 1.
- Support Cases. Each Support Case shall: (a) designate the Severity Level of the Error in accordance with the definitions in Table 1; (b) identify the Customer account that experienced the error; (c) include information sufficiently detailed to allow Abnormal to attempt to duplicate the Error (including any relevant error messages, but not export-controlled data, personal data (other than as required herein), sensitive data, other regulated data, or Customer Data); and (d) identify the Customer Contact most familiar with the issue. The Customer Contact shall also give Abnormal any other important Support Case information requested by Abnormal in a timely manner. Unless Customer expressly designates the Severity Level, the Support Case will default to Severity Level 4. If Customer Contacts submit Support Cases related to enhancement or feature requests, Abnormal shall treat those tickets as closed once the request has been forwarded internally.
Table 1: Error Severity Level Definitions and Initial Response Times
Error Severity Level | Description | Initial Response Time Target | Customer Responsibility
---|---|---|---
Severity Level 1 (Urgent) | An Error that causes a (a) service disruption or (b) degraded condition that renders the Service inoperable. | One (1) Hour | Commit appropriate resources to provide additional information as needed. Make reasonable efforts to apply solutions quickly.
Severity Level 2 (High) | An Error that (a) causes the Service to operate in a degraded condition with a high impact to key portions of the Service or (b) seriously impairs Customer’s use of material function(s) of the Service and Customer cannot reasonably circumvent or avoid the Error without the expenditure of significant time or effort. | Two (2) Business Hours | Commit appropriate resources to be available to provide additional information as needed. Make reasonable efforts to apply solutions upon receipt.
Severity Level 3 (Normal) | An Error that has a medium-to-low impact on the Service. The Service is (a) running with limited functionality in one or more areas or (b) experiencing intermittent issues. Customer can access and use the material functionality of the Service. | Eight (8) Business Hours | Monitor and respond as necessary.
Severity Level 4 (Low) | How-to questions and Service issues with no Service degradation. | One (1) Business Day | Monitor and respond as necessary.
RFE | Requests for enhancements to the Service. | Two (2) Business Days | N/A
Table 2: Support Hours
Region | North America | EMEA | Asia Pacific
---|---|---|---
Severity 1 | 24 x 7 x 365 | 24 x 7 x 365 | 24 x 7 x 365
Severity 2-4 | 6AM-6PM PT Mon-Fri | 8AM-5PM GMT Mon-Fri | 8AM-5PM AEDT Mon-Fri
Exclusions | U.S. Federal Holidays | United Kingdom Public and Bank Holidays | Australian National and Public Holidays
II. Service Level Agreement
The Monthly Availability Percentage for the Service is ninety-nine and nine-tenths percent (99.9%) (“Service Level”). If the Service does not meet the Service Level in a given month (“Service Level Failure”), then as Customer’s sole and exclusive remedy, Customer shall be eligible to receive the applicable number of service level credits set forth in Table 3 below (“Service Level Credits”), credited towards extending Customer’s Subscription Term at no charge, provided that Customer requests Service Level Credits within thirty (30) days from the time Customer becomes eligible to receive Service Level Credits under this Policy by filing a Support Case. Failure to comply with this notification requirement will forfeit Customer’s right to receive Service Level Credits. The aggregate maximum amount of Service Level Credits for a Service Level Failure will not exceed 15 days per month. Service Level Credits may not be exchanged for, or converted to, monetary amounts. Customer may request the Service Level attainment for the previous month by filing a Support Case.
Table 3: Service Level Credits
Monthly Availability Percentage | Service Level Credit
---|---
< 99.9% and ≥ 98.0% | 3 Days
< 98.0% and ≥ 95.0% | 7 Days
< 95.0% | 15 Days
Policy Exclusions
Abnormal will have no liability for any failure to meet the Service Level to the extent arising from: (a) Planned Maintenance or Emergency Maintenance; (b) third-party platforms and networks, Customer or User application, equipment, software or other third-party technology; (c) Customer or its User's use of the Service in violation of the Agreement or not in accordance with the Documentation; (d) force majeure events — i.e., any cause beyond such party’s reasonable control, including but not limited to acts of God, labor disputes or other industrial disturbances, systemic electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, public health emergencies (including pandemics and epidemics), acts or orders of government, acts of terrorism, or war; or (e) any access to the Service (or Service features) on a free, trial, beta or early access basis, or due to suspension, limitation, and/or termination of Customer’s access or use of the Service in accordance with its Agreement.
Definitions:
“Calendar Minutes” is defined as the total number of minutes in a given calendar month.
“Emergency Maintenance” means circumstances where maintenance is necessary to prevent imminent harm to the Service, including critical security patching.
“Monthly Availability Percentage” is defined as the difference between Calendar Minutes and the Unavailable Minutes, divided by Calendar Minutes, and multiplied by one hundred (100).
“Planned Maintenance” means routine maintenance periods that continue for no more than four hours in any one instance, so long as Abnormal provides at least 48 hours prior notice (including by email) to Customer.
“Unavailable” means that Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Unavailable Minutes” is defined as the total accumulated minutes when the Service is Unavailable.
Effective May 2nd 2024 to May 22nd 2024
ABNORMAL SECURITY CORPORATION SUPPORT AND SERVICE LEVEL AVAILABILITY POLICY
This Support and Service Level Availability Policy (“Policy”) describes Abnormal Security Corporation’s (“Abnormal”) support offering (“Support”) in connection with Customer-reported bugs, defects, or errors in the Service (“Error(s)”). Support shall be provided in accordance with the written subscription agreement under which Abnormal provides its Service as entered into by and between you (“Customer”) and Abnormal (“Agreement”). Customer shall receive the level of Support set forth in this Policy or as designated in the applicable Order (“Support Level”). Abnormal may update this Policy from time to time, provided that any such update does not modify any provision of the Agreement except for this Policy. Any such updates will be posted to https://legal.abnormalsecurity.com/ or otherwise made available as set forth in the Agreement. Capitalized terms not defined in this Policy shall have the meanings given to them in the Agreement.
I. Support
- General Support Offering. Abnormal shall provide English-speaking remote assistance to Customer Contacts (as defined below) for questions or issues arising from any Error, as further described in this Policy, including troubleshooting, diagnosis, and recommendations for potential workarounds for the duration of Customer’s subscription to the applicable Service.
- Customer Contacts. Customer shall inform Abnormal as to its approved contacts for Support, one of which must be designated as an account administrator (each, a “Customer Contact”). Customer is solely responsible for maintaining an accurate list of Customer Contacts with Abnormal, including names and contact information. Abnormal assumes no responsibility for Support Cases that cannot be addressed due to a lack of updated Customer Contact information.
- Submitting Support Cases. Customer Contacts must use reasonable diligence to ensure a perceived Error is not an issue with Customer’s own equipment, software, or internet connectivity prior to requesting Support. Customer Contacts may contact Support by submitting a Support request (each, a “Support Case”) to: (a) the support portal located at https://support.abnormalsecurity.com (or such successor URL as may be designated by Abnormal) (such website, the “Support Portal”) or (b) the web interface as described in the Documentation. If Customer Contacts cannot access the Support Portal they may open a Support Case by emailing support@abnormalsecurity.com or, in the event Customer Contacts cannot access the Support Portal or email, they may contact Abnormal Support by phone solely for purposes of having the Support Case submitted on their behalf. All Customer Contacts must be familiar with the Documentation and be reasonably trained in the use and functionality of the Service. Customer Contacts will assist Abnormal to resolve Support Cases by complying with the Customer obligations set forth in Table 1.
- Support Cases. Each Support Case shall: (a) designate the Severity Level of the Error in accordance with the definitions in Table 1; (b) identify the Customer account that experienced the error; (c) include information sufficiently detailed to allow Abnormal to attempt to duplicate the Error (including any relevant error messages, but not export-controlled data, personal data (other than as required herein), sensitive data, other regulated data, or Customer Data); and (d) identify the Customer Contact most familiar with the issue. The Customer Contact shall also give Abnormal any other important Support Case information requested by Abnormal in a timely manner. Unless Customer expressly designates the Severity Level, the Support Case will default to Severity Level 4. If Customer Contacts submit Support Cases related to enhancement or feature requests, Abnormal shall treat those tickets as closed once the request has been forwarded internally.
Table 1: Error Severity Level Definitions and Initial Response Times
Error Severity Level | Description | Initial Response Time Target | Customer Responsibility
---|---|---|---
Severity Level 1 (Urgent) | An Error that causes a (a) service disruption or (b) degraded condition that renders the Service inoperable. | One (1) Hour | Commit appropriate resources to provide additional information as needed. Make reasonable efforts to apply solutions quickly.
Severity Level 2 (High) | An Error that (a) causes the Service to operate in a degraded condition with a high impact to key portions of the Service or (b) seriously impairs Customer’s use of material function(s) of the Service and Customer cannot reasonably circumvent or avoid the Error without the expenditure of significant time or effort. | Two (2) Business Hours | Commit appropriate resources to be available to provide additional information as needed. Make reasonable efforts to apply solutions upon receipt.
Severity Level 3 (Normal) | An Error that has a medium-to-low impact on the Service. The Service is (a) running with limited functionality in one or more areas or (b) experiencing intermittent issues. Customer can access and use the material functionality of the Service. | Eight (8) Business Hours | Monitor and respond as necessary.
Severity Level 4 (Low) | How-to questions and Service issues with no Service degradation. | One (1) Business Day | Monitor and respond as necessary.
RFE | Requests for enhancements to the Service. | Two (2) Business Days | N/A
Table 2: Support Hours
Region | North America | EMEA | Asia Pacific
---|---|---|---
Severity 1 | 24 x 7 x 365 | 24 x 7 x 365 | 24 x 7 x 365
Severity 2-4 | 6AM-6PM PT Mon-Fri | 8AM-5PM GMT Mon-Fri | 8AM-5PM AEDT Mon-Fri
Exclusions | U.S. Federal Holidays | United Kingdom Public and Bank Holidays | Australian National and Public Holidays
II. Service Level Agreement
The Monthly Availability Percentage for the Service is ninety-nine and nine-tenths percent (99.9%) (“Service Level”). If the Service does not meet the Service Level in a given month (“Service Level Failure”), then as Customer’s sole and exclusive remedy, Customer shall be eligible to receive the applicable number of service level credits set forth in Table 3 below (“Service Level Credits”), credited towards extending Customer’s Subscription Term at no charge, provided that Customer requests Service Level Credits within thirty (30) days from the time Customer becomes eligible to receive Service Level Credits under this Policy by filing a Support Case. Failure to comply with this notification requirement will forfeit Customer’s right to receive Service Level Credits. The aggregate maximum amount of Service Level Credits for a Service Level Failure will not exceed 15 days per month. Service Level Credits may not be exchanged for, or converted to, monetary amounts. Customer may request the Service Level attainment for the previous month by filing a Support Case.
Table 3: Service Level Credits
Monthly Availability Percentage | Service Level Credit
---|---
< 99.9% and ≥ 98.0% | 3 Days
< 98.0% and ≥ 95.0% | 7 Days
< 95.0% | 15 Days
Policy Exclusions
Abnormal will have no liability for any failure to meet the Service Level to the extent arising from: (a) Planned Maintenance or Emergency Maintenance; (b) third-party platforms and networks, Customer or User application, equipment, software or other third-party technology; (c) Customer or its User's use of the Service in violation of the Agreement or not in accordance with the Documentation; (d) force majeure events — i.e., any cause beyond such party’s reasonable control, including but not limited to acts of God, labor disputes or other industrial disturbances, systemic electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, public health emergencies (including pandemics and epidemics), acts or orders of government, acts of terrorism, or war; or (e) any access to the Service (or Service features) on a free, trial, beta or early access basis, or due to suspension, limitation, and/or termination of Customer’s access or use of the Service in accordance with its Agreement.
Definitions:
“Calendar Minutes” is defined as the total number of minutes in a given calendar month.
“Emergency Maintenance” means circumstances where maintenance is necessary to prevent imminent harm to the Service, including critical security patching.
“Monthly Availability Percentage” is defined as the difference between Calendar Minutes and the Unavailable Minutes, divided by Calendar Minutes, and multiplied by one hundred (100).
“Planned Maintenance” means routine maintenance periods that continue for no more than four hours in any one instance, so long as Abnormal provides at least 48 hours prior notice (including by email) to Customer.
“Unavailable” means that Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Unavailable Minutes” is defined as the total accumulated minutes when the Service is Unavailable.
Effective June 24th 2022 to May 2nd 2024
ABNORMAL SECURITY SUPPORT AND SERVICE LEVEL AVAILABILITY POLICY
This Abnormal Security Support and Service Level Availability Policy (“Policy”) describes Abnormal Security Corporation’s (“Abnormal”) support offering (“Support”) in connection with Customer-reported bugs, defects, or errors in the Service (“Error(s)”). Support shall be provided in accordance with the written subscription agreement under which Abnormal provides its Service as entered into by and between you (“Customer”) and Abnormal (“Agreement”). Customer shall receive the level of Support set forth in this Policy or as designated in the applicable Order (“Support Level”). Abnormal may update this Policy from time to time. Capitalized terms not defined in this Policy shall have the meaning given to them in the Agreement.
I. Support
- Support Services. As part of providing the Service and as further described in the Documentation, Abnormal implements processes designed to perform robust testing and validation to minimize Errors.
- General Support Offering. Customer shall designate one primary contact who will have administrator privileges and may designate additional contacts (“Customer Contacts”). Abnormal shall provide English-speaking remote assistance to Customer Contacts for questions or issues arising from any Error, as further described in this Policy, including troubleshooting, diagnosis, and recommendations for potential workarounds for the duration of Customer’s subscription to the applicable Service.
- Contacting Abnormal Support. Customer Contacts may contact Abnormal Support by: (a) submitting a Support request to the Abnormal webpage hosting the support portal located at https://support.abnormalsecurity.com (or such successor URL as may be designated by Abnormal) (such website, the “Abnormal Community”) and designating the appropriate severity level according to Table 1 below, (b) submitting a Support request in the web interface as described in the Documentation, (c) submitting the Support request to support@abnormalsecurity.com if Customer Contacts cannot access the Abnormal Community, or (d) in the event Customer Contacts cannot access Abnormal Community or email, they may contact Abnormal Support by phone at the intake phone number identified in the Abnormal Community solely for purposes of having the Support request submitted on their behalf (each a “Support Case”). All Customer Contacts must be reasonably trained in the use and functionality of the Service and the Abnormal Documentation and shall use reasonable diligence to ensure a perceived Error is not an issue with Customer’s own equipment, software, or internet connectivity. Customer Contacts will assist Abnormal to resolve its Support Case by complying with the Customer obligations set forth in Table 1.
- Submission of Support Cases. Each Support Case shall: (a) designate the Severity Level of the Error in accordance with the definitions in Table 1; (b) identify the Customer Account that experienced the error; (c) include information sufficiently detailed to allow Abnormal Support to attempt to duplicate the Error (including any relevant error messages, but not export-controlled data, personal data (other than as required herein), sensitive data, other regulated data, or Customer Data); and (d) provide contact information for the Customer Contact most familiar with the issue. The Customer Contact shall also give Abnormal any other important Support Case information requested by Abnormal in a timely manner. Unless Customer expressly designates the Severity Level, the Support Case will default to Severity Level 4. If Customer Contacts submit Support Cases related to enhancement or feature requests, Abnormal shall treat those tickets as closed once the request has been forwarded internally.
- Other Support and Training. Abnormal also offers various support and training resources such as documentation, FAQs and user guides available on the Abnormal Community.
Table 1: Error Severity Level Definitions and Response Times

Error Severity Level | Description | Initial Response Time Target | Customer Responsibility
---|---|---|---
Severity Level 1 (Urgent Severity) | An Error that causes a (a) service disruption or (b) degraded condition that renders the Service inoperable. | One (1) Hour | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions quickly.
Severity Level 2 (High Severity) | An Error that (a) causes the Service to operate in a degraded condition with a high impact to key portions of the Service or (b) seriously impairs Customer’s use of material function(s) of the Service and Customer cannot reasonably circumvent or avoid the Error on a temporary basis without the expenditure of significant time or effort. | Two (2) Business Hours | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions upon receipt.
Severity Level 3 (Normal Severity) | An Error that has a medium-to-low impact on the Service. The Service is (a) running with limited functionality in one or more areas, or (b) experiencing intermittent issues. The Customer can still access and use the material functionality of the Service. | Eight (8) Business Hours | Monitor and respond as necessary.
Severity Level 4 (Low Severity) | How-to Questions and Service issues with no Service degradation. | Twenty-Four (24) Business Hours | Monitor and respond as necessary.
RFE | Requests for enhancements to the Service. | 2 Business Days | N/A
- Error Response. Upon receipt of a Support Case, Abnormal Support will attempt to determine the Error and assign the applicable Severity Level based on descriptions in Table 1. If Abnormal’s Severity Level designation is different from that assigned by Customer, Abnormal will promptly notify Customer in advance of such designation. If Customer notifies Abnormal of a reasonable basis for disagreeing with Abnormal’s designated Severity Level, the parties each will make a good faith effort to discuss, escalate internally, and mutually agree on the appropriate Severity Level. Abnormal shall use commercially reasonable efforts to meet the Initial Response Time Target for the applicable Severity Level, as measured during in-region Abnormal Support hours set forth in Table 2 below (such hour(s), “Business Hour(s)” with the total Business Hours in an in-region support day being “Business Day(s)”).
Table 2: Abnormal Support Hours (Global Support Business Hours)

Sev 1 | Sev 2-4 | Excluded Holidays (Sev 2-4)
---|---|---
24 x 7 x 365 | 6AM-6PM PT Mon-Fri | Recognized U.S. Federal Holidays
II. Service Level Agreement
The Monthly Availability Percentage for the Service is ninety-nine and nine-tenths percent (99.9%) (“Service Level”). If the Service does not meet the Service Level in a given month (“Service Level Failure”), then as Customer’s sole and exclusive remedy, Customer shall be eligible to receive the applicable number of Service Level Credits set forth in Table 3 below (“Service Level Credits”), credited towards extending Customer’s Subscription Term at no charge, provided that Customer requests Service Level Credits within thirty (30) days from the time Customer becomes eligible to receive Service Level Credits under this Policy by filing a Support Case. Failure to comply with this notification requirement will forfeit Customer’s right to receive Service Level Credits. The aggregate maximum amount of Service Level Credits for a Service Level Failure will not exceed 15 days. Service Level Credits may not be exchanged for, or converted to, monetary amounts. Customer may request the Service Level attainment for the previous month by filing a Support Case.
Table 3: Service Level Credit Calculation

Monthly Availability Percentage | Service Level Credit
---|---
< 99.9% and ≥ 98.0% | 3 Days
< 98.0% and ≥ 95.0% | 7 Days
< 95.0% | 15 Days
Policy Exclusions
Abnormal will have no liability for any failure to meet the Service Level to the extent arising from: (a) Planned Maintenance or Emergency Maintenance; (b) third-party platforms and networks, Customer or User application, equipment, software or other third-party technology; (c) Customer or its User's use of the Service in violation of the Agreement or not in accordance with the Documentation; (d) force majeure events — i.e., any cause beyond such party’s reasonable control, including but not limited to acts of God, labor disputes or other industrial disturbances, systemic electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, public health emergencies (including pandemics and epidemics), acts or orders of government, acts of terrorism, or war; or (e) any access to the Service (or Service features) on a free, trial, beta or early access basis, or due to suspension, limitation, and/or termination of Customer’s access or use of the Service in accordance with its Agreement.
Definitions:
“Calendar Minutes” is defined as the total number of minutes in a given calendar month.
“Emergency Maintenance” means circumstances where maintenance is necessary to prevent imminent harm to the Service, including critical security patching.
“Monthly Availability Percentage” is defined as the difference between Calendar Minutes and the Unavailable Minutes, divided by Calendar Minutes, and multiplied by one hundred (100).
“Planned Maintenance” means routine maintenance periods that continue for no more than four hours in any one instance, so long as Abnormal provides at least 48 hours prior notice (including by email) to Customer.
“Unavailable” means if Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Unavailable Minutes” is defined as the total accumulated minutes when the Service is Unavailable.
Effective April 4th 2022 to June 24th 2022
ABNORMAL SECURITY SUPPORT AND SERVICE LEVEL AVAILABILITY POLICY
This Abnormal Security Support and Service Level Availability Policy (“Policy”) describes Abnormal Security Corporation’s (“Abnormal”) support offering (“Support”) in connection with Customer-reported bugs, defects, or errors in the Service (“Error(s)”). Support shall be provided in accordance with the written subscription agreement under which Abnormal provides its Service as entered into by and between you (“Customer”) and Abnormal (“Agreement”). Customer shall receive the level of Support set forth in this Policy or as designated in the applicable Order (“Support Level”). Abnormal may update this Policy from time to time. Capitalized terms not defined in this Policy shall have the meaning given to them in the Agreement.
I. Support
- Support Services. As part of providing the Service and as further described in the Documentation, Abnormal implements processes designed to perform robust testing and validation to minimize Errors.
- General Support Offering. Customer shall designate one primary contact who will have administrator privileges and may designate additional contacts (“Customer Contacts”). Abnormal shall provide English-speaking remote assistance to Customer Contacts for questions or issues arising from any Error, as further described in this Policy, including troubleshooting, diagnosis, and recommendations for potential workarounds for the duration of Customer’s subscription to the applicable Service.
- Contacting Abnormal Support. Customer Contacts may contact Abnormal Support by: (a) submitting a Support request to the Abnormal webpage hosting the support portal located at https://support.abnormalsecurity.com (or such successor URL as may be designated by Abnormal) (such website, the “Abnormal Community”) and designating the appropriate severity level according to Table 1 below, (b) submitting a Support request in the web interface as described in the Documentation, (c) submitting the Support request to support@abnormalsecurity.com if Customer Contacts cannot access the Abnormal Community, or (d) in the event Customer Contacts cannot access Abnormal Community or email, they may contact Abnormal Support by phone at the intake phone number identified in the Abnormal Community solely for purposes of having the Support request submitted on their behalf (each a “Support Case”). All Customer Contacts must be reasonably trained in the use and functionality of the Service and the Abnormal Documentation and shall use reasonable diligence to ensure a perceived Error is not an issue with Customer’s own equipment, software, or internet connectivity. Customer Contacts will assist Abnormal to resolve its Support Case by complying with the Customer obligations set forth in Table 1.
- Submission of Support Cases. Each Support Case shall: (a) designate the Severity Level of the Error in accordance with the definitions in Table 1; (b) identify the Customer Account that experienced the Error; (c) include information sufficiently detailed to allow Abnormal Support to attempt to duplicate the Error (including any relevant error messages, but not export-controlled data, personal data (other than as required herein), sensitive data, other regulated data, or Customer Data); and (d) provide contact information for the Customer Contact most familiar with the issue. The Customer Contact shall also give Abnormal any other important Support Case information requested by Abnormal in a timely manner. Unless Customer expressly designates the Severity Level, the Support Case will default to Severity Level 4. If Customer Contacts submit Support Cases related to enhancement or feature requests, Abnormal shall treat those tickets as closed once the request has been forwarded internally.
- Other Support and Training. Abnormal also offers various support and training resources such as documentation, FAQs and user guides available on the Abnormal Community.
Table 1: Error Severity Level Definitions and Response Times

Error Severity Level | Description | Initial Response Time Target | Customer Responsibility
---|---|---|---
Severity Level 1 (Urgent Severity) | An Error that causes a (a) service disruption or (b) degraded condition that renders the Service inoperable. | One (1) Hour | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions quickly.
Severity Level 2 (High Severity) | An Error that (a) causes the Service to operate in a degraded condition with a high impact to key portions of the Service or (b) seriously impairs Customer’s use of material function(s) of the Service and Customer cannot reasonably circumvent or avoid the Error on a temporary basis without the expenditure of significant time or effort. | Two (2) Business Hours | Commit appropriate resources to be available to provide additional info if needed. Make reasonable efforts to apply solutions upon receipt.
Severity Level 3 (Normal Severity) | An Error that has a medium-to-low impact on the Service. The Service is (a) running with limited functionality in one or more areas, or (b) experiencing intermittent issues. The Customer can still access and use the material functionality of the Service. | Eight (8) Business Hours | Monitor and respond as necessary.
Severity Level 4 (Low Severity) | How-to Questions and Service issues with no Service degradation. | Twenty-Four (24) Business Hours | Monitor and respond as necessary.
RFE | Requests for enhancements to the Service. | 2 Business Days | N/A
- Error Response. Upon receipt of a Support Case, Abnormal Support will attempt to determine the Error and assign the applicable Severity Level based on descriptions in Table 1. If Abnormal’s Severity Level designation is different from that assigned by Customer, Abnormal will promptly notify Customer in advance of such designation. If Customer notifies Abnormal of a reasonable basis for disagreeing with Abnormal’s designated Severity Level, the parties each will make a good faith effort to discuss, escalate internally, and mutually agree on the appropriate Severity Level. Abnormal shall use commercially reasonable efforts to meet the Initial Response Time Target for the applicable Severity Level, as measured during in-region Abnormal Support hours set forth in Table 2 below (such hour(s), “Business Hour(s)” with the total Business Hours in an in-region support day being “Business Day(s)”).
Table 2: Abnormal Support Hours (Global Support Business Hours)

Sev 1 | Sev 2-4 | Excluded Holidays (Sev 2-4)
---|---|---
24 x 7 x 365 | 6AM-6PM PT Mon-Fri | Recognized U.S. Federal Holidays
II. Service Level Agreement
The Monthly Availability Percentage for the Service is ninety-nine and nine-tenths percent (99.9%) (“Service Level”). If the Service does not meet the Service Level in a given month (“Service Level Failure”), then as Customer’s sole and exclusive remedy, Customer shall be eligible to receive the applicable number of Service Level Credits set forth in Table 3 below (“Service Level Credits”), credited towards extending Customer’s Subscription Term at no charge, provided that Customer requests Service Level Credits within thirty (30) days from the time Customer becomes eligible to receive Service Level Credits under this Policy by filing a Support Case. Failure to comply with this notification requirement will forfeit Customer’s right to receive Service Level Credits. The aggregate maximum amount of Service Level Credits for a Service Level Failure will not exceed 15 days. Service Level Credits may not be exchanged for, or converted to, monetary amounts. Customer may request the Service Level attainment for the previous month by filing a Support Case.
Table 3: Service Level Credit Calculation

Monthly Availability Percentage | Service Level Credit
---|---
< 99.9% and ≥ 98.0% | 3 Days
< 98.0% and ≥ 95.0% | 7 Days
< 95.0% | 15 Days
Policy Exclusions
Abnormal will have no liability for any failure to meet the Service Level to the extent arising from: (a) Planned Maintenance or Emergency Maintenance; (b) third-party platforms and networks, Customer or User application, equipment, software or other third-party technology; (c) Customer or its User's use of the Service in violation of the Agreement or not in accordance with the Documentation; (d) force majeure events — i.e., any cause beyond such party’s reasonable control, including but not limited to acts of God, labor disputes or other industrial disturbances, systemic electrical, telecommunications, or other utility failures, earthquake, storms or other elements of nature, blockages, embargoes, riots, public health emergencies (including pandemics and epidemics), acts or orders of government, acts of terrorism, or war; or (e) any access to the Service (or Service features) on a free, trial, beta or early access basis, or due to suspension, limitation, and/or termination of Customer’s access or use of the Service in accordance with its Agreement.
Definitions:
“Calendar Minutes” is defined as the total number of minutes in a given calendar month.
“Emergency Maintenance” means circumstances where maintenance is necessary to prevent imminent harm to the Service, including critical security patching.
“Monthly Availability Percentage” is defined as the difference between Calendar Minutes and the Unavailable Minutes, divided by Calendar Minutes, and multiplied by one hundred (100).
“Planned Maintenance” means routine maintenance periods that continue for no more than four hours in any one instance, so long as Abnormal provides at least 48 hours prior notice (including by email) to Customer.
“Unavailable” means if Customer is unable to access the Service by means of a web browser and/or API as a result of failure(s) in the Service, as confirmed by Abnormal.
“Unavailable Minutes” is defined as the total accumulated minutes when the Service is Unavailable.
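A worked calculation of the Section II definitions (Calendar Minutes, Unavailable Minutes, Monthly Availability Percentage, the Planned and Emergency Maintenance exclusions, the Table 3 credit tiers and the 15-day cap), which are identical in the current and the prior version of the Policy above. This is an added Python example, not Abnormal's code; the outage and maintenance records are constructed sample input, and treating every minute of a qualifying maintenance window as not Unavailable is an assumption about how the exclusion is applied.

```python
"""Service Level Credit calculator for the SLA terms in Section II.

Added example, not Abnormal's own tooling. The constants come from the Policy
text; the sample outages and maintenance windows are constructed inputs.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

SERVICE_LEVEL = 99.9                       # Monthly Availability Percentage target
CREDIT_TIERS = ((98.0, 3), (95.0, 7), (0.0, 15))  # Table 3: (lower bound %, credit days)
MAX_CREDIT_DAYS = 15                       # aggregate cap per Service Level Failure
PLANNED_MAX_LENGTH = timedelta(hours=4)    # Planned Maintenance: at most four hours per instance
PLANNED_MIN_NOTICE = timedelta(hours=48)   # Planned Maintenance: at least 48 hours prior notice


@dataclass(frozen=True)
class Outage:
    """A period in which the Service was Unavailable, as confirmed by Abnormal (constructed)."""
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Maintenance:
    """A maintenance window; its minutes are excluded only when it qualifies."""
    start: datetime
    end: datetime
    notified_at: datetime
    emergency: bool = False

    def is_excluded(self) -> bool:
        # Emergency Maintenance is always excluded. Planned Maintenance is excluded
        # only if it meets both the length and the notice conditions in the Definitions.
        if self.emergency:
            return True
        short_enough = (self.end - self.start) <= PLANNED_MAX_LENGTH
        notified_in_time = (self.start - self.notified_at) >= PLANNED_MIN_NOTICE
        return short_enough and notified_in_time


def calendar_minutes(year: int, month: int) -> int:
    """Calendar Minutes: the total number of minutes in the calendar month."""
    return calendar.monthrange(year, month)[1] * 24 * 60


def _merge(windows):
    """Merge overlapping (start, end) pairs so overlapping records are not double counted."""
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def _overlap_minutes(a, b) -> float:
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return max(0.0, (end - start).total_seconds() / 60)


def unavailable_minutes(outages, maintenance) -> float:
    """Unavailable Minutes: outage minutes, less any that fall inside excluded maintenance."""
    downtime = _merge((o.start, o.end) for o in outages)
    excluded = _merge((m.start, m.end) for m in maintenance if m.is_excluded())
    total = sum((end - start).total_seconds() / 60 for start, end in downtime)
    for window in downtime:
        for exclusion in excluded:
            total -= _overlap_minutes(window, exclusion)
    return total


def monthly_availability(year: int, month: int, outages, maintenance) -> float:
    """(Calendar Minutes - Unavailable Minutes) / Calendar Minutes * 100."""
    cal = calendar_minutes(year, month)
    return (cal - unavailable_minutes(outages, maintenance)) / cal * 100


def service_level_credit(availability_pct: float) -> int:
    """Service Level Credit days for the month per Table 3, 0 if the Service Level was met."""
    if availability_pct >= SERVICE_LEVEL:
        return 0  # no Service Level Failure
    for lower_bound, days in CREDIT_TIERS:
        if availability_pct >= lower_bound:
            return min(days, MAX_CREDIT_DAYS)
    return MAX_CREDIT_DAYS


# Constructed sample month (May 2024, 31 days = 44,640 Calendar Minutes).
EXAMPLE_OUTAGES = [
    Outage(datetime(2024, 5, 10, 2, 0), datetime(2024, 5, 10, 3, 0)),    # 60 min, counts
    Outage(datetime(2024, 5, 20, 10, 0), datetime(2024, 5, 20, 10, 30)),  # inside qualifying Planned Maintenance
    Outage(datetime(2024, 5, 25, 10, 0), datetime(2024, 5, 25, 10, 30)),  # inside a 5-hour window: still counts
]
EXAMPLE_MAINTENANCE = [
    Maintenance(datetime(2024, 5, 20, 9, 0), datetime(2024, 5, 20, 11, 0), notified_at=datetime(2024, 5, 17, 9, 0)),
    Maintenance(datetime(2024, 5, 25, 9, 0), datetime(2024, 5, 25, 14, 0), notified_at=datetime(2024, 5, 20, 9, 0)),
]

if __name__ == "__main__":
    pct = monthly_availability(2024, 5, EXAMPLE_OUTAGES, EXAMPLE_MAINTENANCE)
    print(f"Unavailable Minutes: {unavailable_minutes(EXAMPLE_OUTAGES, EXAMPLE_MAINTENANCE):.0f}")
    print(f"Monthly Availability Percentage: {pct:.4f}%  -> credit: {service_level_credit(pct)} days")
```

Remember that the credit is only owed if the Support Case requesting it is filed within thirty (30) days of becoming eligible; the calculator does not model that deadline.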
Abnormal Security Information Security Policy
Effective May 2nd 2024
ABNORMAL SECURITY CORPORATION INFORMATION SECURITY POLICY
- Policies and Procedures. Abnormal has implemented and will maintain security, privacy, confidentiality, availability, and code of conduct policies and procedures designed to ensure that the Service and Abnormal’s employees and contractors (“Personnel”) process Customer Data in accordance with this Policy and the Agreement. Abnormal has implemented and will enforce disciplinary measures against Personnel for failure to abide by the aforementioned policies and procedures.
- Logical Access Controls. Abnormal will take reasonable measures that are designed to ensure appropriate user authentication for Personnel with access to Customer Data, including without limitation, by assigning each Personnel unique authentication credentials for accessing any system on which Customer Data is processed and prohibiting Personnel from sharing their authentication credentials. Abnormal will restrict access to Customer Data solely to those Personnel who need access to Customer Data to perform Abnormal’s obligations under the Agreement.
Further, Abnormal will take reasonable measures to implement and maintain logging and monitoring technologies designed to help detect and prevent unauthorized access to its networks, servers, and applications, including but not limited to those that process Customer Data. Abnormal will conduct periodic reviews of systems that process Customer Data to verify the identities of individuals who access and have privileged access to systems to help detect and prevent unauthorized access to its network, servers, and applications and verify that all changes to its authentication systems were authorized and correct. Abnormal has implemented and will maintain procedures and policies that are designed to ensure that, upon termination of any Personnel, the terminated user's access to any Customer Data on Abnormal systems will be promptly revoked, and in all cases, revocation will occur no later than twenty-four (24) hours following such termination.
- Intrusion Prevention. Abnormal utilizes reasonable measures designed to ensure that its infrastructure protections are consistent with industry standards in preventing unauthorized access to Abnormal networks, servers, and applications. Such measures include but are not limited to the implementation of intrusion prevention technologies, anti-malware services, and firewall rules.
- Physical Access. Abnormal limits physical access to its office facilities using physical controls (e.g., coded badge access). Abnormal regularly assesses the cloud hosting provider’s ability to provide reasonable assurance that access to their data centers and other areas where Customer Data is stored is limited to authorized individuals. Cloud hosting provider data centers and Abnormal office facilities leverage camera or video surveillance systems at critical internal and external entry points and are monitored by security Personnel.
- Environmental Protection. Abnormal regularly assesses the cloud hosting provider’s ability to provide reasonable assurance that cloud hosting provider data centers implement and maintain appropriate and reasonable environmental controls for its data centers and other areas where Customer Data is stored, such as air temperature and humidity controls, and protections against power failures.
- Backup, Disaster Recovery, and Business Continuity. Abnormal will: (a) back up its production file systems and databases according to a defined schedule and conduct regular testing of backups; and (b) maintain a disaster recovery plan for the production data center and maintain business continuity plans designed to manage and minimize the effects of disaster events or unplanned operational disruptions with a stated goal of resuming routine service within forty-eight (48) hours; and (c) conduct regular testing of the effectiveness of such plans.
- Security Incident Response. For purposes of this Policy, any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data is a “Security Incident”. Abnormal will: (a) take reasonable measures to implement and maintain logging and monitoring technologies designed to identify, alert, and analyze security events; and (b) maintain plans and procedures to be followed in the event of an actual or suspected Security Incident (“Incident Response Plans”). The Incident Response Plans require Abnormal to undertake a root cause analysis of any actual or suspected Security Incident and to document remediation measures.
- Security Incident Notification. Abnormal will implement and follow procedures that are designed to detect and respond to Security Incidents and will notify Customer of any Security Incident affecting its Customer Data within forty-eight (48) hours of Abnormal becoming aware of the Security Incident, regardless of whether the Security Incident triggers any applicable breach notification law. Such notification will be executed using the contact information provided by Customer under the Records and Validation section of the Agreement.
Notice to a Customer will include: (a) a description of the nature of the Security Incident, including the categories and approximate number of Customer’s data subjects and personal data records concerned; (b) the name of Abnormal’s contact where more information can be obtained; (c) a description of the likely consequences of the Security Incident; and (d) a description of the measures taken or proposed to address or mitigate the adverse effects of the Security Incident, to the extent within Abnormal’s reasonable control.
- Storage and Transmission Security. Abnormal will logically segregate Customer Data from all other Abnormal or third-party data. Abnormal will: (a) securely store Customer Data; (b) encrypt Customer Data during transmission using, at a minimum, Transport Layer Security (TLS) protocol version 1.2 or above; and (c) encrypt Customer Data at rest using, at a minimum, the Advanced Encryption Standard (AES) 256-bit encryption protocol. Abnormal will establish encryption key management processes that are designed to ensure the secure generation, storage, distribution, and destruction of encryption keys. Abnormal will not store Customer Data on any removable storage devices or other similar portable electronic media.
- Data Retention and Secure Disposal. Abnormal will retain and securely dispose of Customer Data in accordance with the Agreement. During the Subscription Term, Customer may through the features of the Service access, return to itself or delete Customer Data. Following termination or expiration of the Agreement, Abnormal will delete all Customer Data from Abnormal’s systems. Deletion will be in accordance with industry-standard secure deletion practices. Abnormal will issue a certificate of deletion upon Customer’s written request. Notwithstanding the foregoing, Abnormal may retain Customer Data: (a) as required by applicable laws, or (b) in accordance with its standard backup or record retention policies, as governed by the Agreement.
- Risk Identification and Assessment. Abnormal will implement and maintain a risk assessment program to help identify foreseeable internal and external risks to Abnormal’s information resources and to Customer Data, and determine if existing controls, policies, and procedures are adequate.
- Subprocessors. Abnormal will authorize third-party service providers to access or process Customer Data (“Subprocessors”) only in accordance with the requirements and procedures specified in the Agreement, and specifically in the DPA. Prior to authorizing Subprocessors, Abnormal security Personnel will conduct a risk assessment of each Subprocessor to seek assurances of its data security practices (e.g., in the form of an independent third-party audit report such as the SOC 2 Type 2, ISO 27001, or a vendor security and risk evaluation). Abnormal enters into written agreements with its Subprocessors with security and data processing obligations substantially the same as those contained in this Policy.
- Change and Configuration Management. Abnormal has implemented and will maintain processes for managing changes and updates to production systems, applications, and databases, including without limitation, processes for documenting, testing, and approval of changes into production, security patching, and authentication.
- Release Management. Abnormal follows a continuous release process versus a standard release schedule and does not require a maintenance downtime window for the Service when pushing a new release. No Customer interaction is required to upgrade to the new version; the release is automatically applied to all Customers. Releases follow Abnormal’s change management procedures that are designed to ensure that releases are tested and approved prior to push to production. Abnormal communicates release information using the notification functionality within the Service.
- Training. Abnormal will undertake the following measures that are designed to ensure that Personnel who will have access to Customer Data are appropriately qualified and trained to handle Customer Data:
15.1. Information Security and Privacy Awareness Training. Upon hire and at minimum annually thereafter, Abnormal will require security and privacy awareness training to all Personnel who will process or have access to Customer Data. Abnormal security and privacy awareness training is designed to meet industry standards and will include, at a minimum, education on safeguarding against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and social engineering mechanisms.
15.2. Secure Code Training. Abnormal will require training on secure coding principles and their application, at minimum annually, for all Personnel who develop or handle any Abnormal source code. Abnormal secure code training will cover topics such as: (a) the Open Web Application Security Project list of the 10 most critical security risks to web-based applications (OWASP Top 10); and (b) appropriate techniques for the remediation of the listed security vulnerabilities.
- Background Checks. Abnormal Personnel will undergo a civil and criminal background check, to the extent permitted by applicable law.
- Audit and Assessments. Abnormal has implemented and will maintain a Compliance Audit Program including assessments performed by an independent third-party (“Auditor”) and defined Customer audit rights in accordance with the Agreement.
17.1 Independent Security Audit. Abnormal will engage an Auditor to certify compliance with the ISO 27001 standard, and conduct a SOC 2 Type 2 audit with a scoped audit period of a maximum 12 months to demonstrate its compliance with the security requirements of the Security Program. Abnormal’s SOC 2 Type 2 audit covers the Trust Services Criteria of Security, Availability, Confidentiality, and Privacy. Abnormal will make available to Customer publicly available certificates and summary copies of its SOC 2 Type 2 audit report (each, an “Audit Report”) on the Security Hub.
17.2 Customer Audits. Abnormal will make available the information necessary to demonstrate its compliance with the Security Program to support Customer in obtaining the information necessary to complete Customer’s audits, reviews, risk assessments, and security-related questions of Abnormal as Customer’s vendor. Please see the Security Hub for this information. For further details on Customer audit rights, please see your Data Processing Addendum (DPA).
17.3 Penetration Tests. At least once per twelve (12) month period, Abnormal will undertake a network penetration test by an independent third-party. Abnormal will make available to Customer an executive summary section of the penetration test report that pertains to the systems and operations that process, store, or transmit Customer Data. Abnormal will remediate all vulnerabilities that the penetration test identifies in accordance with the following remediation timelines:
Level | Timeline
---|---
Critical | 15 days
High | 30 days
Medium | 60 days
Low | Reasonable timeframe based on nature and probability of exploitation
Effective May 2nd 2024 to May 2nd 2024
ABNORMAL SECURITY CORPORATION INFORMATION SECURITY POLICY
- Policies and Procedures. Abnormal has implemented and will maintain security, privacy, confidentiality, availability, and code of conduct policies and procedures designed to ensure that the Service and Abnormal’s employees and contractors (“Personnel”) process Customer Data in accordance with this Policy and the Agreement. Abnormal has implemented and will enforce disciplinary measures against Personnel for failure to abide by the aforementioned policies and procedures.
- Logical Access Controls. Abnormal will take reasonable measures that are designed to ensure appropriate user authentication for Personnel with access to Customer Data, including without limitation, by assigning each Personnel unique authentication credentials for accessing any system on which Customer Data is processed and prohibiting Personnel from sharing their authentication credentials. Abnormal will restrict access to Customer Data solely to those Personnel who need access to Customer Data to perform Abnormal’s obligations under the Agreement.
Further, Abnormal will take reasonable measures to implement and maintain logging and monitoring technologies designed to help detect and prevent unauthorized access to its networks, servers, and applications, including but not limited to those that process Customer Data. Abnormal will conduct periodic reviews of systems that process Customer Data to verify the identities of individuals who access and have privileged access to systems to help detect and prevent unauthorized access to its network, servers, and applications and verify that all changes to its authentication systems were authorized and correct. Abnormal has implemented and will maintain procedures and policies that are designed to ensure that, upon termination of any Personnel, the terminated user's access to any Customer Data on Abnormal systems will be promptly revoked, and in all cases, revocation will occur no later than twenty-four (24) hours following such termination.
- Intrusion Prevention. Abnormal utilizes reasonable measures designed to ensure that its infrastructure protections are consistent with industry standards in preventing unauthorized access to Abnormal networks, servers, and applications. Such measures include but are not limited to the implementation of intrusion prevention technologies, anti-malware services, and firewall rules.
- Physical Access. Abnormal limits physical access to its office facilities using physical controls (e.g., coded badge access). Abnormal regularly assesses the cloud hosting provider’s ability to provide reasonable assurance that access to their data centers and other areas where Customer Data is stored is limited to authorized individuals. Cloud hosting provider data centers and Abnormal office facilities leverage camera or video surveillance systems at critical internal and external entry points and are monitored by security Personnel.
- Environmental Protection. Abnormal regularly assesses the cloud hosting provider’s ability to provide reasonable assurance that cloud hosting provider data centers implement and maintain appropriate and reasonable environmental controls for its data centers and other areas where Customer Data is stored, such as air temperature and humidity controls, and protections against power failures.
- Backup, Disaster Recovery, and Business Continuity. Abnormal will: (a) back up its production file systems and databases according to a defined schedule and conduct regular testing of backups; (b) maintain a disaster recovery plan for the production data center and maintain business continuity plans designed to manage and minimize the effects of disaster events or unplanned operational disruptions, with a stated goal of resuming routine service within forty-eight (48) hours; and (c) conduct regular testing of the effectiveness of such plans.
- Security Incident Response. For purposes of this Policy, any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data is a “Security Incident”. Abnormal will: (a) take reasonable measures to implement and maintain logging and monitoring technologies designed to identify, alert, and analyze security events; and (b) maintain plans and procedures to be followed in the event of an actual or suspected Security Incident (“Incident Response Plans”). The Incident Response Plans require Abnormal to undertake a root cause analysis of any actual or suspected Security Incident and to document remediation measures.
- Security Incident Notification. Abnormal will implement and follow procedures that are designed to detect and respond to Security Incidents and will notify Customer of any Security Incident affecting its Customer Data within forty-eight (48) hours of Abnormal becoming aware of the Security Incident, regardless of whether the Security Incident triggers any applicable breach notification law. Such notification will be executed using the contact information provided by Customer under the Records and Validation section of the Agreement.
Notice to a Customer will include: (a) a description of the nature of the Security Incident, including the categories and approximate number of Customer’s data subjects and personal data records concerned; (b) the name of Abnormal’s contact where more information can be obtained; (c) a description of the likely consequences of the Security Incident; (d) a description of the measures taken or proposed to address or mitigate the adverse effects of the Security Incident, to the extent within Abnormal’s reasonable control.
- Storage and Transmission Security. Abnormal will logically segregate Customer Data from all other Abnormal or third-party data. Abnormal will: (a) securely store Customer Data; (b) encrypt Customer Data during transmission using, at a minimum, Transport Layer Security (TLS) protocol version 1.2 or above; and (c) encrypt Customer Data at rest using, at a minimum, the Advanced Encryption Standard (AES) 256-bit encryption protocol. Abnormal will establish encryption key management processes that are designed to ensure the secure generation, storage, distribution, and destruction of encryption keys. Abnormal will not store Customer Data on any removable storage devices or other similar portable electronic media.
- Data Retention and Secure Disposal. Abnormal will retain and securely dispose of Customer Data in accordance with the Agreement. During the Subscription Term, Customer may through the features of the Service access, return to itself or delete Customer Data. Following termination or expiration of the Agreement, Abnormal will delete all Customer Data from Abnormal’s systems. Deletion will be in accordance with industry-standard secure deletion practices. Abnormal will issue a certificate of deletion upon Customer’s written request. Notwithstanding the foregoing, Abnormal may retain Customer Data: (a) as required by applicable laws, or (b) in accordance with its standard backup or record retention policies, as governed by the Agreement.
- Risk Identification and Assessment. Abnormal will implement and maintain a risk assessment program to help identify foreseeable internal and external risks to Abnormal’s information resources and to Customer Data, and determine if existing controls, policies, and procedures are adequate.
- Subprocessors. Abnormal will authorize third-party service providers to access or process Customer Data (“Subprocessors”) only in accordance with the requirements and procedures specified in the Agreement, and specifically in the DPA. Prior to authorizing Subprocessors, Abnormal security Personnel will conduct a risk assessment of each Subprocessor to seek assurances of its data security practices (e.g., in the form of an independent third-party audit report such as the SOC 2 Type 2, ISO 27001, or a vendor security and risk evaluation). Abnormal enters into written agreements with its Subprocessors with security and data processing obligations substantially the same as those contained in this Policy.
- Change and Configuration Management. Abnormal has implemented and will maintain processes for managing changes and updates to production systems, applications, and databases, including without limitation processes for documenting, testing, and approving changes into production, security patching, and authentication.
- Release Management. Abnormal follows a continuous release process versus a standard release schedule and does not require a maintenance downtime window for the Service when pushing a new release. No Customer interaction is required to upgrade to the new version; the release is automatically applied to all Customers. Releases follow Abnormal’s change management procedures that are designed to ensure that releases are tested and approved prior to push to production. Abnormal communicates release information using the notification functionality within the Service.
- Training. Abnormal will undertake the following measures that are designed to ensure that Personnel who will have access to Customer Data are appropriately qualified and trained to handle Customer Data:
15.1. Information Security and Privacy Awareness Training. Upon hire and at minimum annually thereafter, Abnormal will require security and privacy awareness training to all Personnel who will process or have access to Customer Data. Abnormal security and privacy awareness training is designed to meet industry standards and will include, at a minimum, education on safeguarding against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and social engineering mechanisms.
15.2. Secure Code Training. Abnormal will require training on secure coding principles and their application, at minimum annually, for all Personnel who develop or handle any Abnormal source code. Abnormal secure code training will cover topics such as: (a) the Open Web Application Security Project list of the 10 most critical security risks to web-based applications (OWASP Top 10); and (b) appropriate techniques for the remediation of the listed security vulnerabilities.
- Background Checks. Abnormal Personnel will undergo a civil and criminal background check, to the extent permitted by applicable law.
- Audit and Assessments. Abnormal has implemented and will maintain a Compliance Audit Program including assessments performed by an independent third-party (“Auditor”) and defined Customer audit rights in accordance with the Agreement.
17.1 Independent Security Audit. Abnormal will engage an Auditor to certify compliance with the ISO 27001 standard, and conduct a SOC 2 Type 2 audit with a scoped audit period of a maximum 12 months to demonstrate its compliance with the security requirements of the Security Program. Abnormal’s SOC 2 Type 2 audit covers the Trust Services Criteria of Security, Availability, Confidentiality, and Privacy. Abnormal will make available to Customer publicly available certificates and summary copies of its SOC 2 Type 2 audit report (each, an “Audit Report”) on the Security Hub.
17.2 Customer Audits. Abnormal will make available the information necessary to demonstrate its compliance with the Security Program to support Customer in obtaining the information necessary to complete Customer’s audits, reviews, risk assessments, and security-related questions of Abnormal as Customer’s vendor. Please see the Security Hub for this information. For further details on Customer audit rights, please see your Data Processing Addendum (DPA).
17.3 Penetration Tests. At least once per twelve (12) month period, Abnormal will undertake a network penetration test by an independent third-party. Abnormal will make available to Customer an executive summary section of the penetration test report that pertains to the systems and operations that process, store, or transmit Customer Data. Abnormal will remediate all vulnerabilities that the penetration test identifies in accordance with the following remediation timelines:
Level | Timeline
--- | ---
Critical | 15 days
High | 30 days
Medium | 60 days
Low | Reasonable timeframe based on nature and probability of exploitation
Effective April 12th 2022 to May 2nd 2024
ABNORMAL SECURITY INFORMATION SECURITY POLICY
During the Term of the Agreement, Abnormal will maintain an Information Security Program (“Security Program”) in accordance with the requirements of this Information Security Policy (“Security Policy”). Terms not otherwise defined herein have the same meanings as set forth in the written subscription agreement under which Abnormal provides its Service as entered into by and between Customer and Abnormal ("Agreement"). In the event of a conflict between the terms of this Security Policy and the terms of the Agreement, the terms of this Security Policy will apply.
Elements of the Security Program.
Minimum Security Standards. The Security Program will use industry standard controls designed to protect the confidentiality, integrity, and availability of Customer Data against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss or destruction or damage. The Security Program will maintain administrative, technical, and physical safeguards appropriate to: (a) the size, scope and type of Abnormal business; (b) the type of information that Abnormal stores; and (c) the need for security and confidentiality of such information.
1. Security Policies and Procedures. Abnormal will maintain and implement security policies and procedures designed to ensure that the Service and its employees and contractors process Customer Data in accordance with this Security Policy. Abnormal will implement and enforce disciplinary measures against employees and contractors for failure to abide by its security policies and procedures.
2. Intrusion Prevention. Abnormal will take reasonable measures designed to ensure that its infrastructure protections are consistent with industry standards in preventing unauthorized access to Abnormal networks, servers and applications. Such measures include but are not limited to the implementation of intrusion prevention technologies, anti-malware services, and stringent firewall rules.
3. Physical Access Controls. Abnormal will establish limits on physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to data centers and other areas where Customer Data is stored is limited to authorized individuals. Data centers leverage camera or video surveillance systems at critical internal and external entry points.
4. Logical Access Controls.
Abnormal will take reasonable measures that are designed to ensure appropriate user authentication for all employees or contractors with access to Customer Data, including without limitation, by assigning each employee or contractor unique authentication credentials for accessing any system on which Customer Data is accessed and prohibiting employees or contractors from sharing their authentication credentials. Abnormal will restrict access to Customer Data to those employees or contractors who need access to Customer Data to perform Abnormal obligations under the Agreement.
Abnormal will take reasonable measures to implement and maintain logging and monitoring technologies designed to help prevent unauthorized access to, and to detect unauthorized attempts to access, its networks, servers, and applications. Abnormal will conduct periodic reviews of systems that process Customer Data to verify the identities of individuals who access and have privileged access to systems to help detect and prevent unauthorized access to its network, servers and applications and verify that all changes to its authentication systems were authorized and correct. Abnormal will have policies in place that are designed to ensure that, upon termination of any employee or contractor, the terminated employee’s or contractor’s access to any Customer Data on Abnormal systems will be promptly revoked, and in all cases revocation will occur no later than twenty-four (24) hours following such termination.
5. Environmental Access Controls. If Abnormal supplies data center services, Abnormal will implement and maintain appropriate and reasonable environmental controls for its data centers and other areas where Customer Data is stored, such as air temperature and humidity controls, and protections against power failures.
6. Disaster Recovery and Backup Controls. If Abnormal supplies data center services, Abnormal will: (a) back up its production file systems and databases according to a defined schedule; and (b) maintain a formal disaster recovery plan for the production data center and conduct regular testing of the effectiveness of such plan.
7. Business Continuity and Incident Response Plans. If Abnormal processes, stores, or transmits Customer Data, then Abnormal will take reasonable measures to maintain business continuity plans and incident response plans to manage and minimize the effects of unplanned operational disruptions (cyber, physical or natural) (“Incident Response Plans”). These plans will include procedures to be followed in the event of an actual or suspected Security Breach or business interruption and have a stated goal of resumption of routine service within 48 hours of such an incident. The Incident Response Plans will require Abnormal to undertake a root cause analysis of any actual or suspected Security Breach and to document remediation measures.
8. Security Breach Notification. Abnormal will notify Customer of any unauthorized access to Customer Data in accordance with the terms and conditions of the Agreement. In the event no such terms are specified in the Agreement, the following terms will apply:
Abnormal will notify Customer of any unauthorized, unlawful or accidental access to, or disclosure, transfer, destruction, loss or alteration of, Customer Data (each, a “Security Breach”) within two business days of Abnormal’s knowledge of the Security Breach, regardless of whether the Security Breach triggers any applicable breach notification law. Abnormal will notify Customer of a Security Breach by email to Abnormal’s primary contact within the Customer organization.
Notice to Customer will include: (a) a description of the nature of the Security Breach, including the categories and approximate number of data subjects and personal data records concerned; (b) the name of Abnormal’s contact where more information can be obtained; (c) a description of the likely consequences of the Security Breach; (d) a description of the measures taken or proposed to address the Security Breach; and (e) a description of measures to mitigate the adverse effects of the Security Breach.
9. Storage and Transmission Security.
Abnormal will logically segregate Customer Data from all other Abnormal or third-party data. Abnormal will: (a) securely store Customer Data; (b) encrypt Customer Data during transmission using, at a minimum, Transport Layer Security (TLS) protocol version 1.2 or above; and (c) encrypt Customer Data at rest using, at a minimum, the Advanced Encryption Standard (AES) 256-bit encryption protocol.
Abnormal will establish encryption key management processes that are designed to ensure the secure generation, storage, distribution, and destruction of encryption keys. Abnormal will not store Customer Data on any removable storage devices.
10. Secure Disposal.
Upon expiration or termination of the Agreement, Abnormal will return or delete Customer Data in accordance with the Agreement. If deletion is required, Customer Data will be securely deleted in accordance with industry leading methods (e.g., NIST SP 800-88), except that Customer Data stored electronically in Abnormal backup or email systems may be deleted over time in accordance with Abnormal records management practices.
If Abnormal stores Customer Data in Abnormal cloud computing services, Abnormal will retain Customer Data stored in its cloud computing services for the duration of any active Subscription Term or until the expiration or termination of this Agreement. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation.
11. Risk Identification and Assessment. Abnormal will implement and maintain a risk assessment program to help identify foreseeable internal and external risks to Abnormal’s information resources and determine if existing controls, policies, and procedures are adequate.
12. Subcontractors. Prior to engaging new third-party service providers or adding new technologies to its Service that will access or process Customer Data (collectively, for the purposes of this Security Policy, “Subcontractors”), Abnormal will conduct a risk assessment of each Subcontractor’s data security practices. Abnormal enters into written agreements with its Subcontractors with security obligations substantially similar to those contained in this Security Policy. Abnormal will be responsible for the acts or omissions of Subcontractors under the Agreement. This paragraph does not limit Abnormal’s obligations regarding Sub-processors as set out in the DPA.
13. Change and Configuration Management. Abnormal will implement and maintain policies and procedures for managing changes and updates to production systems, applications, and databases, including without limitation processes for documenting, testing, and approving changes into production, security patching, and authentication.
14. Training and Background Checks. Abnormal will undertake the following measures that are designed to ensure that personnel who will have access to Customer Data are appropriately qualified.
14.1. Background Checks. Employees and contractors of Abnormal who will have access to Customer Data or systems that process Customer Data will undergo a civil and criminal background check, where permitted by applicable law. Upon written request, not more than once per 12-month period, Abnormal will certify its compliance to Customer with this Section.
14.2. Information Security Awareness Training. Abnormal will provide new hire security awareness training, and refresher security awareness training at least once a year thereafter, to all personnel who process or may have access to Customer Data. Abnormal will make available to Customer documentation to validate compliance with this security awareness training requirement for the current year. Abnormal security awareness training is designed to meet industry standards and will include, at a minimum, education on safeguarding against data loss, misuse or breach through physical, logical and social engineering mechanisms.
14.3. Secure Code Training. Abnormal will provide annual training on secure coding principles and their application (Secure Code Training) to all personnel who develop or handle any Abnormal source code. Abnormal training will cover topics such as: (a) the Open Web Application Security Project (OWASP) list of the 10 most critical security risks to web-based applications (OWASP Top 10); and (b) appropriate techniques for the remediation of the listed security vulnerabilities.
15. Security Program Proof of Compliance.
Third Party Standards and Assessments. During the Term of the Agreement and at Abnormal’s expense, Abnormal will undertake the following third-party assessments of the networks, servers, applications and operations where Customer Data is processed, stored or transmitted.
15.1. Third-Party Security Audit.
Abnormal engages an industry-recognized third party auditor to conduct a SOC 2 Type 2 security audit on at least an annual basis in order to demonstrate its compliance with the security requirements of the Security Program.
Abnormal’s SOC 2 Type 2 audit covers the Trust Services Criteria of Security, Availability and Confidentiality developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Abnormal will make available to Customer copies of Abnormal’s current SOC 2 report annually upon written request.
Where Abnormal is not permitted to audit the data processing facilities of its Subcontractors that store or process Customer Data (e.g., cloud data centers), Abnormal will seek assurances from such Subcontractors (e.g., in the form of an independent third party audit report such as the SOC 2 Type 2, ISO 27001, and vendor security evaluations).
15.2. Penetration Tests.
If Abnormal processes, stores, or transmits Customer Data, then at least once every year, Abnormal will undertake a network penetration test by an independent third party. Abnormal will remediate all critical and high vulnerabilities that the penetration test identifies within 30 days of the date they were first identified and will remediate all identified medium level vulnerabilities within a reasonable time period.
Abnormal will make available to Customer an executive summary section of the penetration test report that pertains to the systems and operations that process, store, or transmit Customer Data, which will be deemed Confidential Information under the Agreement.
15.3. Audit and Vendor Risk Assessment.
From time to time, during regular business hours and upon reasonable notice, Customer, its regulators and/or designated third-party auditor(s) (that are not considered competitors of Abnormal) may perform, and Abnormal will reasonably assist with, a Vendor Risk Assessment (VRA). The VRA shall consist of a review of Abnormal’s security-related documentation regarding its compliance with this Security Policy. Upon review of such materials, if Customer cannot find the assurances it considers necessary by review of such security documentation, then Customer may submit reasonable requests for information security and audit questionnaires that are necessary to confirm Abnormal’s compliance with this Security Policy, provided that Customer shall not exercise this right more than once per year, and Abnormal will make its security personnel available to answer such questions related to Abnormal’s compliance with this Security Policy and applicable regulations and laws. All reasonable costs and expenses actually incurred in such an audit shall be borne by the Customer. For the avoidance of doubt, Abnormal will pay all costs and expenses incurred in connection with Abnormal’s own regulatory compliance and financial reporting requirements. In the event of a Security Breach that requires reporting to a supervisory authority or other governmental authority, Customer may conduct an audit or VRA on no less than three days’ notice, at Abnormal’s expense.
In addition to Customer’s audit rights, Abnormal agrees to reasonably cooperate with and respond to Customer’s annual security questionnaires. Any information exchanged in connection with the activities described in this Section is deemed to be Abnormal Confidential Information.
In the event Abnormal is required by law, regulation, or legal process to disclose any Customer Data, Abnormal will (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.
17. Updates.
As Abnormal releases new products, services, functionality, and features, Abnormal may update this Security Policy to account for such products, services, functionality, and features.
Effective April 4th 2022 to April 12th 2022
ABNORMAL SECURITY INFORMATION SECURITY POLICY
During the Term of the Agreement, Abnormal will maintain an Information Security Program (“Security Program”) in accordance with the requirements of this Information Security Policy (“Security Policy”). Terms not otherwise defined herein have the same meanings as set forth in the written subscription agreement under which Abnormal provides its Service as entered into by and between Customer and Abnormal ("Agreement"). In the event of a conflict between the terms of this Security Policy and the terms of the Agreement, the terms of this Security Policy will apply.
Elements of the Security Program.
Minimum Security Standards. The Security Program will use industry standard controls designed to protect the confidentiality, integrity, and availability of Customer Data against anticipated or actual threats or hazards; unauthorized or unlawful access, use, disclosure, alteration, or destruction; and accidental loss or destruction or damage. The Security Program will maintain administrative, technical, and physical safeguards appropriate to: (a) the size, scope and type of Abnormal business; (b) the type of information that Abnormal stores; and (c) the need for security and confidentiality of such information.
1. Security Policies and Procedures. Abnormal will maintain and implement security policies and procedures designed to ensure that the Service and its employees and contractors process Customer Data in accordance with this Security Policy. Abnormal will implement and enforce disciplinary measures against employees and contractors for failure to abide by its security policies and procedures.
2. Intrusion Prevention. Abnormal will take reasonable measures designed to ensure that its infrastructure protections are consistent with industry standards in preventing unauthorized access to Abnormal networks, servers and applications. Such measures include but are not limited to the implementation of intrusion prevention technologies, anti-malware services, and stringent firewall rules.
3. Physical Access Controls. Abnormal will establish limits on physical access to its information systems and facilities using physical controls (e.g., coded badge access) that provide reasonable assurance that access to data centers and other areas where Customer Data is stored is limited to authorized individuals. Data centers leverage camera or video surveillance systems at critical internal and external entry points.
4. Logical Access Controls.
Abnormal will take reasonable measures that are designed to ensure appropriate user authentication for all employees or contractors with access to Customer Data, including without limitation, by assigning each employee or contractor unique authentication credentials for accessing any system on which Customer Data is accessed and prohibiting employees or contractors from sharing their authentication credentials. Abnormal will restrict access to Customer Data to those employees or contractors who need access to Customer Data to perform Abnormal obligations under the Agreement.
Abnormal will take reasonable measures to implement and maintain logging and monitoring technologies designed to help prevent unauthorized access to, and to detect unauthorized attempts to access, its networks, servers, and applications. Abnormal will conduct periodic reviews of systems that process Customer Data to verify the identities of individuals who access and have privileged access to systems to help detect and prevent unauthorized access to its network, servers and applications and verify that all changes to its authentication systems were authorized and correct. Abnormal will have policies in place that are designed to ensure that, upon termination of any employee or contractor, the terminated employee’s or contractor’s access to any Customer Data on Abnormal systems will be promptly revoked, and in all cases revocation will occur no later than twenty-four (24) hours following such termination.
5. Environmental Access Controls. If Abnormal supplies data center services, Abnormal will implement and maintain appropriate and reasonable environmental controls for its data centers and other areas where Customer Data is stored, such as air temperature and humidity controls, and protections against power failures.
6. Disaster Recovery and Backup Controls. If Abnormal supplies data center services, Abnormal will: (a) back up its production file systems and databases according to a defined schedule; and (b) maintain a formal disaster recovery plan for the production data center and conduct regular testing of the effectiveness of such plan.
7. Business Continuity and Incident Response Plans. If Abnormal processes, stores, or transmits Customer Data, then Abnormal will take reasonable measures to maintain business continuity plans and incident response plans to manage and minimize the effects of unplanned operational disruptions (cyber, physical or natural) (“Incident Response Plans”). These plans will include procedures to be followed in the event of an actual or suspected Security Breach or business interruption and have a stated goal of resumption of routine service within 48 hours of such an incident. The Incident Response Plans will require Abnormal to undertake a root cause analysis of any actual or suspected Security Breach and to document remediation measures.
8. Security Breach Notification. Abnormal will notify Customer of any unauthorized access to Customer Data in accordance with the terms and conditions of the Agreement. In the event no such terms are specified in the Agreement, the following terms will apply:
Abnormal will notify Customer of any unauthorized, unlawful or accidental access to, or disclosure, transfer, destruction, loss or alteration of, Customer Data (each, a “Security Breach”) within two business days of Abnormal’s knowledge of the Security Breach, regardless of whether the Security Breach triggers any applicable breach notification law. Abnormal will notify Customer of a Security Breach by email to Abnormal’s primary contact within the Customer organization.
Notice to Customer will include: (a) a description of the nature of the Security Breach, including the categories and approximate number of data subjects and personal data records concerned; (b) the name of Abnormal’s contact where more information can be obtained; (c) a description of the likely consequences of the Security Breach; (d) a description of the measures taken or proposed to address the Security Breach; and (e) a description of measures to mitigate the adverse effects of the Security Breach.
9. Storage and Transmission Security.
Abnormal will logically segregate Customer Data from all other Abnormal or third-party data. Abnormal will: (a) securely store Customer Data; (b) encrypt Customer Data during transmission using, at a minimum, Transport Layer Security (TLS) protocol version 1.2 or above; and (c) encrypt Customer Data at rest using, at a minimum, the Advanced Encryption Standard (AES) 256-bit encryption protocol.
Abnormal will establish encryption key management processes that are designed to ensure the secure generation, storage, distribution, and destruction of encryption keys. Abnormal will not store Customer Data on any removable storage devices.
10. Secure Disposal.
Upon expiration or termination of the Agreement, Abnormal will return or delete Customer Data in accordance with the Agreement. If deletion is required, Customer Data will be securely deleted in accordance with industry leading methods (e.g., NIST SP 800-88), except that Customer Data stored electronically in Abnormal backup or email systems may be deleted over time in accordance with Abnormal records management practices.
If Abnormal stores Customer Data in Abnormal cloud computing services, Abnormal will retain Customer Data stored in its cloud computing services for the duration of any active Subscription Term or until the expiration or termination of this Agreement. During a Subscription Term, Customer may export Customer Data from the Service (or Abnormal will otherwise make the Customer Data available to Customer) as described in the Documentation.
11. Risk Identification and Assessment. Abnormal will implement and maintain a risk assessment program to help identify foreseeable internal and external risks to Abnormal’s information resources and determine if existing controls, policies, and procedures are adequate.
12. Subcontractors. Prior to engaging new third-party service providers or adding new technologies to its Service that will access or process Customer Data (collectively, for the purposes of this Security Policy, “Subcontractors”), Abnormal will conduct a risk assessment of each Subcontractor’s data security practices. Abnormal enters into written agreements with its Subcontractors with security obligations substantially similar to those contained in this Security Policy. Abnormal will be responsible for the acts or omissions of Subcontractors under the Agreement. This paragraph does not limit Abnormal’s obligations regarding Sub-processors as set out in the DPA.
13. Change and Configuration Management. Abnormal will implement and maintain policies and procedures for managing changes and updates to production systems, applications, and databases, including without limitation, processes for documenting, testing, and approval of changes into production, security patching, and authentication.
14. Training and Background Checks. Abnormal will undertake the following measures that are designed to ensure that personnel who will have access to Customer Data are appropriately qualified.
14.1. Background Checks. Employees and contractors of Abnormal who will have access to Customer Data or systems that process Customer Data will undergo a civil and criminal background check, where permitted by applicable law, prior to accessing Customer Data or systems. Upon written request, not more than once per 12-month period, Abnormal will certify its compliance to Customer with this Section.
14.2. Information Security Awareness Training. Abnormal will provide new hire security awareness training, and refresher security awareness training at least once a year thereafter, to all personnel who process or may have access to Customer Data. Abnormal will make available to Customer documentation to validate compliance with this security awareness training requirement for the current year. Abnormal security awareness training is designed to meet industry standards and will include, at a minimum, education on safeguarding against data loss, misuse or breach through physical, logical and social engineering mechanisms.
14.3. Secure Code Training. Abnormal will provide annual training on secure coding principles and their application (Secure Code Training) to all personnel who develop or handle any Abnormal source code. Abnormal training will cover topics such as: (a) the Open Web Application Security Project (OWASP) list of the 10 most critical security risks to web-based applications (OWASP Top 10); and (b) appropriate techniques for the remediation of the listed security vulnerabilities.
15. Security Program Proof of Compliance.
Third Party Standards and Assessments. During the Term of the Agreement and at Abnormal’s expense, Abnormal will undertake the following third-party assessments of the networks, servers, applications and operations where Customer Data is processed, stored or transmitted.
15.1. Third-Party Security Audit.
Abnormal engages an industry-recognized third party auditor to conduct a SOC 2 Type 2 security audit on at least an annual basis in order to demonstrate its compliance with the security requirements of the Security Program.
Abnormal’s SOC 2 Type 2 audit covers the Trust Services Criteria of Security, Availability and Confidentiality developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Abnormal will make available to Customer copies of Abnormal’s current SOC 2 report annually upon written request.
Where Abnormal is not permitted to audit the data processing facilities of its Subcontractors that store or process Customer Data (e.g., cloud data centers), Abnormal will seek assurances from such Subcontractors (e.g., in the form of an independent third party audit report such as the SOC 2 Type 2, ISO 27001, and vendor security evaluations).
15.2. Penetration Tests.
If Abnormal processes, stores, or transmits Customer Data, then at least once every year, Abnormal will undertake a network penetration test by an independent third party. Abnormal will remediate all critical and high vulnerabilities that the penetration test identifies within 30 days of the date they were first identified and will remediate all identified medium level vulnerabilities within a reasonable time period.
Abnormal will make available to Customer an executive summary section of the penetration test report that pertains to the systems and operations that process, store, or transmit Customer Data, which will be deemed Confidential Information under the Agreement.
15.3. Audit and Vendor Risk Assessment.
From time to time, during regular business hours and upon reasonable notice, Customer, its regulators and/or designated third-party auditor(s) (that are not considered competitors of Abnormal) may perform, and Abnormal will reasonably assist with, a Vendor Risk Assessment (VRA). The VRA shall consist of a review of Abnormal’s security related documentation regarding its compliance with this Security Policy. Upon review of such materials, if Customer cannot find the assurances it considers necessary by review of such security documentation, then Customer may submit reasonable requests for information security and audit questionnaires that are necessary to confirm Abnormal’s compliance with this Security Policy, provided that Customer shall not exercise this right more than once per year, and Abnormal will make its security personnel available to answer such questions related to Abnormal’s compliance with this Security Policy and applicable regulations and laws. All reasonable costs and expenses actually incurred in such an audit shall be borne by the Customer. For the avoidance of doubt, Abnormal will pay all costs and expenses incurred in connection with Abnormal’s own regulatory compliance and financial reporting requirements. In the event of a Security Breach that requires reporting to a supervisory authority or other governmental authority, Customer may conduct an audit or VRA on no less than three days’ notice, at Abnormal’s expense.
In addition to Customer’s audit rights, Abnormal agrees to reasonably cooperate and respond to Customer’s annual security questionnaires. Any information exchanged in the course of the activities described in this Section is deemed to be Abnormal Confidential Information.
In the event Abnormal is required by law, regulation, or legal process to disclose any Customer Data, Abnormal will (a) give Customer, to the extent possible, reasonable advance notice prior to disclosure so Customer may contest the disclosure or seek a protective order, and (b) reasonably limit the disclosure to the minimum amount that is legally required to be disclosed.
17. Updates.
As Abnormal releases new products, services, functionality, and features, Abnormal may update this Security Policy to account for such products, services, functionality, and features.
Abnormal Security Data Processing Addendum
Effective May 10th 2024
2. Scope and Duration.
3. Processing of Personal Data.
4. Subprocessors.
5. Security.
7. Data Subject Requests.
8. Data Return or Deletion.
9. Audits.
10. Cross-Border Transfers/Region-Specific Terms.
SCHEDULE 1 – Subject Matter and Details of Processing
A. LIST OF PARTIES
| Field | Customer |
| --- | --- |
| Name | The named “Customer” on the signed or accepted Order or Agreement. |
| Address | The address associated with the Customer on the signed or accepted Order or Agreement. |
| Contact person’s name, position and contact details | The contact details associated with the Customer on the signed or accepted Order or Agreement. |
| Activities relevant to the data transferred under these Clauses | See Description of Transfer below. |
| Signature and date | Refer to the signed or accepted Order or Agreement. |
| Role (controller/processor) | Controller |

| Field | Abnormal |
| --- | --- |
| Name | Abnormal Security Corporation |
| Address | 185 Clara Street, Suite 100, San Francisco, CA 94107, United States |
| Contact person’s name, position and contact details | The contact details associated with Abnormal on the signed or accepted Order or Agreement. |
| Activities relevant to the data transferred under these Clauses | See Description of Transfer below. |
| Signature and date | Refer to the signed or accepted Order or Agreement. |
| Role (controller/processor) | Processor |
B. DESCRIPTION OF TRANSFER
| Item | Details |
| --- | --- |
| Categories of data subjects whose personal data is transferred | Individual users of the cloud office applications and infrastructure that Controller has authorized Processor’s Service to connect to, including Controller’s messaging systems, as well as individuals sending messages to or receiving messages from user accounts. |
| Categories of personal data transferred | More detailed categories of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Ongoing as determined by the Controller. |
| Nature of the processing | For the provision of the Service and Support under the Agreement. More details on Abnormal processing activities of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| Purpose(s) of the data transfer and further processing. | Scanning of message contents, metadata, activity logs, and cloud application and infrastructure configurations for malicious activity and signatures. More detailed purposes for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. | During the Term and as set forth in the data retention policies as published in the Documentation. Additional specific retention periods for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. | During the Term and as specified under the Agreement. |
C. SUBPROCESSORS
SCHEDULE 2 – Technical and Organizational Measures
- Abnormal has established an information security policy that is reviewed and approved on a regular cadence.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on Abnormal premises.
- The Service processes Customer Data on an in-memory basis via API.
- Customer Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by a secured key management service.
- Procedures for backup and retention of data and programs have been documented and implemented.
- Backups are encrypted and access is limited based upon least privilege.
- Data and programs are backed up regularly and tested to ensure recoverability.
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- Employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the appropriate management and is based on least privilege and business need. Multi-factor secure remote access is required for all access to the production systems.
- All print services are disabled by default on all production servers.
- All Abnormal employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Segmentation of network environment using logical networking controls.
- Default blocked firewall policies.
- Limited number of integration-related endpoints are accessible via public internet and protected by Web Application Firewalls (WAFs).
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput.
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS required for all web traffic.
- Encrypted connectors for databases using SSL.
SCHEDULE 3 – Cross-Border Transfer Mechanism
| Term | Meaning |
| --- | --- |
| “Designated EU Governing Law” means: | The laws of the Republic of Ireland |
| “Designated EU Member State” means: | Republic of Ireland |

| Section Reference | Clause Application |
| --- | --- |
| Section I, Clause 7 | The docking clause does not apply. |
| Section II, Clause 9 | Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Abnormal shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA. |
| Section II, Clause 11 | The optional language does not apply. |
| Section II, Clause 13 | All square brackets are removed with the text remaining. |
| Section IV, Clause 17 | Option 1 will apply, and the EU SCCs will be governed by the Designated EU Governing Law. |
| Section IV, Clause 18 (b) | Disputes will be resolved before the courts of the Designated EU Member State. |
| Schedule 1 (Subject Matter and Details of Processing) | Contains the information required in Annex 1 of the EU SCCs. |
| Schedule 2 (Technical and Organisational Measures) | Contains the information required in Annex 2 of the EU SCCs. |

| Section Reference | Clause Application |
| --- | --- |
| Section II, Clause 13 | The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner. |
| Section IV, Clause 17 (Option 1) | The EU SCCs will be governed by the laws of Switzerland. |
| Section IV, Clause 18 (b) | Disputes will be resolved before the courts of Switzerland. |
| Section IV, Clause 18 (c) | The term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). |
| EU GDPR | All references to the EU GDPR in this DPA are also deemed to refer to the FADP. |
SCHEDULE 4: Region-Specific Terms
Effective September 7th 2023 to May 10th 2024
2. Scope and Duration.
3. Processing of Personal Data.
4. Subprocessors.
5. Security.
7. Data Subject Requests.
8. Data Return or Deletion.
9. Audits.
10. Cross-Border Transfers/Region-Specific Terms.
SCHEDULE 1 – Subject Matter and Details of Processing
A. LIST OF PARTIES
| Field | Customer |
| --- | --- |
| Name | The named “Customer” on the signed or accepted Order or Agreement. |
| Address | The address associated with the Customer on the signed or accepted Order or Agreement. |
| Contact person’s name, position and contact details | The contact details associated with the Customer on the signed or accepted Order or Agreement. |
| Activities relevant to the data transferred under these Clauses | See Description of Transfer below. |
| Signature and date | Refer to the signed or accepted Order or Agreement. |
| Role (controller/processor) | Controller |

| Field | Abnormal |
| --- | --- |
| Name | Abnormal Security Corporation |
| Address | 185 Clara Street, Suite 100, San Francisco, CA 94107, United States |
| Contact person’s name, position and contact details | The contact details associated with Abnormal on the signed or accepted Order or Agreement. |
| Activities relevant to the data transferred under these Clauses | See Description of Transfer below. |
| Signature and date | Refer to the signed or accepted Order or Agreement. |
| Role (controller/processor) | Processor |
B. DESCRIPTION OF TRANSFER
| Item | Details |
| --- | --- |
| Categories of data subjects whose personal data is transferred | Individual users of the cloud office applications and infrastructure that Controller has authorized Processor’s Service to connect to, including Controller’s messaging systems, as well as individuals sending messages to or receiving messages from user accounts. |
| Categories of personal data transferred | More detailed categories of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Ongoing as determined by the Controller. |
| Nature of the processing | For the provision of the Service and Support under the Agreement. More details on Abnormal processing activities of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| Purpose(s) of the data transfer and further processing. | Scanning of message contents, metadata, activity logs, and cloud application and infrastructure configurations for malicious activity and signatures. More detailed purposes for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. | During the Term and as set forth in the data retention policies as published in the Documentation. Additional specific retention periods for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. | During the Term and as specified under the Agreement. |
C. SUBPROCESSORS
SCHEDULE 2 – Technical and Organizational Measures
- Abnormal has established an information security policy that is reviewed and approved on a regular cadence.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on Abnormal premises.
- The Service processes Customer Data on an in-memory basis via API.
- Customer Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by a secured key management service.
- Procedures for backup and retention of data and programs have been documented and implemented.
- Backups are encrypted and access is limited based upon least privilege.
- Data and programs are backed up regularly and tested to ensure recoverability.
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- Employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the appropriate management and is based on least privilege and business need. Multi-factor secure remote access is required for all access to the production systems.
- All print services are disabled by default on all production servers.
- All Abnormal employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Segmentation of network environment using logical networking controls.
- Default blocked firewall policies.
- Limited number of integration-related endpoints are accessible via public internet and protected by Web Application Firewalls (WAFs).
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput.
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS required for all web traffic.
- Encrypted connectors for databases using SSL.
SCHEDULE 3 – Cross-Border Transfer Mechanism
| Term | Meaning |
| --- | --- |
| “Designated EU Governing Law” means: | The laws of the Republic of Ireland |
| “Designated EU Member State” means: | Republic of Ireland |

| Section Reference | Clause Application |
| --- | --- |
| Section I, Clause 7 | The docking clause does not apply. |
| Section II, Clause 9 | Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA. |
| Section II, Clause 11 | The optional language does not apply. |
| Section II, Clause 13 | All square brackets are removed with the text remaining. |
| Section IV, Clause 17 | Option 1 will apply, and the EU SCCs will be governed by the Designated EU Governing Law. |
| Section IV, Clause 18 (b) | Disputes will be resolved before the courts of the Designated EU Member State. |
| Schedule 1 (Subject Matter and Details of Processing) | Contains the information required in Annex 1 of the EU SCCs. |
| Schedule 2 (Technical and Organisational Measures) | Contains the information required in Annex 2 of the EU SCCs. |

| Section Reference | Clause Application |
| --- | --- |
| Section II, Clause 13 | The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner. |
| Section IV, Clause 17 (Option 1) | The EU SCCs will be governed by the laws of Switzerland. |
| Section IV, Clause 18 (b) | Disputes will be resolved before the courts of Switzerland. |
| Section IV, Clause 18 (c) | The term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). |
| EU GDPR | All references to the EU GDPR in this DPA are also deemed to refer to the FADP. |
SCHEDULE 4: Region-Specific Terms
Effective April 20th 2023 to September 7th 2023
2. Scope and Duration.
3. Processing of Personal Data.
4. Subprocessors.
5. Security.
7. Data Subject Requests.
8. Data Return or Deletion.
9. Audits.
10. Cross-Border Transfers/Region-Specific Terms.
SCHEDULE 1 – Subject Matter and Details of Processing
A. LIST OF PARTIES
| Field | Customer |
| --- | --- |
| Name | The named “Customer” on the signed or accepted Order or Agreement. |
| Address | The address associated with the Customer on the signed or accepted Order or Agreement. |
| Contact person’s name, position and contact details | The contact details associated with the Customer on the signed or accepted Order or Agreement. |
| Activities relevant to the data transferred under these Clauses | See Description of Transfer below. |
| Signature and date | Refer to the signed or accepted Order or Agreement. |
| Role (controller/processor) | Controller |

| Field | Abnormal |
| --- | --- |
| Name | Abnormal Security Corporation |
| Address | 185 Clara Street, Suite 100, San Francisco, CA 94107, United States |
| Contact person’s name, position and contact details | The contact details associated with Abnormal on the signed or accepted Order or Agreement. |
| Activities relevant to the data transferred under these Clauses | See Description of Transfer below. |
| Signature and date | Refer to the signed or accepted Order or Agreement. |
| Role (controller/processor) | Processor |
B. DESCRIPTION OF TRANSFER
| Item | Details |
| --- | --- |
| Categories of data subjects whose personal data is transferred | Individual users of the cloud office applications and infrastructure that Controller has authorized Processor’s Service to connect to, including Controller’s messaging systems, as well as individuals sending messages to or receiving messages from user accounts. |
| Categories of personal data transferred | More detailed categories of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | N/A |
| The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | Ongoing as determined by the Controller. |
| Nature of the processing | For the provision of the Service and Support under the Agreement. More details on Abnormal processing activities of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| Purpose(s) of the data transfer and further processing. | Scanning of message contents, metadata, activity logs, and cloud application and infrastructure configurations for malicious activity and signatures. More detailed purposes for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. | During the Term and as set forth in the data retention policies as published in the Documentation. Additional specific retention periods for Abnormal processing of personal data are reflected for the applicable Service as set forth in the applicable Privacy Data Sheets that are made available at the Abnormal Trust Portal. |
| For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. | During the Term and as specified under the Agreement. |
C. SUBPROCESSORS
SCHEDULE 2 – Technical and Organizational Measures
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
- The Service processes Customer Data on an in-memory basis within Customer’s messaging system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. Multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
- Isolated network environment using Amazon VPC.
- Default blocked firewall policies.
- Limited number of integration-related endpoints are accessible via public internet. Majority of services protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput.
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS required for all web traffic.
- Encrypted connectors for databases using SSL.
SCHEDULE 3 – Cross-Border Transfer Mechanism
| Term | Meaning |
|---|---|
| “Designated EU Governing Law” means: | The laws of the Republic of Ireland |
| “Designated EU Member State” means: | Republic of Ireland |

| Section Reference | Clause Application |
|---|---|
| Section I, Clause 7 | The docking clause does not apply. |
| Section II, Clause 9 | Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA. |
| Section II, Clause 11 | The optional language does not apply. |
| Section II, Clause 13 | All square brackets are removed with the text remaining. |
| Section IV, Clause 17 | Option 1 will apply, and the EU SCCs will be governed by the Designated EU Governing Law. |
| Section IV, Clause 18 (b) | Disputes will be resolved before the courts of the Designated EU Member State. |
| Schedule 1 (Subject Matter and Details of Processing) | Contains the information required in Annex 1 of the EU SCCs. |
| Schedule 2 (Technical and Organisational Measures) | Contains the information required in Annex 2 of the EU SCCs. |

| Section Reference | Clause Application |
|---|---|
| Section II, Clause 13 | The competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner. |
| Section IV, Clause 17 (Option 1) | The EU SCCs will be governed by the laws of Switzerland. |
| Section IV, Clause 18 (b) | Disputes will be resolved before the courts of Switzerland. |
| Section IV, Clause 18 (c) | The term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c). |
| EU GDPR | All references to the EU GDPR in this DPA are also deemed to refer to the FADP. |
SCHEDULE 4: Region-Specific Terms
Abnormal Security Acceptable Use Policy
Effective August 1st 2022
Abnormal Security Acceptable Use Policy
This Acceptable Use Policy (“AUP”) describes the prohibited uses of the Software as a Service offering (the "Service") provided by Abnormal Security Corporation (“Abnormal"). This AUP is in addition to any other terms and conditions under which Abnormal provides the Service to you. In addition to any other remedies available to Abnormal, if Abnormal determines in its sole discretion that you violate the AUP, we may suspend, limit, or terminate your use of the Service without prior notice or liability. This right applies, even if the breach is unintentional or unauthorized, if we believe that any such suspension, limitation, or termination is necessary to ensure compliance with laws, or to protect the rights, safety, privacy, security, or property (including the Service) of Abnormal or others.
Abnormal may modify this AUP at any time by posting an updated version of this document. Such updates will be effective upon posting. We therefore recommend that you visit the Abnormal website regularly to ensure that your activities conform to the most recent version. Your continued access to and use of the Service constitutes your agreement to be bound by such updates.
The prohibited uses listed below are not exhaustive. Prohibited uses and activities by you, the customer, your users or any third party include, without limitation:
- Violating any applicable laws or regulations (including without limitation data, privacy, and export control laws) or using the Service in a manner that gives rise to civil or criminal liability;
- Intentionally distributing malicious code, viruses, worms, defects, Trojan horses, corrupted files, hoaxes, or any other items of a destructive or deceptive nature;
- Infringing or misappropriating Abnormal’s or any third party’s intellectual property, proprietary or privacy rights;
- Reverse engineering, decompiling, or disassembling the Service or any software used in the provision of the Service;
- Interrupting, or attempting to interrupt, violate, obtain unauthorized access to, disrupt, damage, overburden, breach, or compromise the operation or security of the Service or any networks or systems;
- Using the Service for any reason other than as intended by the parties.
We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this AUP.
Abnormal Security Master Service Agreement - Transactions Entered into Prior to April 5, 2022
Effective April 11th 2022
This Master Service Agreement (“Agreement”) by and between Abnormal Security Corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”), and the customer stated in the Order Form (as defined in Section 1) (“Customer”) is effective as of the date Abnormal accepts the Order Form. Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
EXHIBIT A
SERVICE LEVEL AGREEMENT
| Uptime | Days Credited |
|---|---|
| < 99.9% - ≥ 98.0% | 3 |
| < 98.0% - ≥ 95.0% | 7 |
| < 95.0% | 15 |
EXHIBIT B
SUPPORT TERMS
This exhibit sets forth the terms on which Abnormal provides technical support (“Support”) to Customer (the “Support Terms”).
| Severity Level | Description | Response Time |
|---|---|---|
| 1 | Major Impact: Service is inoperable or the performance of the Service is so severely reduced that Customer cannot reasonably continue to use the Service because of the Error, the Error cannot be circumvented with a workaround, and it affects Customer’s ability to perform its business. | 2 hours |
| 2 | Moderate Impact: Performance is significantly degraded such that Customer’s use of the Service is materially impaired, but the Error can be circumvented with a workaround. | 8 hours |
| 3 | Minor Impact: Customer is experiencing a performance, operational, or functional issue in its use of the Service that can be circumvented with a workaround, and the Error causes only minimal impact to the Customer’s ability to use the Service. | 24 hours |
| 4 | General Questions: No issue with performance or operation of the Service. These include standard questions on the API configuration, dashboard functionality, enhancement requests, or documentation clarification. | 3 business days |
5. Conditions, Exclusions, and Termination.
Abnormal Security Data Processing Addendum - Transactions April 6, 2023 and Prior
Effective April 7th 2023
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM - Transactions Prior to April 7, 2023
If you have a separate written data processing addendum with Abnormal Security related to your use of the Service, then this Addendum and the following updates do not apply. Customers that entered into an Order with Abnormal Security, or an authorized Abnormal Security Partner, for a Subscription to the Service prior to April 7, 2023 shall have the data processing addendum set forth below govern the processing of personal data by the Service. Upon the Customer's next renewal Subscription Term or a subscription to Abnormal Security's new products, the updated data processing addendum shall be the Abnormal Security Data Processing Addendum [LINK], which will automatically apply unless Customer elects not to renew. In any event, continued use of the Service during the renewal Subscription Term will constitute Customer acceptance of the Data Processing Addendum in effect at the time the renewal Subscription Term begins.
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services. The Parties agree as follows:
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
"Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” (as defined in the GDPR and in the UK GDPR), or an “individual” (as defined in ANZ Privacy Law), as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms described in Article 46 of the GDPR and approved by the European Commission in decision 2021/914/EC, dated 4 June 2021, and attached to this Addendum as Exhibit 1 (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
Unless prohibited by applicable law, Abnormal will notify Customer if, in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust, which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”), and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing of the reasons for its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
Clause 9
Use of sub-processors
Clause 10
Data subject rights
Clause 11
Redress
Clause 12
Liability
Clause 13
Supervision
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
15.2 Review of legality and data minimisation
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
APPENDIX (GDPR SCCs)
ANNEX I
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. Multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
Access Controls:
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC.
- Default-blocked firewall policies.
- A limited number of integration-related endpoints are accessible via the public internet. The majority of services are protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers and are resilient to dynamic changes in query load/throughput.
- Data in transit is encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS is required for all web traffic.
- Encrypted connectors for databases using SSL.
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
1. Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
2. Name: Microsoft Azure
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for Abnormal’s use of Databricks Platform as a Service (PaaS)
3. Name: Microsoft Azure
Address: Ireland
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): EU-based customer data hosting services for the Abnormal Security SaaS platform
4. Name: Databricks
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Analytics infrastructure provider
5. Name: Atlassian
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Abnormal utilizes JIRA for certain bug and ticket handling. Accordingly, some information that you submit into a support ticket may be processed.
6. Name: Salesforce
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Customer Relationship Management Software
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK. The address associated with Customer on the signed or accepted Order Form or Agreement. | Abnormal Security Corporation, 185 Clara Street, Suite 100, San Francisco, CA 94107, United States. Official registration number (if any) (company number or similar identifier): N/A |
Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | X - The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex III: List of Sub processors (Modules 2 and 3 only): As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: - Importer - Exporter X - Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
Interpretation of this Addendum
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
Hierarchy
Incorporation of and changes to the EU SCCs
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
“The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
“These Clauses are governed by the laws of England and Wales.”;
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
Amendments to this Addendum
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
Effective August 31st 2022 to April 7th 2023
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services. The Parties agree as follows:
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
"Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” as defined in the GDPR and in the UK GDPR), or an “individual” as defined in ANZ Privacy Law, as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms described in Article 46 of the GDPR and approved by the European Commission in decision 2021/914/EC, dated 4 June 2021, and attached to this Addendum as Exhibit 1 (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”) and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing of the reasons for its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
Clause 9
Use of sub-processors
Clause 10
Data subject rights
Clause 11
Redress
Clause 12
Liability
Clause 13
Supervision
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
15.2 Review of legality and data minimisation
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
APPENDIX (GDPR SCCs)
ANNEX I
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. A multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
Access Controls:
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC
- Default blocked firewall policies
- Limited number of integration-related endpoints are accessible via public internet. Majority of services protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key
- HTTPS required for all web traffic
- Encrypted connectors for databases using SSL
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
1. Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
2. Name: Microsoft Azure
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for Abnormal’s use of Databricks Platform as a Service (PaaS)
3. Name: Microsoft Azure
Address: Ireland
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): EU-based customer data hosting services for the Abnormal Security SaaS platform
4. Name: Databricks
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Analytics infrastructure provider
5. Name: Atlassian
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Abnormal utilizes JIRA for certain bug and ticket handling. Accordingly, some information that you submit into a support ticket may be processed.
6. Name: Salesforce
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Customer Relationship Management Software
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK. Address: The address associated with Customer on the signed or accepted Order Form or Agreement. | Abnormal Security Corporation. Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States. Official registration number (if any) (company number or similar identifier): N/A |
Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | X - The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex III: List of Sub processors (Modules 2 and 3 only): As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: - Importer - Exporter X - Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
Interpretation of this Addendum
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
Hierarchy
Incorporation of and changes to the EU SCCs
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
“These Clauses are governed by the laws of England and Wales.”;
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
Amendments to this Addendum
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
Effective August 3rd 2022 to August 31st 2022
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services. The Parties agree as follows:
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
“Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” (as defined in the GDPR and in the UK GDPR), or an “individual” (as defined in ANZ Privacy Law), as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms attached to this Addendum as Exhibit 1 and promulgated pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”) and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing of the reasons for its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
Clause 9
Use of sub-processors
Clause 10
Data subject rights
Clause 11
Redress
Clause 12
Liability
Clause 13
Supervision
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
15.2 Review of legality and data minimisation
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
APPENDIX (GDPR SCCs)
ANNEX I
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to Customer Data by limiting access to only those employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for the period set forth in Abnormal's data retention policies as published in the Documentation. Such data is then automatically deleted at the end of such period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. Multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
Access Controls:
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC
- Default blocked firewall policies
- A limited number of integration-related endpoints are accessible via the public internet. The majority of services are protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key
- HTTPS required for all web traffic
- Encrypted connectors for databases using SSL
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | ||
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK; the address associated with Customer on the signed or accepted Order Form or Agreement | Abnormal Security Corporation, 185 Clara Street, Suite 100, San Francisco, CA 94107, United States. Official registration number (if any) (company number or similar identifier): N/A |
Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | X - The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex II of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex III: List of Sub processors (Modules 2 and 3 only): As listed in Annex III of the Approved EU SCCs found in Exhibit 1 of the MSA |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: - Importer - Exporter X - Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
Interpretation of this Addendum
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
Hierarchy
Incorporation of and changes to the EU SCCs
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
“These Clauses are governed by the laws of England and Wales.”;
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
Amendments to this Addendum
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
Effective June 13th 2022 to August 3rd 2022
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
This Addendum is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services. The Parties agree as follows:
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
"Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” (as defined in the GDPR and in the UK GDPR), or an “individual” (as defined in ANZ Privacy Law), as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms attached to this Addendum as Exhibit 1 and promulgated pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”) and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing of the reasons for its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with the procedures to terminate for material breach as set forth in the Agreement.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
Clause 9
Use of sub-processors
Clause 10
Data subject rights
Clause 11
Redress
Clause 12
Liability
Clause 13
Supervision
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
15.2 Review of legality and data minimisation
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
APPENDIX (GDPR SCCs)
ANNEX I
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
- Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
- Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
- Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
- Signature and date: Refer to the signed or accepted Order Form or Agreement.
- Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
- Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
- Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
- Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
- Signature and date: Refer to the signed or accepted Order Form or Agreement.
- Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only those employees who need it to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for 180 days. Such data is then automatically deleted at the end of the 180-day period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. Multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
Access Controls:
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC.
- Firewall policies block traffic by default.
- A limited number of integration-related endpoints are accessible via the public internet; the majority of services are protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers and are resilient to dynamic changes in query load/throughput.
- Data in transit is encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key.
- HTTPS is required for all web traffic.
- Database connectors are encrypted using SSL.
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
|---|---|---|
| Start date | | |
| Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK; The address associated with Customer on the signed or accepted Order Form or Agreement | Abnormal Security Corporation; 185 Clara Street, Suite 100, San Francisco, CA 94107, United States; Official registration number (if any) (company number or similar identifier): N/A |
| Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
| Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs: [X] The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA.
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
- Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA
- Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA
- Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA
- Annex III: List of Sub processors (Modules 2 and 3 only): As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes: Which Parties may end this Addendum as set out in Section 19:
- [ ] Importer
- [ ] Exporter
- [X] Neither Party
Part 2: Mandatory Clauses
Entering into this Addendum
Interpretation of this Addendum
| Term | Meaning |
|---|---|
| Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
| Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
| Appendix Information | As set out in Table 3. |
| Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
| Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
| Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| ICO | The Information Commissioner. |
| Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
| UK | The United Kingdom of Great Britain and Northern Ireland. |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
| UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
Hierarchy
Incorporation of and changes to the EU SCCs
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
“These Clauses are governed by the laws of England and Wales.”;
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
Amendments to this Addendum
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
Effective June 7th 2022 to June 13th 2022
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services. The Parties agree as follows:
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
“Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” (as defined in the GDPR and in the UK GDPR), or an “individual” (as defined in ANZ Privacy Law), as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms attached to this Addendum as Exhibit 1 and promulgated pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”) and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing of the reasons for its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with Section 4.2 of the Agreement.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
Clause 9
Use of sub-processors
Clause 10
Data subject rights
Clause 11
Redress
Clause 12
Liability
Clause 13
Supervision
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
15.2 Review of legality and data minimisation
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
APPENDIX (GDPR SCCs)
ANNEX I
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
- Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
- Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
- Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
- Signature and date: Refer to the signed or accepted Order Form or Agreement.
- Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
- Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
- Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
- Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
- Signature and date: Refer to the signed or accepted Order Form or Agreement.
- Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for 180 days. Such data is then automatically deleted at the end of the 180-day period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. Multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
Access Controls:
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC
- Default blocked firewall policies
- Limited number of integration-related endpoints are accessible via public internet. Majority of services protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key
- HTTPS required for all web traffic
- Encrypted connectors for databases using SSL
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | ||
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK The address associated with Customer on the signed or accepted Order Form or Agreement | Abnormal Security Corporation 185 Clara Street, Suite 100, San Francisco, CA 94107, United States Official registration number (if any) (company number or similar identifier): N/A |
Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | X - The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex III: List of Sub processors (Modules 2 and 3 only): As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: [ ] Importer [ ] Exporter [X] Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
Interpretation of this Addendum
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
Hierarchy
Incorporation of and changes to the EU SCCs
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
“These Clauses are governed by the laws of England and Wales.”;
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
Amendments to this Addendum
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
Effective May 20th 2022 to June 7th 2022
ABNORMAL SECURITY
DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) supplements the agreement for use of the Abnormal Security Corporation ("Abnormal") Service (“Agreement”) entered into by and between Abnormal and the Customer identified on the signed or accepted Order Form or Agreement (“Customer”). Abnormal and Customer may each be referred to separately as, a “Party,” or together as, the “Parties.”
Customer has purchased a Subscription to the Service pursuant to the Agreement that involves the Processing of Personal Data subject to Data Protection Laws.
is incorporated into and forms part of the agreement for Customer’s use of Abnormal’s services. The Parties agree as follows:
“CCPA Personal Information” means the “personal information” (as defined in the CCPA) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service and Support.
“Controller” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Customer.
“Data Protection Laws” means the following laws, including any amendments to such laws: (i) the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the “Privacy Directive”) and the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) the UK Data Protection Act 2018 as supplemented by Schedule 21, the Keeling Schedule (“UK GDPR”); (iii) to the extent applicable to the Service and/or Support, any other EU or EU Member State data protection laws with respect to the processing of Personal Data under the Agreement; (iv) the following laws applicable to processing of personal information of citizens of Australia and New Zealand respectively, the Privacy Act 1988 (Cth) and the Privacy Act 1993 (NZ) (together “ANZ Privacy Law”), and (v) any United States laws or regulations protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data, including the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder (“CCPA”).
“Data Subject” means a “consumer” (as defined in the CCPA), a “data subject” (as defined in the GDPR and in the UK GDPR), or an “individual” (as defined in ANZ Privacy Law), as applicable.
“GDPR Personal Data” means the “personal data” (as defined in the GDPR and the UK GDPR) that Abnormal Processes on behalf of Customer in connection with Abnormal’s provision of the Service.
“Personal Data” means any information relating to a Data Subject which is subject to the Data Protection Laws and which Abnormal Processes on behalf of Customer as described in Section 4 of this Addendum, including CCPA Personal Information, GDPR Personal Data, and UK GDPR Personal Data.
“Personal Data Breach” means a breach of security leading to accidental or unlawful destruction, loss, or alteration, unauthorized disclosure of, or access to, Personal Data Processed by Abnormal on behalf of Customer.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
“Processor” has the meaning given to it in the Data Protection Laws and for the purposes of this Addendum means Abnormal.
“Standard Contractual Clauses” means, (i) where the GDPR applies, the terms attached to this Addendum as Exhibit 1 and promulgated pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on standard contractual clauses for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection (“GDPR SCCs”), and (ii) where the UK GDPR applies, the terms attached to this Addendum as Exhibit 2 and issued by the Information Commissioner under s 119A(1) of the DPA 2018 and in force 21 March 2022 (“UK GDPR SCCs”).
Unless prohibited by applicable law, Abnormal will notify Customer if in its opinion, an instruction infringes any Data Protection Laws to which it is subject, in which case Abnormal will be entitled to suspend performance of such instruction, until Customer confirms in writing that such instruction is valid under Data Protection Laws. Any additional instructions regarding the manner in which Abnormal Processes the Personal Data will require prior written agreement between Abnormal and Customer.
Abnormal will not disclose Personal Data to any government, except as necessary to comply with applicable law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If Abnormal receives a binding order from a law enforcement agency for Personal Data, Abnormal will notify Customer of the request it has received so long as Abnormal is not legally prohibited from doing so.
Abnormal will ensure that individuals with access to or involved in the Processing of Personal Data are subject to appropriate confidentiality obligations and/or are bound by related obligations under Data Protection Laws or other applicable laws.
In assessing the appropriate level of security, Abnormal will take into account in particular the risks that are presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
Abnormal maintains a list of all Subprocessors at www.abnormalsecurity.com/trust which is also set forth in Annex III to Exhibit 1 hereto (together, the “Subprocessors List”) and Abnormal may amend the Subprocessors List by adding or replacing Subprocessors at any time. Customer will be entitled to object to a new Subprocessor by notifying Abnormal in writing of the reasons for its objection. Abnormal will work in good faith to address Customer’s objections. If Abnormal is unable or unwilling to adequately address Customer’s objections to its reasonable satisfaction, then Customer may terminate this Addendum and the Agreement in accordance with Section 4.2 of the Agreement.
EXHIBIT 1 (GDPR SCCs)
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
Clause 2
Effect and invariability of the Clauses
Clause 3
Third-party beneficiaries
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Module One: Clause 8.5(e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1(b) and Clause 8.3(b);
- Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
- Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
Clause 4
Interpretation
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7
Optional Docking clause removed
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
Clause 9
Use of sub-processors
Clause 10
Data subject rights
Clause 11
Redress
Clause 12
Liability
Clause 13
Supervision
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
15.2 Review of legality and data minimisation
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
APPENDIX (GDPR SCCs)
ANNEX I
Data exporter(s):
- Name: The named “Customer” on the signed or accepted Order Form or Agreement.
Address: The address associated with Customer on the signed or accepted Order Form or Agreement.
Contact person’s name, position and contact details: The contact details associated with the Customer on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Controller
Data importer(s):
- Name: Abnormal Security Corporation
Address: 185 Clara Street, Suite 100, San Francisco, CA 94107, United States
Contact person’s name, position and contact details: The contact details associated with Abnormal on the signed or accepted Order Form or Agreement.
Activities relevant to the data transferred under these Clauses: See Description of Transfer below.
Signature and date: Refer to the signed or accepted Order Form or Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individual users of Data Controller’s email system, as well as individuals sending messages to or receiving messages from such user accounts.
Categories of personal data transferred
First and Last Name
Email address
IP address
Personal Data contained in email message body or attachments
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Ongoing as determined by the Controller
Nature of the processing
For the provision of the Service under the Agreement
Purpose(s) of the data transfer and further processing
Scanning of email contents and metadata for malicious signatures
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Term and as specified under the Agreement
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
During the Term and as specified under the Agreement
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Abnormal has taken and will maintain the appropriate administrative, technical, physical and procedural security measures, for the protection of the Personal Data, including the measures set forth below or otherwise made reasonably available by Abnormal.
Policy Controls:
- Abnormal has established an information security policy.
- A framework of security standards has been developed, which supports the objectives of the security policy.
- Procedures and systems exist for requesting, establishing, issuing, suspending, deleting, and closing user accounts and associated access privileges, e.g. system access is granted based upon position, job function, and manager approval.
- Abnormal prevents unauthorized internal access to customer data by limiting access to only employees who need access to offer and improve the Service.
- Multi-Factor Authentication, including biometric fingerprint verification, is required to access Abnormal systems and Customer Data.
- Access to Abnormal offices is controlled via card key access, and is under 24/7 CCTV monitoring.
- No Customer Data is stored on premise.
Collection of Data:
- The Service processes Customer Data on an in-memory basis within Customer’s email system.
- Data that is processed and identified as malicious by the Service is transferred to Abnormal servers that support the Service and stored for 180 days. Such data is then automatically deleted at the end of the 180-day period.
- All Customer Data is encrypted at rest using multi-factor encryption with a per-file key and AES-256 block cipher, with keys managed by AWS Key Management Service.
Backup Copies:
- Procedures for backup and retention of data and programs have been documented and implemented.
- Data and programs are backed up regularly and replicated between geographically diverse data centers.
Computers and Access Terminals:
- New employees are required to sign a non-disclosure agreement relating to proprietary software and confidentiality of information relating to customers.
- New employees are required to acknowledge receipt of Abnormal’s Information Security Policy.
- Access to the production environment is authorized by the Chief Technology Officer and is based on business need. Multi-factor secure remote access is required for all access to the production systems.
- Customer Data is processed in memory and is not available for printing. All print services are disabled by default on all production servers.
Access Controls:
- All Data Importer employees and contractors are provided with unique user IDs.
- Access is only granted to employees whose role requires it.
- Access is disabled upon role reassignment or termination.
- Access is revoked on termination.
Security while transferring and processing:
- Isolated network environment using Amazon VPC
- Default blocked firewall policies
- Limited number of integration-related endpoints are accessible via public internet. Majority of services protected by firewalls as private endpoints.
- Public endpoints utilize Application Load Balancers, and are resilient to dynamic changes in query load/throughput
- Data in transit encrypted using TLS 1.2 sessions with a 2048-bit RSA asymmetric key
- HTTPS required for all web traffic
- Encrypted connectors for databases using SSL
ANNEX III – LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors: The sub-processors located on the agreed list available at www.abnormalsecurity.com/trust. As of the effective date, the current list of sub-processors is:
- Name: Amazon Web Services
Address: United States
Contact person’s name, position and contact details: N/A
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Data hosting services for the Abnormal Security SaaS platform
EXHIBIT 2 (UK GDPR SCCs)
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | The named “Customer” on the signed or accepted Order Form or Agreement and Affiliates of the Customer established in the UK; the address associated with Customer on the signed or accepted Order Form or Agreement | Abnormal Security Corporation, 185 Clara Street, Suite 100, San Francisco, CA 94107, United States; Official registration number (if any) (company number or similar identifier): N/A |
Key Contact | The contact details associated with the Customer on the signed or accepted Order Form or Agreement. | The contact details associated with Abnormal on the signed or accepted Order Form or Agreement. |
Signature (if required for the purposes of Section 2) | Refer to the signed or accepted Order Form or Agreement. | Refer to the signed or accepted Order Form or Agreement. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | [X] The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Effective Date of the MSA. Reference (if any): As set out in Exhibit 1 of the MSA |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex 1B: Description of Transfer: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As described in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Annex III: List of Sub-processors (Modules 2 and 3 only): As listed in Annex 1 of the Approved EU SCCs found in Exhibit 1 of the MSA |
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: [ ] Importer [ ] Exporter [X] Neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
Interpretation of this Addendum
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. |
Appendix Information | As set out in Table 3. |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
ICO | The Information Commissioner. |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
UK | The United Kingdom of Great Britain and Northern Ireland. |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
Hierarchy
Incorporation of and changes to the EU SCCs
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
“The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
“These Clauses are governed by the laws of England and Wales.”;
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
Amendments to this Addendum
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
Abnormal Security Reseller Terms
Effective October 13th 2023
Abnormal Security
Online Reseller Terms
Abnormal reserves the right to amend these Terms from time to time, in whole or in part, in which case the updated Terms will supersede the prior version. Any changes to the Terms will be effective immediately for new partners and, for all other partners, any changes will be effective five (5) business days after the date of such changes.
In consideration of the mutual agreements contained herein and intending to be legally bound hereby, the Parties agree as follows:
14. Glossary
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party, provided such entity will be considered an Affiliate for only such time as such control interest is maintained; where "control" means the ownership of greater than fifty percent (50%) of (i) the voting power to elect directors of the company, or (ii) the ownership interests in the company. “Anti-Corruption Laws” means all applicable anti-bribery and anti-corruption laws and regulations, including the United States Foreign Corrupt Practices Act, U.K. Bribery Act 2010, and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. “Authorized Distributor” means an Abnormal authorized distributor that is permitted to distribute the Service in the Territory. “Brand Elements” means the trademarks, service marks, names, logos, images, collateral or similar materials provided by Abnormal for use under this Agreement. “Cloud Terms” means the then-current version of Abnormal’s standard customer agreement governing use of the Service and Technical Services, located at https://legal.abnormalsecurity.com/. “Confidential Information” means the information disclosed by a disclosing party (“Discloser”) to a receiving Party (“Recipient”) under these Terms, or to which the Recipient gains access in connection with this Agreement, that is designated as proprietary or confidential or that should be reasonably understood to be proprietary or confidential due to its nature and the circumstances of its disclosure. Abnormal Confidential Information includes the terms and conditions of this Agreement and any underlying software, technical or performance information about the Service. Confidential Information may also include the confidential or proprietary information of a third party that is disclosed.
“Customer” means the end-user customer of the Service located in the Territory and set forth on the applicable Order. “Deal Registration Conditions” means the set of terms and conditions set forth in the Partner Portal that apply to and govern Partner Opportunities. “Documentation” means the technical guides and documentation made available from the dedicated ‘Documentation’ page of the Abnormal website or in the Service. “Laws” means all relevant local, state, federal and international laws, regulations and conventions, including those related to data privacy and data transfer, international communications and export of technical or personal data. “Order” means Abnormal’s standard order for the placement of resale orders for the Service by Partner. “Partner Portal” means the website maintained by Abnormal that provides various resources to Partner, including Service information, corresponding list prices, marketing collateral, and Deal Registration Conditions, made available from the dedicated ‘Partners’ page of the Abnormal website. “Service” means one or more Abnormal software-as-a-service solutions or related Abnormal offerings identified on an applicable Order. “Technical Services” means any training, enablement or other technical services provided by Abnormal related to the Service, as identified in an Order. Technical Services do not form a part of the Service. “Territory” means the country in which the Partner is headquartered, or any geographic or market territory approved by Abnormal in the Partner Portal or in writing.
Effective June 8th 2023 to October 13th 2023
Abnormal Security
Online Reseller Terms
Abnormal reserves the right to amend these Terms from time to time, in whole or in part, in which case the updated Terms will supersede the prior version. Any changes to the Terms will be effective immediately for new partners and, for all other partners, any changes will be effective five (5) business days after the date of such changes.
In consideration of the mutual agreements contained herein and intending to be legally bound hereby, the Parties agree as follows:
14. Glossary
“Anti-Corruption Laws” means all applicable anti-bribery and anti-corruption laws and regulations, including the United States Foreign Corrupt Practices Act, U.K. Bribery Act 2010, and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. “Authorized Distributor” means an Abnormal authorized distributor that is permitted to distribute the Service in the Territory. “Brand Elements” means the trademarks, service marks, names, logos, images, collateral or similar materials provided by Abnormal for use under this Agreement. “Cloud Terms” means the then-current version of Abnormal’s standard customer agreement governing use of the Service and Technical Services, located at https://legal.abnormalsecurity.com/. “Confidential Information” means the information disclosed by a disclosing party (“Discloser”) to a receiving Party (“Recipient”) under these Terms, or to which the Recipient gains access in connection with this Agreement, that is designated as proprietary or confidential or that should be reasonably understood to be proprietary or confidential due to its nature and the circumstances of its disclosure. Abnormal Confidential Information includes the terms and conditions of this Agreement and any underlying software, technical or performance information about the Service. Confidential Information may also include the confidential or proprietary information of a third party that is disclosed. “Customer” means the end-user customer of the Service located in the Territory and set forth on the applicable Order. “Deal Registration Conditions” means the set of terms and conditions set forth in the Partner Portal that apply to and govern Partner Opportunities. “Documentation” means the technical guides and documentation made available from the dedicated ‘Documentation’ page of the Abnormal website or in the Service.
“Laws” means all relevant local, state, federal and international laws, regulations and conventions, including those related to data privacy and data transfer, international communications and export of technical or personal data. “Order” means Abnormal’s standard order for the placement of resale orders for the Service by Partner. “Partner Portal” means the website maintained by Abnormal that provides various resources to Partner, including Service information, corresponding list prices, marketing collateral, and Deal Registration Conditions, made available from the dedicated ‘Partners’ page of the Abnormal website. “Service” means one or more Abnormal software-as-a-service solutions or related Abnormal offerings identified on an applicable Order. “Technical Services” means any training, enablement or other technical services provided by Abnormal related to the Service, as identified in an Order. Technical Services do not form a part of the Service. “Territory” means the country in which the Partner is headquartered, or any geographic or market territory approved by Abnormal in the Partner Portal or in writing.
Effective October 25th 2022 to June 8th 2023
Abnormal Security
Online Reseller Terms
Abnormal reserves the right to amend these Terms from time to time, in whole or in part, in which case the updated Terms will supersede the prior version. Any changes to the Terms will be effective immediately for new partners and, for all other partners, any changes will be effective five (5) business days after the date of such changes.
In consideration of the mutual agreements contained herein and intending to be legally bound hereby, the Parties agree as follows:
14. Glossary
“Anti-Corruption Laws” means all applicable anti-bribery and anti-corruption laws and regulations, including the United States Foreign Corrupt Practices Act, U.K. Bribery Act 2010, and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. “Authorized Distributor” means an Abnormal authorized distributor that is permitted to distribute the Service in the Territory. “Brand Elements” means the trademarks, service marks, names, logos, images, collateral or similar materials provided by Abnormal for use under this Agreement. “Cloud Terms” means the then-current version of Abnormal’s standard customer agreement governing use of the Service and Technical Services, located at https://legal.abnormalsecurity.com/. “Confidential Information” means the information disclosed by a disclosing party (“Discloser”) to a receiving Party (“Recipient”) under these Terms, or to which the Recipient gains access in connection with this Agreement, that is designated as proprietary or confidential or that should be reasonably understood to be proprietary or confidential due to its nature and the circumstances of its disclosure. Abnormal Confidential Information includes the terms and conditions of this Agreement and any underlying software, technical or performance information about the Service. Confidential Information may also include the confidential or proprietary information of a third party that is disclosed. “Customer” means the end-user customer of the Service located in the Territory and set forth on the applicable Order. “Deal Registration Conditions” means the set of terms and conditions set forth in the Partner Portal that apply to and govern Partner Opportunities. “Documentation” means the technical guides and documentation made available from the dedicated ‘Documentation’ page of the Abnormal website or in the Service.
“Laws” means all relevant local, state, federal and international laws, regulations and conventions, including those related to data privacy and data transfer, international communications and export of technical or personal data. “Order” means Abnormal’s standard order for the placement of resale orders for the Service by Partner. “Partner Portal” means the website maintained by Abnormal that provides various resources to Partner, including Service information, corresponding list prices, marketing collateral, and Deal Registration Conditions, made available from the dedicated ‘Partners’ page of the Abnormal website. “Service” means one or more Abnormal software-as-a-service solutions or related Abnormal offerings identified on an applicable Order. “Technical Services” means any training, enablement or other technical services provided by Abnormal related to the Service, as identified in an Order. Technical Services do not form a part of the Service. “Territory” means any geographic or market territory approved by Abnormal in the Partner Portal or in writing.
Effective October 21st 2022 to October 25th 2022
Abnormal Security
Online Reseller Terms
Abnormal reserves the right to amend these Terms from time to time, in whole or in part, in which case the updated Terms will supersede the prior version. Any changes to the Terms will be effective immediately for new partners and, for all other partners, any changes will be effective five (5) business days after the date of such changes.
In consideration of the mutual agreements contained herein and intending to be legally bound hereby, the Parties agree as follows:
14. Glossary
“Anti-Corruption Laws” means all applicable anti-bribery and anti-corruption laws and regulations, including the United States Foreign Corrupt Practices Act, U.K. Bribery Act 2010, and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. “Authorized Distributor” means an Abnormal authorized distributor that is permitted to distribute the Service in the Territory. “Brand Elements” means the trademarks, service marks, names, logos, images, collateral or similar materials provided by Abnormal for use under this Agreement. “Cloud Terms” means the then-current version of Abnormal’s standard customer agreement governing use of the Service and Technical Services, located at https://legal.abnormalsecurity.com/. “Confidential Information” means the information disclosed by a disclosing party (“Discloser”) to a receiving Party (“Recipient”) under these Terms, or to which the Recipient gains access in connection with this Agreement, that is designated as proprietary or confidential or that should be reasonably understood to be proprietary or confidential due to its nature and the circumstances of its disclosure. Abnormal Confidential Information includes the terms and conditions of this Agreement and any underlying software, technical or performance information about the Service. Confidential Information may also include the confidential or proprietary information of a third party that is disclosed. “Customer” means the end-user customer of the Service located in the Territory and set forth on the applicable Order. “Deal Registration Conditions” means the set of terms and conditions set forth in the Partner Portal that apply to and govern Partner Opportunities. “Documentation” means the technical guides and documentation made available from the dedicated ‘Documentation’ page of the Abnormal website or in the Service.
“Laws” means all relevant local, state, federal and international laws, regulations and conventions, including those related to data privacy and data transfer, international communications and export of technical or personal data. “Order” means Abnormal’s standard order for the placement of resale orders for the Service by Partner. “Partner Portal” means the website maintained by Abnormal that provides various resources to Partner, including Service information, corresponding list prices, marketing collateral, and Deal Registration Conditions, made available from the dedicated ‘Partners’ page of the Abnormal website. “Service” means one or more Abnormal software-as-a-service solutions or related Abnormal offerings identified on an applicable Order. “Technical Services” means any training, enablement or other technical services provided by Abnormal related to the Service, as identified in an Order. Technical Services do not form a part of the Service. “Territory” means any geographic or market territory approved by Abnormal in the Partner Portal or in writing.
Effective September 27th 2022 to October 21st 2022
Abnormal Security
Online Reseller Terms
Abnormal reserves the right to amend these Terms from time to time, in whole or in part, in which case the updated Terms will supersede the prior version. Any changes to the Terms will be effective immediately for new partners and, for all other partners, any changes will be effective five (5) business days after the date of such changes.
In consideration of the mutual agreements contained herein and intending to be legally bound hereby, the Parties agree as follows:
14. Glossary
“Anti-Corruption Laws” means all applicable anti-bribery and anti-corruption laws and regulations, including the United States Foreign Corrupt Practices Act, U.K. Bribery Act 2010, and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. “Authorized Distributor” means an Abnormal authorized distributor that is permitted to distribute the Service in the Territory. “Brand Elements” means the trademarks, service marks, names, logos, images, collateral or similar materials provided by Abnormal for use under this Agreement. “Cloud Terms” means the then-current version of Abnormal’s standard customer agreement governing use of the Service and Technical Services, located at https://legal.abnormalsecurity.com/. “Confidential Information” means the information disclosed by a disclosing party (“Discloser”) to a receiving Party (“Recipient”) under these Terms, or to which the Recipient gains access in connection with this Agreement, that is designated as proprietary or confidential or that should be reasonably understood to be proprietary or confidential due to its nature and the circumstances of its disclosure. Abnormal Confidential Information includes the terms and conditions of this Agreement and any underlying software, technical or performance information about the Service. Confidential Information may also include the confidential or proprietary information of a third party that is disclosed. “Customer” means the end-user customer of the Service located in the Territory and set forth on the applicable Order. “Deal Registration Conditions” means the set of terms and conditions set forth in the Partner Portal that apply to and govern Partner Opportunities. “Documentation” means the technical guides and documentation made available from the dedicated ‘Documentation’ page of the Abnormal website or in the Service.
“Laws” means all relevant local, state, federal and international laws, regulations and conventions, including those related to data privacy and data transfer, international communications and export of technical or personal data. “Order” means Abnormal’s standard order for the placement of resale orders for the Service by Partner. “Partner Portal” means the website maintained by Abnormal that provides various resources to Partner, including Service information, corresponding list prices, marketing collateral, and Deal Registration Conditions, made available from the dedicated ‘Partners’ page of the Abnormal website. “Service” means one or more Abnormal software-as-a-service solutions or related Abnormal offerings identified on an applicable Order. “Technical Services” means any training, enablement or other technical services provided by Abnormal related to the Service, as identified in an Order. Technical Services do not form a part of the Service. “Territory” means any geographic or market territory approved by Abnormal in the Partner Portal or in writing.
Effective August 4th 2022 to September 27th 2022
Abnormal Security
Online Reseller Terms
August 3, 2022
These Reseller Terms (the “Terms”), any Order entered into from time-to-time, and the Documentation (together the “Agreement”), and the Cloud Terms, are entered into by and between Abnormal Security Corporation, a Delaware corporation, having its principal place of business at 185 Clara Street, Suite 100, San Francisco, CA 94107 (“Abnormal”) and Partner (as defined and set forth in the Order) (“Partner”, Abnormal and Partner individually as “Party”, or together “Parties”). These Terms will become binding once both parties sign an Order that references or incorporates these Terms (the “Effective Date”). By signing an Order or issuing a purchase order against, identifying, and matching the material terms of an applicable Order, Partner assents to these Terms and represents and warrants that Partner (1) has read, understands, and agrees to be bound, and (2) has the authority to enter into these Terms on behalf of the company or other organization that is named as Partner in the Order and these Terms will constitute a legal, valid, and binding obligation of such entity.
Abnormal reserves the right to amend these Terms from time to time, in whole or in part, in which case the updated Terms will supersede the prior version. Any changes to the Terms will be effective immediately for new partners and, for all other partners, any changes will be effective five (5) business days after the date of such changes.
In consideration of the mutual agreements contained herein and intending to be legally bound hereby, the Parties agree as follows:
14. Glossary
“Anti-Corruption Laws” means all applicable anti-bribery and anti-corruption laws and regulations, including the United States Foreign Corrupt Practices Act, U.K. Bribery Act 2010, and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. “Authorized Distributor” means an Abnormal authorized distributor that is permitted to distribute the Service in the Territory. “Brand Elements” means the trademarks, service marks, names, logos, images, collateral or similar materials provided by Abnormal for use under this Agreement. “Cloud Terms” means the then-current version of Abnormal’s standard customer agreement governing use of the Service and Technical Services, located at https://abnormalsecurity.com/msa. “Confidential Information” means the information disclosed by a disclosing party (“Discloser”) to a receiving Party (“Recipient”) under these Terms, or to which the Recipient gains access in connection with this Agreement, that is designated as proprietary or confidential or that should be reasonably understood to be proprietary or confidential due to its nature and the circumstances of its disclosure. Abnormal Confidential Information includes the terms and conditions of this Agreement and any underlying software, technical or performance information about the Service. Confidential Information may also include the confidential or proprietary information of a third party that is disclosed. “Customer” means the end-user customer of the Service located in the Territory and set forth on the applicable Order. “Deal Registration Conditions” means the set of terms and conditions set forth in the Partner Portal that apply to and govern Partner Opportunities. “Documentation” means the technical guides and documentation made available from the dedicated ‘Documentation’ page of the Abnormal website or in the Service.
“Laws” means all relevant local, state, federal and international laws, regulations and conventions, including those related to data privacy and data transfer, international communications and export of technical or personal data. “Order” means Abnormal’s standard order for the placement of orders for the Service by Partner on behalf of Customers. “Partner Portal” means the website maintained by Abnormal that provides various resources to Partner, including Service information, corresponding list prices, marketing collateral, and Deal Registration Conditions, made available from the dedicated ‘Partners’ page of the Abnormal website. “Service” means one or more Abnormal software-as-a-service solutions or related Abnormal offerings identified on an applicable Order. “Technical Services” means any training, enablement or other technical services provided by Abnormal related to the Service, as identified in an Order. Technical Services do not form a part of the Service. “Territory” means any geographic or market territory approved by Abnormal in the Partner Portal or in writing.
Abnormal Security API Terms of Service
Effective August 23rd 2023
Abnormal Security Corporation API Terms of Service
1. Defined Terms
2. Scope and Application Registration
3. Abnormal APIs License and Guidelines
- Use the Abnormal APIs in a way that could impair, harm or damage Abnormal, the Abnormal APIs, any Abnormal Offering, or anyone else’s use of the Abnormal APIs or any Abnormal Offerings;
- Use the Abnormal APIs to disrupt, interfere with, or attempt to gain unauthorized access to services, servers, devices, or networks connected to or which can be accessed via the Abnormal APIs;
- Use the Abnormal APIs, or any information accessed or obtained using the Abnormal APIs, for the purpose of migrating Customer(s) away from an Abnormal Offering, except as expressly permitted by Abnormal pursuant to a duly executed written agreement;
- Scrape, build databases or otherwise create copies of any data accessed or obtained using the Abnormal APIs, except as necessary to enable the intended usage scenario for the Application;
- Request from the Abnormal APIs more than the minimum amount of data, or more than the minimum permissions to the types of data, that the Application needs for Customer(s) to use the intended functionality of the Application;
- Use an unreasonable amount of bandwidth, or adversely impact the stability of the Abnormal APIs or the behavior of other apps using the Abnormal APIs;
- Attempt to circumvent the limitations Abnormal sets on use of the Abnormal APIs. Abnormal sets and enforces limits on use of the Abnormal APIs (e.g., limiting the number of API requests that you may make or the number of users you may serve), in its sole discretion;
- Use Abnormal APIs in any manner that works around any technical limitations of the Abnormal APIs or of the accessed Abnormal Offering, or reverse engineer, decompile or disassemble the Abnormal APIs or an Abnormal Offering, except and only to the extent that applicable law expressly permits, despite this limitation;
- Use the Abnormal APIs, or any data obtained using the Abnormal APIs, to conduct performance testing of an Abnormal Offering unless expressly permitted by Abnormal pursuant to a duly executed written agreement;
- Use the Abnormal APIs, or any data obtained using the Abnormal APIs, to identify, exploit or publicly disclose any potential security vulnerabilities;
- Request, use or make available any data obtained using the Abnormal APIs outside any permissions expressly granted by Customer(s) in connection with using the Application;
- Use or transfer any data accessed or obtained using the Abnormal APIs, including any data aggregated, anonymized or derived from that data (collectively the "Abnormal APIs Data") for advertising or marketing purposes including (i) targeting ads, or (ii) serving ads. For purposes of clarity, this prohibition on using Abnormal APIs Data for advertising or marketing purposes does not extend to using other data, such as (i) the number of users of the Application, (ii) a user identifier you independently receive from a user (e.g., an email address you receive when a user enrolls to use the Application, a device identifier, or an advertising identifier), or (iii) a product or service identifier that identifies an Abnormal Offering;
- Make the Application available for use in a manner that circumvents the need for Customer to obtain a valid license to the Abnormal Offering accessed through the Abnormal APIs;
- Redistribute or resell, or sublicense access to, the Abnormal APIs, any data obtained using the Abnormal APIs, or any other Abnormal Offering accessed through the Abnormal APIs;
- Misrepresent expressly, by omission, or implication, the need for Customer to obtain a valid license to the Abnormal Offering that is accessed through the Abnormal APIs;
- Falsify or alter any unique referral identifier in, or assigned to an Application, or otherwise obscure or alter the source of queries coming from an Application to hide a violation of this agreement; or
- Use the Abnormal APIs or allow any user to use the Application in a way that violates applicable law, including but not limited to:
  - Illegal activities, such as child pornography, gambling, piracy, violating copyright, trademark or other intellectual property laws.
  - Intending to exploit minors in any way.
  - Accessing or authorizing anyone to access the Abnormal APIs from an embargoed country as prohibited by the U.S. government.
  - Threatening, stalking, defaming, defrauding, degrading, victimizing or intimidating anyone for any reason.
  - Violating applicable privacy laws and regulations.
- Use the Abnormal APIs in a way that could create, in Abnormal's sole discretion and judgment, an unreasonable security or privacy risk.